5

My company's firewall blocks keyservers on port 80, and a few of the distributions that I'm hoping to support don't feature HKPS yet for fetching over TLS.

Are there keyservers out there that offer a simple download of a given key over HTTPS? For instance, I can fetch my own personal key which is on keybase at https://keybase.io/naftulikay/pgp_keys.asc

Are there resources out there for getting a key over HTTPS without using the keyserver protocol? I'm writing Ansible so it's easy enough to get things over HTTPS.

markgraf
  • 2,849
  • 1
  • 8
  • 20
Naftuli Kay
  • 38,686
  • 85
  • 220
  • 311
  • I'm not sure whether I understand ... you want to be able to use `hkp://`, but only `hkps` is allowed by policy. So why can't you install a local proxy to redirect the (then-local) http-Requests to https? – Philippos Sep 17 '19 at 09:24
  • Is there an API somewhere where I can issue an HTTP GET and retrieve a key by its fingerprint? My network blocks hkp and hkps, so if it's possible to get a key over HTTP, this is what I need. – Naftuli Kay Sep 17 '19 at 16:05
  • In order to help you I need to understand the whole problem. That's why I ask back. Again: 1) You have an application doing hkp: requests, yes or no? 2) You say your firewall blocks keyservers on port 80, so are port 80 connections being scanned for being hkp? Why would your company do that? And what about port 11371 connections? 3) And now your idea is to fetch keys over http without hkp, thus dropping all security concerns that led to introducing hkp? – Philippos Sep 18 '19 at 06:25
  • 2
    My office network somehow blocks _all_ HKP and HKPS traffic. I am running automation on a local machine within the network to install PGP keys for apt/yum repositories. I have tried many different keyservers on many different ports. I'm not necessarily looking to obtain keys over plaintext HTTP, but rather hopefully over HTTPS. I'm looking for a service which provides an HTTP(S) API on top of the PGP keyservers. So far, my alternative has been to download keys outside of the network, export them to a file, and store the full keys locally. – Naftuli Kay Sep 18 '19 at 15:35
  • 1
    I'd like to simply issue something like `curl -sSL https://keyserver.website/fetch/${KEY_ID}` to download a PGP key in ASCII-armored format. Some repositories that I use host their own PGP keys over HTTP which I can use to fetch the key content, but not all do. In short, I need to get a key in an automated way without having to use keyservers due to network constraints. – Naftuli Kay Sep 18 '19 at 15:37

1 Answers1

5

openpgp.org has a facility for https. Just imported a few keys by their fingerprints. The path is predictable you just need to replace ${KEY_FINGERPRINT} with the fingerprint of the key you want to import. Which of course must be already uploaded to https://keys.openpgp.org:

curl --sSL https://keys.openpgp.org/vks/v1/by-fingerprint/${KEY_FINGERPRINT} | \
  gpg --import

The Ubuntu keyserver also has an HTTP(S) API by which one can fetch keys in ASCII format:

curl -sSL https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${KEY_FINGERPRINT} | \
  gpg --import

Note the | gpg --import pipe, which is used to import the key data into the GnuPG keyring.

Automating GPG/PGP Key Importation via HTTPS:

Since the path https://keys.openpgp.org is predictable and only varies by the fingerprint of keys stored on the server, we can automate importation of a list of keys identified by their fingerprints. Below is tested and know to work correctly

To adapt script to your own use, simply replace my (3) specimen key fingerprints with fingerprints of keys you want to import and of course set the variable PATHSCRIPTS to your desired path:

#!/bin/bash

PATHSCRIPTS='/home/pi'

# Create text file using a Here-Doc containing Key Fingerprints of keys to import into keyring:

cat <<EOF> $PATHSCRIPTS/Key-fingerprints-list.txt
AEB042FFD73BAA7545EDA021343A2DF613C5E7F8
7AFAF20259E69236E43EEF521F45D0F6E89F27A6
704FCD2556C40AF8F2FBD8E2E5A1DE67F98FA66F
EOF

