GPG public key server

Venafi CodeSign Protect includes functionality to set up and use a GPG public key server that provides the following:

  • Generates and stores GPG public keys on the Trust Protection Platform server
  • Sets up an Internet Information Services (IIS) web server and creates a GPG public key store
  • Makes GPG public keys publicly available through a RESTful HTTP request using a well-known DNS record for user domains

Prerequisites

CodeSign Protect's GPG public key server requires Trust Protection Platform 21.4 or later with a functioning GPG environment already set up. For instructions on setting up a GPG environment, see Setting up GPG clients.

Trust Protection Platform and Code Signing Clients must both be running version 21.4 or higher. If either is running version 21.3 or lower, the GPG public key server functionality will not work. The functionality will revert back to generating and storing GPG public keys on client workstations.

Installing and starting GPG public key server

The component named Code Signing Key Server can be selected during the installation and upgrade to Trust Protection Platform 21.4 or higher.

After installing the Code Signing Key Server component, use the Venafi Configuration Console (VCC) snap-in to make sure its status is set to "Started."

Make sure your CodeSign Protect clients are also running version 21.4 or higher.

Setting up and verifying DNS

The CodeSign Protect GPG public key server lets GPG clients automatically obtain a user's GPG public key. To enable this ability, the CodeSign Protect GPG key server must have a DNS record of openpgpkey.<domain_name> where <domain_name> matches the domain portion of the email address used in the user's UID.

Next, after properly configuring the email address and domain name, run the following command to retrieve a GPG public key:

gpg --locate-key email_address@example.net

If the client is unable to locate a GPG public key using this command, then the process can be debugged using the dirmgr command, which is an internal component of GPG and installed along with GPG.

You can run the following command to request a GPG public key and view verbose details about the requests being made.

On MacOS or Linux workstations:

echo "WKD_GET email_address@example.net" | dirmngr > /dev/null

On Windows workstations:

echo "WKD_GET email_address@example.net" | dirmngr > NUL

Running the command produces output similar to the following example, which includes the URL that GPG attempts to use to access the GPG public key:

echo "WKD_GET email_address@example.net" | dirmngr > /dev/null

dirmngr[3151576.0]: permanently loaded certificates: 131

dirmngr[3151576.0]: runtime cached certificates: 0

dirmngr[3151576.0]: trusted certificates: 131 (131,0,0,0)

dirmngr[3151576.0]: number of system provided CAs: 148

dirmngr[3151576.0]: error accessing 'https://example.net/.well-known/openpgpkey/hu/5xg6c6mcy7zhtxfy96xn6fntfewwsxw3?l=email_address': http status 404

 

dirmngr[3151576.0]: command 'WKD_GET' failed: No data

In the example above, the DNS entry for openpgpkey.example.net could not be resolved, so GPG reverted back to its original domain.

Using the CodeSign Protect GPG public key server

On the client workstation, run gpgconfig sync to create and store public keys on the CodeSign Protect GPG public key server. Trust Protection Platform generates the key.

The public key won't be available via the WKD command until after the gpgconfig sync command has been run using the 21.4 client and 21.4 server.