According to draft RFC [1], a WKD server should be hosted at either one of these two domains:

- Apex domain: gentoo.org
- Subdomain: openpgpkey.gentoo.org

The apex domain, however, gets redirected in Gentoo's case, which causes the following warning:

❯ gpg -v --auto-key-locate wkd --locate-external-keys infrastructure@gentoo.org
gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
gpg: (further info: changed from 'https://gentoo.org/.well-known/openpgpkey/hu/gzhmqtt9d5d1y1bw4ufs47npj5wn8pyx?l=infrastructure' to 'https://www.gentoo.org/.well-known/openpgpkey/hu/gzhmqtt9d5d1y1bw4ufs47npj5wn8pyx?l=infrastructure')
etc.

You should either disable non-www to www redirects for paths starting with "/.well-known/openpgpkey/" or switch over to the subdomain openpgpkey.gentoo.org. The latter case, however, requires different paths and thus a bit more work. In the referenced RFC, these examples are given:

https://example.org/.well-known/openpgpkey/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe

vs

https://openpgpkey.example.org/.well-known/openpgpkey/example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe

[1] https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service#section-3.1
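The two URL forms above are derived mechanically from the address: the local part is lower-cased, SHA-1 hashed and z-base-32 encoded. The following script is an added illustration, not part of the bug report or of GnuPG; it assumes the domain part is lower-cased and that the l= parameter is passed through unencoded, and it includes a small helper that flags the host change seen in the gpg warning.

```python
import hashlib
from urllib.parse import urlsplit

# z-base-32 alphabet (RFC 6189 section 5.1.6), the encoding the WKD draft prescribes.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, MSB first, no padding."""
    nchars = (len(data) * 8 + 4) // 5  # a 20-byte SHA-1 digest yields 32 characters
    value = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars)
    )


def wkd_hash(local_part: str) -> str:
    """Lower-case the local part, SHA-1 it and z-base-32 encode the digest."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the direct (apex) and advanced (openpgpkey subdomain) lookup URLs.

    Assumption: the domain is lower-cased and the l= query parameter is the
    local part as given; a real client would percent-encode unusual local parts.
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    digest = wkd_hash(local_part)
    base = "/.well-known/openpgpkey"
    return {
        "direct": f"https://{domain}{base}/hu/{digest}?l={local_part}",
        "advanced": f"https://openpgpkey.{domain}{base}/{domain}/hu/{digest}?l={local_part}",
    }


def redirect_changes_host(requested_url: str, location: str) -> bool:
    """True when a 3xx Location header points at a different host than requested,
    i.e. the gentoo.org -> www.gentoo.org situation shown in the warning above."""
    return urlsplit(requested_url).hostname != urlsplit(location).hostname


if __name__ == "__main__":
    for address in ("Joe.Doe@Example.ORG", "infrastructure@gentoo.org"):
        for method, url in wkd_urls(address).items():
            print(f"{address:28} {method:9} {url}")
```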
Honestly, I'd rather admit that it's 2022 and reverse the redirect rather than forcing www. like we were living in the 90s.
The only drawback of only using the apex domain (gentoo.org) that comes to mind is the scope of cookies if they are set with the "domain=gentoo.org" attribute:

> The Domain attribute specifies which hosts can receive a cookie.
> If unspecified, the attribute defaults to the same host
> that set the cookie, excluding subdomains.
> If Domain is specified, then subdomains are always included.
> Therefore, specifying Domain is less restrictive than omitting it.

Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#domain_attribute

In that case, the cookies can be used for the apex domain as well as all subdomains, which is most likely something that isn't desired.
app-portage/gemato only supports the WKD fetch of public keys that are hosted on the apex domain: https://github.com/projg2/gemato/blob/805ca36a222c5649b16134e818f8c8b23415c7a2/gemato/openpgp.py#L70
WKD advanced is online again.

$ T=$(mktemp -d) ; gpg --homedir $T --auto-key-locate wkd --locate-external-keys infrastructure@gentoo.org releng@gentoo.org repomirrorci@gentoo.org ; rm -rf "$T"
gpg: keybox '/tmp/tmp.KcIpfNLMh3/pubring.kbx' created
gpg: /tmp/tmp.KcIpfNLMh3/trustdb.gpg: trustdb created
gpg: key A13D0EF1914E7A72: public key "Gentoo repository mirrors (automated git signing key) <repomirrorci@gentoo.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
gpg: key 9E6438C817072058: public key "Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>" imported
gpg: key BB572E0E2D182910: public key "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" imported
gpg: Total number processed: 2
gpg:               imported: 2
gpg: no ultimately trusted keys found
gpg: key DB6B8C1F96D8BF6D: public key "Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
pub   rsa4096 2018-05-28 [C] [expires: 2024-07-01]
      EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72
uid           [ unknown] Gentoo repository mirrors (automated git signing key) <repomirrorci@gentoo.org>
sub   rsa2048 2018-05-28 [S] [expires: 2024-07-01]

pub   dsa1024 2004-07-20 [SC] [expires: 2024-01-01]
      D99EAC7379A850BCE47DA5F29E6438C817072058
uid           [ unknown] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>
sub   elg2048 2004-07-20 [E] [expires: 2024-01-01]

pub   rsa4096 2011-11-25 [C] [expires: 2024-07-01]
      DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
uid           [ unknown] Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>
sub   rsa4096 2011-11-25 [S] [expires: 2024-07-01]