# Read the text file we created into an array
readarray arrayKeyFingerprints < $PATHSCRIPTS/Key-fingerprints-list.txt

# Loop through the array adding each key in turn by its fingerprint from keys.openpgp.org:
for i in ${arrayKeyFingerprints[@]}; do
    curl https://keys.openpgp.org/vks/v1/by-fingerprint/$i | gpg --import
done

Results of the above script- which was saved as test.sh and ran on a Raspberry Pi- are shown below:

pi@pi4-ap1:~ $ ./test.sh 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                             Dload  Upload   Total   Spent    Left  Speed
100  3212  100  3212    0     0   7629      0 --:--:-- --:--:-- --:--:--  7629
gpg: /home/pi/.gnupg/trustdb.gpg: trustdb created
gpg: key 343A2DF613C5E7F8: public key "Terrence Houlahan (I'm the former NYPD cop living in the UK.  This is my only *personal* key.  Trust no others.) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                             Dload  Upload   Total   Spent    Left  Speed
100  3220  100  3220    0     0  18720      0 --:--:-- --:--:-- --:--:-- 18612
gpg: key 1F45D0F6E89F27A6: public key "Terrence Houlahan (Terrence Houlahan Linux & Network Engineer) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                             Dload  Upload   Total   Spent    Left  Speed
100  3252  100  3252    0     0  19473      0 --:--:-- --:--:-- --:--:-- 19473
gpg: key E5A1DE67F98FA66F: public key "Terrence Houlahan (Open-IPcamera Project Developer Key Terrence Houlahan) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

We do a key list and there are our (3) imported keys:

pi@pi4-ap1:~ $ gpg --list-keys
/home/pi/.gnupg/pubring.kbx
---------------------------
pub   rsa4096 2011-03-13 [SC]
  AEB042FFD73BAA7545EDA021343A2DF613C5E7F8
uid           [ unknown] Terrence Houlahan (I'm the former NYPD cop living in the UK.  This is my only *personal* key.  Trust no others.) <[email protected]>
sub   rsa4096 2011-03-13 [E]

pub   rsa4096 2019-02-06 [SC] [expires: 2029-01-31]
  7AFAF20259E69236E43EEF521F45D0F6E89F27A6
uid           [ unknown] Terrence Houlahan (Terrence Houlahan Linux & Network Engineer) <[email protected]>
sub   rsa4096 2019-02-06 [E] [expires: 2029-01-31]

pub   rsa4096 2019-02-06 [SC] [expires: ????-??-??]
  704FCD2556C40AF8F2FBD8E2E5A1DE67F98FA66F
uid           [ unknown] Terrence Houlahan (Open-IPcamera Project Developer Key Terrence Houlahan) <[email protected]>
sub   rsa4096 2019-02-06 [E] [expires: ????-??-??]
F1Linux
  • 2,286
  • 1
  • 16
  • 28
  • When I attempt to access this, I get `gpg: error searching keyserver: Server indicated a failure`. Also when I try to browse this website, I'm redirected to a completely different domain `analytics.sumptuouscapital.com`. – Naftuli Kay Sep 18 '19 at 19:26
  • Lemme take a look- – F1Linux Sep 18 '19 at 19:27
  • Okee-dokee: just realized my test was invalid: gnupg.net sure enough let's you SEARCH for a key, but not grab it via https. The edited answer I tried with a few keys that I uploaded to `openpgp.org` and was able to just edit the key fingerprint in the example command in the edited answer – F1Linux Sep 18 '19 at 20:04
  • This works perfectly and was _exactly_ what I was looking for. Thank you! – Naftuli Kay Sep 18 '19 at 20:07
  • 2
    And since the path is predictable, you could feed it a list of fingerprints and iterate through the list to script the process! – F1Linux Sep 18 '19 at 20:09
  • Just followed up on my idea yesterday to automate key importation by script- – F1Linux Sep 19 '19 at 07:57