fsfe-ams
/
openpgp-ca
5
1
Fork 0
Code Issues 0 Releases 0 Activity
OpenPGP CA container integrated with CD panel https://keys.fsfe.org
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
30 Commits
1 Branch
102 KiB
 
 
 
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
 ZIP  TAR.GZ
Max Mehl 2feae2620d
make REUSE compliant 		1 week ago
LICENSES make REUSE compliant 1 week ago
keys make REUSE compliant 1 week ago
wkd make REUSE compliant 1 week ago
.drone.yml make REUSE compliant 1 week ago
Dockerfile-ca make REUSE compliant 1 week ago
Dockerfile-restd make REUSE compliant 1 week ago
README.md make REUSE compliant 1 week ago
docker-compose.yml make REUSE compliant 1 week ago
reset-db.sh make REUSE compliant 1 week ago

README.md

OpenPGP CA

Build Status REUSE status

This is a custom installation of OpenPGP CA for the FSFE.

OpenPGP CA (certificate authority) is a tool for managing OpenPGP keys within groups or organizations. In the FSFE case, it allows FSFE users to import their public keys into our key store, have them signed by the FSFE CA, and make them available via WKD (Web Key Directory).

Structure

This project consists of three parts:

  1. openpgp-ca: the base service, managing the CA, and exporting WKD. Not running permanently.
  2. openpgp-ca-restd: the REST API that allows fsfe-cd (our user interface on my.fsfe.org) to interact with the OpenPGP CA database
  3. openpgp-ca-wkd: a simple webserver, exposing the WKD directory to the public.
  4. openpgp-ca-keys: a simple webserver, displaying keys.fsfe.org and providing the plain-text ASCII keys

The openpgp-ca-restd container is connected to the fsfe-cd Docker network.

Typical commands

Export WKD and plain-text files

The WKD has to be exported from openpgp-ca. Because this service does not run permanently, the following command has to be issued on the server's CLI:

docker run -v "/srv/openpgp-ca/data:/var/run/openpgp-ca/" -v "/srv/openpgp-ca/wkd:/tmp/wkd" openpgp-ca:latest wkd export /tmp/wkd/

Note that we have to mount the volumes explicitely.

In summary, we have the following cronjobs running:

# Export OpenPGP-CA WKD and ASCII keys, and once per day delete all keys to catch stale ones
2 2 * * * rm /srv/openpgp-ca/wkd/.well-known/openpgpkey/fsfe.org/hu/* > /dev/null 2>&1
3 2 * * * rm /srv/openpgp-ca/keys/* > /dev/null 2>&1
* * * * * docker run --rm -v "/srv/openpgp-ca/data:/var/run/openpgp-ca/" -v "/srv/openpgp-ca/wkd:/tmp/wkd" openpgp-ca:latest wkd export /tmp/wkd > /dev/null 2>&1
* * * * * docker run --rm -v "/srv/openpgp-ca/data:/var/run/openpgp-ca/" -v "/srv/openpgp-ca/keys:/tmp/keys" openpgp-ca:latest user export -p /tmp/keys > /dev/null 2>&1

FAQ

  • Why using Dockerfiles instead of direct links to the image registry? We want to build a docker image with a predicatable and short name, especially for openpgp-ca which we have to call from CLI to export the WKD. Therefore, we build images in which we can refer to tagged upstream images.