GPG-WKS-CLIENT(1)                                      GNU Privacy Guard 2.2                                      GPG-WKS-CLIENT(1)

       gpg-wks-client - Client for the Web Key Service

       gpg-wks-client [options] --supported user-id
       gpg-wks-client [options] --check user-id
       gpg-wks-client [options] --create fingerprint user-id
       gpg-wks-client [options] --receive
       gpg-wks-client [options] --read
       gpg-wks-client [options] --mirror
       gpg-wks-client [options] --install-key
       gpg-wks-client [options] --remove-key
       gpg-wks-client [options] --print-wkd-hash
       gpg-wks-client [options] --print-wkd-url

       The  gpg-wks-client is used to send requests to a Web Key Service provider.  This is usually done to upload a key into a Web
       Key Directory.

       With the --supported command the caller can test whether a site supports the Web Key Service.  The argument is an  arbitrary
       address  in  the  to be tested domain. For example ‘’.  The command returns success if the Web Key Service is
       supported.  The operation is silent; to get diagnostic output use the option --verbose.   See  option  --with-colons  for  a
       variant of this command.

       With  the --check command the caller can test whether a key exists for a supplied mail address.  The command returns success
       if a key is available.

       The --create command is used to send a request for publication in the Web Key Directory.  The arguments are the  fingerprint
       of  the key and the user id to publish.  The output from the command is a properly formatted mail with all standard headers.
       This mail can be fed to sendmail(8) or any other tool to actually send that mail.  If sendmail(8) is  installed  the  option
       --send  can be used to directly send the created request.  If the provider request a 'mailbox-only' user id and no such user
       id is found, gpg-wks-client will try an additional user id.

       The --receive and --read commands are used to process confirmation mails as send from the service provider.  The former  ex‐
       pects  an  encrypted  MIME messages, the latter an already decrypted MIME message.  The result of these commands are another
       mail which can be send in the same way as the mail created with --create.

       The command --install-key manually installs a key into a local directory (see option -C) reflecting the structure of a  WKD.
       The  arguments  are  a file with the keyblock and the user-id to install.  If the first argument resembles a fingerprint the
       key is taken from the current keyring; to force the use of a file, prefix the first argument with "./".  If no arguments are
       given  the parameters are read from stdin; the expected format are lines with the fingerprint and the mailbox separated by a
       space.  The command --remove-key removes a key from that directory, its only argument is a user-id.

       The command --mirror is similar to --install-key but takes the keys from the the LDAP server configured for Dirmngr.  If  no
       arguments are given all keys and user ids are installed.  If arguments are given they are taken as domain names to limit the
       to be installed keys.  The option --blacklist may be used to further limit the to be installed keys.

       The command --print-wkd-hash prints the WKD user-id identifiers and the corresponding mailboxes from the user-ids  given  on
       the command line or via stdin (one user-id per line).

       The  command --print-wkd-url prints the URLs used to fetch the key for the given user-ids from WKD.  The meanwhile preferred
       format with sub-domains is used here.

       gpg-wks-client is not commonly invoked directly and thus it is not installed in the bin directory.  Here is an  example  how
       it can be invoked manually to check for a Web Key Directory entry for ‘’:

         $(gpgconf --list-dirs libexecdir)/gpg-wks-client --check

       gpg-wks-client understands these options:

       --send Directly send created mails using the sendmail command.  Requires installation of that command.

              This option has currently only an effect on the --supported command.  If it is used all arguments on the command line
              are taken as domain names and tested for WKD support.  The output format is one line per domain with colon  delimited
              fields.  The currently specified fields are (future versions may specify additional fields):

              1 - domain
                     This  is  the domain name.  Although quoting is not required for valid domain names this field is specified to
                     be quoted in standard C manner.

              2 - WKD
                     If the value is true the domain supports the Web Key Directory.

              3 - WKS
                     If the value is true the domain supports the Web Key Service protocol to upload keys to the directory.

              4 - error-code
                     This may contain an gpg-error code to describe certain failures.  Use ‘gpg-error CODE’ to explain the code.

              5 - protocol-version
                     The minimum protocol version supported by the server.

              6 - auth-submit
                     The auth-submit flag from the policy file of the server.

              7 - mailbox-only
                     The mailbox-only flag from the policy file of the server.

       --output file
       -o     Write the created mail to file instead of stdout.  Note that the value - for file is the same as writing to stdout.

       --status-fd n
              Write special status strings to the file descriptor n.  This program returns only  the  status  messages  SUCCESS  or
              FAILURE  which  are  helpful  when the caller uses a double fork approach and can't easily get the return code of the

       -C dir
       --directory dir
              Use dir as top level directory for the commands --mirror, --install-key and --remove-key.  The default  is  ‘openpgp‐

       --blacklist file
              This  option  is  used to exclude certain mail addresses from a mirror operation.  The format of file is one mail ad‐
              dress (just the addrspec, e.g. "") per line.  Empty lines and lines starting with a '#' are ignored.

              Enable extra informational output.

              Disable almost all informational output.

              Print version of the program and exit.

       --help Display a brief help page and exit.


GnuPG 2.2.40                                                 2022-10-07                                           GPG-WKS-CLIENT(1)