Web Key Directory

WKD is a protocol to ship PGP keys to users. GnuPG implements it as of at least 2019.

See WKD for details from upstream.

Torproject only implements key retrieval, which works using HTTPS GET requests, and not any of the update mechanisms.

The directory is populated from the tor account-keyring. When updates are pushed to the repo on alberti, a hook will rebuild the keyring, rebuild the wkd directory tree, and push updates to the static mirrors. Note that only keys with @torproject.org UIDs are included.

To build the tree, we currently use Debian's update-keyrings script.

Key retrivals can be tested using gpg's wks client:

weasel@orinoco:~$ systemctl --user stop dirmngr.service
Warning: Stopping dirmngr.service, but it can still be activated by:
weasel@orinoco:~$ /usr/lib/gnupg/gpg-wks-client --check al@torproject.org && echo yay || echo boo