GPG Sync works like this:
- The IT staff generates an "authority key". Then they create a keylist file include PGP fingerprints for all members of your organization, digitally sign this list with the authority key, and upload both the keylist and its signature to a website so that they're accessible from public URLs.
- All members of your organization install GPG Sync on their computers and configure it with the authority key's fingerprint and the URL of your keylist. (Now, all of your members will automatically and regularly fetch this URL and then refresh all of the non-revoked keys on the list from a keyserver.)
- When new keys in your organization are added, the IT staff adds them to the keylist, re-signs it with the authority key, and uploads the keylist and the signature to the same URLs. If users migrate to new keys, the IT leaves their old fingerprints on the list so that all other members can tell that their old keys were revoked.
Now each member of your organization will have up-to-date public keys for each other member, and key changes will be transitioned smoothly without any further work or interaction.
Here are some features:
- Complies with the in-progress Distributing OpenPGP Keys with Signed Keylist Subscriptions internet standard draft
- Works in macOS, Windows, and Linux
- Creates system tray applet that launches automatically on boot
- Downloads from HKPS key server by default, but customizable
- Supports fetching keylists over Tor or other SOCKS5 proxies
- Makes sure non-revoked public keys are refreshed once a day
- Works seamlessly with the web of trust
If you'd like to test out GPG Sync without creating your own authority key and keylist, you can use one that we created for testing.