rGem-simple-gnupg-keyserver
DESCRIPTION:
SimpleHKP is a simple Ruby/Rack based GnuPG extended HKP key and identity server, packaged as a standard Ruby Gem.
As such it conforms to an extended version of the OpenPGP HTTP Keyserver Protocol (HKP) (draft-shaw-openpgp-hkp-00.txt).
The associated documentation provides more detail.
Security:
ALL uploaded key data is passed through the external gpg2 command. Any security weaknesses of gpg2 are weaknesses of this SimpleHKP rack application.
This rack application is written in Ruby, so any security weaknesses of Ruby and/or the Ruby web server you are using are also weaknesses of this SimpleHKP rack application.
By default all files associated with the normal running of the SimpleHKP rack application are stored in the “simpleHKP” directory of the current working directory. This “simpleHKP” directory SHOULD NOT be accessible from any other web server (such as NGinx).
This rack application is intentionally as self-contained and simple as possible. If you have any security concerns, this rack application is small enough to be read in full.
When used with SimpleMonkey, this SimpleHKP acts like a distributed password file. All important (non-public identity) details are encrypted; however, the collection of servers, users and their associated roles is visibly in the “public domain”. It is important to run your own collection of SimpleHKP servers inside a controlled domain or VPN.
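The directory rule above is easy to get wrong through a permissive umask rather than through web-server configuration. The following pre-flight check is an added example, not code from the simple-gnupg-keyserver gem: it inspects the on-disk “simpleHKP” tree and reports any directory that other local users (including a differently-privileged web-server worker) could list or traverse. It assumes the gem's default subdirectory names ('keys', 'identities') and that it is run as the same Unix user that runs the rack server; the 0700 target mode is this example's recommendation, not a documented requirement of the gem.

```ruby
#!/usr/bin/env ruby
# Added example (not part of the simple-gnupg-keyserver gem): a pre-flight
# check that the on-disk "simpleHKP" directory is not exposed more widely
# than the SimpleHKP rack process needs.
#
# Assumptions (not from the gem's docs): the check runs as the user that
# runs the rack server, and the subdirectory names are the gem's defaults
# ('keys', 'identities'). The 0700 target mode is this example's choice.
require 'fileutils'
require 'tmpdir'

# Returns an array of human-readable findings; an empty array means the
# directory layout passes.
def check_simplehkp_dir(base, key_dir: 'keys', id_dir: 'identities')
  findings = []
  unless File.directory?(base)
    return ["#{base}: does not exist (SimpleHKP will create it on first run)"]
  end

  mode = File.stat(base).mode & 0o777
  # "other" read or execute bits let any local user list or traverse the tree.
  if mode & 0o005 != 0
    findings << format('%s: mode %04o is world-accessible; expected 0700', base, mode)
  end
  if mode & 0o002 != 0
    findings << format('%s: mode %04o is world-writable', base, mode)
  end

  [key_dir, id_dir].each do |sub|
    path = File.join(base, sub)
    next unless File.directory?(path)
    sub_mode = File.stat(path).mode & 0o777
    if sub_mode & 0o007 != 0
      findings << format('%s: mode %04o is world-accessible; expected 0700', path, sub_mode)
    end
  end
  findings
end

# Self-contained demonstration on a constructed temporary directory tree:
# returns [findings_before_hardening, findings_after_hardening].
def demo
  Dir.mktmpdir do |tmp|
    base = File.join(tmp, 'simpleHKP')
    FileUtils.mkdir_p(File.join(base, 'keys'))
    FileUtils.mkdir_p(File.join(base, 'identities'))
    File.chmod(0o755, base)   # what a default umask of 022 typically produces
    before = check_simplehkp_dir(base)
    File.chmod(0o700, base, File.join(base, 'keys'), File.join(base, 'identities'))
    after = check_simplehkp_dir(base)
    [before, after]
  end
end

if __FILE__ == $PROGRAM_NAME
  before, after = demo
  puts 'before hardening:', before
  puts "after hardening: #{after.empty? ? 'OK' : after.join("\n")}"
end
```

Run it from the rack application's working directory with `check_simplehkp_dir('simpleHKP')` (or the value of your 'simpleHKPdir' option) before starting the server; it complements, rather than replaces, confirming that no other web server has a location block pointing at that path.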
SYNOPSIS:
A typical rackup.ru file might be:

  require 'simpleHKP'

  simpleHKPoptions = { ... some options ... }

  run SimpleHKP.new(simpleHKPoptions)

Your web server should be configured to bind to ports 11371 (for use as an HKP keyserver) and 80 (for use by standard browsers).
Options can be set by creating a SimpleHKP instance with a hash of key/value pairs.
The current default options are:

  defaultOptions = {
    'debug'        => false,            # should debug output be logged?
    'title'        =>                   # the title used by the default headerHTML
      "SimpleHKP @ #{Socket.gethostname}",
    'simpleHKPdir' => 'simpleHKP',      # base disk path to simpleHKP disk space
    'keyDir'       => 'keys',           # subdir to key storage directory
    'idDir'        => 'identities',     # subdir to identity storage directory
    'mediaDir'     => 'media',          # subdir to any css, js, images etc
    'htmlDir'      => 'html',           # subdir to html partials
    'mimeMap'      => {                 # a file ext to mime mapping
      'css'  => 'text/css',
      'html' => 'text/html',
      'js'   => 'text/javascript'
    }
  }
The following HTML partials can be used to override the web pages intended for human use:
- header.html
- defaultBody.html
- lookupKeysForm.html
- lookupIdentitiesForm.html
- uploadKeyForm.html
- uploadIdentityForm.html
- footer.html
SYNCHRONIZATION:
A ‘simpleHKP/echo’ class has been added which knows how to echo keys/identities from one key server to another.
For example, the following Ruby script could be placed into one of your machine’s /etc/daily directories, and it would ensure that all key servers are synchronized daily.

  #!/usr/bin/env ruby
  # A simple key/identity server synchronization example
  #
  # We use a hub-spoke model. We choose one "hub" key server to act as
  # the master key server and amalgamate all of the keys/identities from
  # the spoke key servers back to the hub key server. We then push the
  # amalgamated keys/identities in the hub back to the spokes, so that
  # after two passes, all key servers have the same keys/identities.

  require 'simpleHKP/echo'

  hubKeyServer    = 'hubKeyServer'
  spokeKeyServers = [ 'spokeKeyServer1', 'spokeKeyServer2', 'spokeKeyServer3' ]

  # Start by bringing all spoke keys/identities into the hub
  #
  spokeKeyServers.each do | aKeyServer |
    SimpleHKPEcho.echoFromTo(aKeyServer, hubKeyServer)
  end

  # now send the amalgamated hub keys/identities back to each spoke
  #
  spokeKeyServers.each do | aKeyServer |
    SimpleHKPEcho.echoFromTo(hubKeyServer, aKeyServer)
  end

Here “hubKeyServer” and “spokeKeyServerX” are the fully qualified domain names or IP addresses of each of your key servers.
The SimpleHKPEcho.echoFromTo method fails gracefully if a given key server is offline, by simply returning. In the example above, all other echo pairs (from, to) will still be tried.
To echo only the keys or only the identities, use SimpleHKPEcho.echoKeysFromTo or SimpleHKPEcho.echoIdentitiesFromTo respectively.
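Because the Security section asks that the servers stay inside a controlled domain or VPN, a daily sync job benefits from an explicit allow-list of peers and a record of which pairs were actually attempted. The driver below is an added example, not code from the gem: it builds the same two-pass hub/spoke plan as the script above for any number of spokes, refuses pairs naming a host outside the allow-list, and keeps trying the remaining pairs when one echo raises. The echo operation is injected as a callable so the file runs offline; in production you would pass `->(from, to) { SimpleHKPEcho.echoFromTo(from, to) }` after `require 'simpleHKP/echo'`. The allow-list, the log line format and the hostnames are this example's own conventions.

```ruby
#!/usr/bin/env ruby
# Added example (not code from the simple-gnupg-keyserver gem): a driver
# around the hub/spoke synchronization pattern. The echo itself is injected
# as a callable; in production use
#   ->(from, to) { SimpleHKPEcho.echoFromTo(from, to) }
# after `require 'simpleHKP/echo'`. Allow-list and log format are assumptions
# of this example, not part of the gem.

# Two-pass plan: every spoke into the hub, then the hub back out to every spoke.
def hub_spoke_plan(hub, spokes)
  spokes.map { |s| [s, hub] } + spokes.map { |s| [hub, s] }
end

# Runs each (from, to) pair through `echo`, skipping any pair that names a
# server outside `allowed`. Returns [attempted_pairs, refused_pairs]; `log`
# collects one line per pair so the daily run leaves an audit trail.
def run_sync(plan, allowed:, echo:, log: [])
  attempted = []
  refused = []
  plan.each do |from, to|
    unless allowed.include?(from) && allowed.include?(to)
      refused << [from, to]
      log << "REFUSED #{from} -> #{to}: not on allow-list"
      next
    end
    begin
      echo.call(from, to)
      attempted << [from, to]
      log << "ECHO #{from} -> #{to}"
    rescue StandardError => e
      # echoFromTo already returns quietly for an offline server; anything
      # else is logged and the remaining pairs are still tried.
      log << "ERROR #{from} -> #{to}: #{e.class}: #{e.message}"
    end
  end
  [attempted, refused]
end

if __FILE__ == $PROGRAM_NAME
  hub    = 'hub.keys.example.internal'                             # constructed hostnames
  spokes = %w[spoke1.keys.example.internal spoke2.keys.example.internal]
  log = []
  attempted, refused = run_sync(
    hub_spoke_plan(hub, spokes + ['rogue.example.com']),           # one host not on the list
    allowed: [hub] + spokes,
    echo: ->(from, to) { warn "would echo #{from} -> #{to}" },     # dry run
    log: log
  )
  puts log
  puts "attempted=#{attempted.size} refused=#{refused.size}"
end
```

Keep the allow-list in the script (or a root-owned file) rather than deriving it from the servers' own key listings, since the Security section notes that the set of servers and users is public; the list is what stops a mistyped or injected hostname from becoming a sync peer.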
REQUIREMENTS:
There are explicitly no external Ruby requirements other than Ruby itself and a Ruby web server (such as puma).
The web server host must have GnuPG2 installed.
INSTALL:
To install the simple-gnupg-keyserver gem:

  $ gem install simple-gnupg-keyserver
LICENSE:
(The MIT License)
Copyright © 2015 Stephen Gaito
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ‘Software’), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED ‘AS IS’, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.