File: README.md

package info (click to toggle)
sks 1.1.6-14
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 2,296 kB
  • sloc: ml: 15,228; ansic: 1,069; sh: 358; makefile: 347
file content (243 lines) | stat: -rw-r--r-- 8,556 bytes parent folder | download | duplicates (3)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
SKS Keyserver
=============

The following is an incomplete guide to compiling, setting up and using SKS.
Hopefully this is enough to get you started, in addition there is a wiki available, 
where in particular <https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering> 
should help getting a working installation. 

Prerequisites
-------------

There are a few prerequisites to building this code.  You need:

* OCaml-4.0 or later.  Get it from <http://ocaml.org>
* Berkeley DB version 4.6.* or later.  You can find the
  appropriate versions at
  <http://www.oracle.com/technetwork/database/berkeleydb/downloads/index.html>
* GNU Make and a C compiler (e.g gcc) 

  Verifying the integrity of the download
----------------------------
Releases of SKS are signed using the SKS Keyserver Signing Key
available on public keyservers with the KeyID

    0x41259773973A612A
	
and has a fingerprint of

    C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A.
	
Using GnuPG, verification can be accomplished by, first, retrieving the signing
key using

    gpg --keyserver pool.sks-keyservers.net --recv-key 0x41259773973A612A
	
followed by verifying that you have the correct key

    gpg --keyid-format long --fingerprint 0x41259773973A612A

should produce:

    pub   4096R/41259773973A612A 2012-06-27
    Key fingerprint = C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A
		
A check should also be made that the key is signed by
trustworthy other keys;

    gpg --list-sigs 0x41259773973A612A

and the fingerprint should be verified through other trustworthy sources.
			
Once you are certain that you have the correct key downloaded, you can create
a local signature, in order to remember that you have verified the key.

     gpg --lsign-key 0x41259773973A612A

Finally; verifying the downloaded file can be done using

    gpg --keyid-format long --verify sks-x.y.z.tgz.asc

The resulting output should be similar to
	
    gpg: Signature made Wed Jun 27 12:52:39 2012 CEST
    gpg:                using RSA key 41259773973A612A
    gpg: Good signature from "SKS Keyserver Signing Key"

  Compilation and Installation
----------------------------

  * Install OCaml and Berkeley DB

    When installing ocaml, make sure you do both the `make world` and
    the `make opt` steps before installing.  The later makes sure you
    get the optimizing compilers.  (do make opt.opt if you want faster
    compilation.  You can then set the environment variables `OCAMLC`,
    `OCAMLOPT` and `CALMP4O` to `ocamlc.opt`, `ocamlopt.opt` and
    `camlp4o.opt` respectively.)

    If your vendor or porting project supplies prebuilt binaries and
    libraries for Berkeley DB, make sure to get the development
    package as you will need the correct version include files.

  * Copy `Makefile.local.unused` to `Makefile.local`, and edit to
    match your installation.

  * Compile

        make dep
        make all
        make all.bc # if you want the bytecode versions
        make install # puts executables in $PREFIX/bin, as defined
                     # in Makefile.local

    There are some other useful compilation targets, mostly useful for
    development.

      - `make doc`

        creates a doc directory with ocamldoc-generated documentation
        of the individual modules.  These are mostly useful as
        documentation to the source code, not a user's guide.

      - `make modules.ps`

        Creates a ps-file that shows the dependencies between
        different modules, and gives you a sense of the overall
        structure of the system.  For this to work you need to have
        AT&T's graphviz installed, as well as python2.  The python
        script that's used actually requires that python2 be called
        python2, rather than python.  You can of course edit that
        script.

Setup and Configuration
-----------------------

You need to set up a directory for the SKS installation.  It will
contain the database files along with configuration and log files.

Configuration options can be passed in on the command-line or put in
the `sksconf` file in the SKS directory.  the `-basedir` option
specifies the SKS directory itself, which defaults to the current
working directory.

### Sksconf and commandline options

The format of the sksconf file is simply a bunch of lines of the
form:

    keyword: value

The `#` character is used for comments, and blank lines are
ignored.  The keywords are just the command-line flags, minus the
initial `-`.

The one thing you probably want no matter what is a line that says

    logfile: log

which ensures that sks will output messages to `recon.log` and
`db.log` respectively.

### Membership file

If you want your server to gossip with others, you will need a
membership file which tells the `sks recon` who else to gossip with.
The membership file should look something like:

    epidemic.cs.cornell.edu 11370
    athos.rutgers.edu 11370
    ...

This file should be called `membership`, and should be stored in the
SKS directory.  Note that in order for synchronization to work, both
hosts have to have each other in their membership lists.  Send mail to
<sks-devel@nongnu.org> to get other SKS administrators to add you to
their membership lists.

**IMPORTANT NOTE**: if you include the server itself in the membership
file, you should make sure that you also specify the `hostname`
option, and that the selected hostname is exactly the same string
listed in the membership file.  Otherwise, the `sks recon` will try to
synchronize with itself and will deadlock.

### Outgoing PKS synchronization: mailsync file

The mailsync file contains a list of email addresses of PKS
keyservers.  This file is important, because it ensures that keys
submitted directly to an SKS keyserver are also forwarded to PKS
keyservers.

**IMPORTANT**: don't add someone to your mailsync file without getting
their permission first!

In order for outgoing email sync's to work, you need to specify a
command to actually send the email out.  The default is `sendmail -t
-oi`, but you may need something different.

### Incoming PKS synchronization

Incoming PKS synchronization is less critical than outgoing,
since as long as some SKS server gets the new data, it will be
distributed to all.  Having more hosts receive the incoming PKS
syncs does, however, increase the fault-tolerance of the
connection between the two systems.

In order to get incoming mail working, you should pipe the appropriate
incoming mail to the following command via procmail:

    sks_add_mail sks_directory_name

Here's an example procmail entry:

    PATH=/path/of/sks/exectuables

    :0
    * ^Subject: incremental
    | sks_add_mail sks_directory_name


### Built-in webserver

You can server up a simple index page directly from the port
you're using for HKP.  This is done by creating a subdirectory in
your SKS directory called `web`.  There, you can put an index file
named `index.html`, `index.htm`, `index.xhtm`, or `index.xhtml`,
supporting files with extensions .css, .es, or .js, and some image
files with extensions jpg, jpeg, png or gif. Subdirectories will
be ignored, as will filenames with anything other than
alphanumeric characters and the '.'  character.  This is
particularly useful if you want to run your webserver off of port
80.  This can be done by using the -hkp_port command-line option.


Building up the databases
-------------------------

  - First, you need to get a keydump.  If you're running a PKS server,
    you should be able to convince PKS to generate one for you.  If
    you're starting from scratch, you'll need to download one from the
    net.  You should contact the pgp keyserver list
    <pgp-keyserver-folk@flame.org>

  - in the SKS directory, put in a subdirectory called `dump` which
    contains the keydump files from which the database is to be built.

  - Run sks_build.sh.  That script actually runs three utilities.  You
    might want to edit sks_build.sh if you want to trade off speed for
    space usage.  At the current settings, you could run out of ram if
    you try this with less then 256 megs of RAM.

**DO NOT DELETE THE `dump` DIRECTORY**, even after the database is
built.  The original keys are not copied to the database, and so the
dump must be left in place.

Platform specific issues
------------------------

### FreeBSD ###

On FreeBSD it appears that libdb is named differently than on some
other platforms.  For that reason, you need to set the LIBDB
environment value to `-ldb46` instead of `-ldb-4.6` for other
platfomrs.