add pgp_key support contact field for /.well-known/matrix/support (MSC4439)

x86pup · jevolk · commit 684df56b4917 · 2026-05-23T08:51:38.000Z
matrix-org/matrix-spec-proposals#4439 Signed-off-by: June Strawberry <june@girlboss.ceo>
diff --git a/Cargo.toml b/Cargo.toml
@@ -392,6 +392,7 @@ features = [
     "unstable-msc4310",
     "unstable-msc4311",
     "unstable-msc4383",
+    "unstable-msc4439",
     "unstable-msc4466",
     "unstable-extensible-events",
 ]
diff --git a/docs/development/compliance/msc.md b/docs/development/compliance/msc.md
@@ -18,17 +18,17 @@
 
 ## Counts
 
-- ✅ `yes`: 216
+- ✅ `yes`: 217
 - 🟨 `partial`: 59
-- ❌ `no`: 457
+- ❌ `no`: 456
 - ⬛ `n/a`: 292
 
 ### Status by inventory bucket
 
 | Inv | yes | partial | no | n/a | total |
 |---|---|---|---|---|---|
 | merged | 150 | 30 | 12 | 64 | 256 |
-| open | 58 | 28 | 406 | 176 | 668 |
+| open | 59 | 28 | 405 | 176 | 668 |
 | closed | 8 | 1 | 39 | 52 | 100 |
 
 ## Merged
@@ -314,7 +314,7 @@ in the [Out of scope](#out-of-scope) section.
 | MSC4446 | ❌ ● | 0/0 | Allow moving the fully read marker to older events | No allow_backward field; no monotonicity check on m.fully_read |
 | MSC4445 | ❌ ◐ | 0/0 | Clarify `/sync` timeline order | No msc4445 unstable_features flags advertised |
 | MSC4440 | ❌ ● | 0/0 | Profile Biography via Global Profiles | Generic MSC4133 passthrough only; no m.biography validation |
-| MSC4439 | ❌ ● | 0/0 | Encryption key URIs in `/.well-known/matrix/support` | No pgp_key field on /.well-known/matrix/support contacts |
+| MSC4439 | ✅ ● | 80/90 | Encryption key URIs in `/.well-known/matrix/support` | src/api/client/well_known.rs:58; pgp_key plumbed via ruma unstable-msc4439 |
 | MSC4438 | ✅ ● | 100/100 | Message bookmarks via account data | Pure account-data convention; existing endpoints store arbitrary types |
 | MSC4437 | ❌ ● | 0/0 | Endpoint to replace entire profile | No PUT /_matrix/client/v3/profile/{userId} replace-all endpoint |
 | MSC4436 | ✅ ● | 100/100 | Make server ACLs case insensitive | Ruma is_allowed uses WildMatch::new_case_insensitive |
diff --git a/src/api/client/well_known.rs b/src/api/client/well_known.rs
@@ -38,38 +38,24 @@ pub(crate) async fn well_known_support(
 	_body: Ruma<discover_support::Request>,
 ) -> Result<discover_support::Response> {
 	let support_page = services
-		.server
 		.config
 		.well_known
 		.support_page
 		.as_ref()
 		.map(ToString::to_string);
 
-	let role = services
-		.server
-		.config
-		.well_known
-		.support_role
-		.clone();
+	let role = services.config.well_known.support_role.clone();
 
 	// support page or role must be either defined for this to be valid
 	if support_page.is_none() && role.is_none() {
 		return Err!(Request(NotFound("Not found.")));
 	}
 
-	let email_address = services
-		.server
-		.config
-		.well_known
-		.support_email
-		.clone();
+	let email_address = services.config.well_known.support_email.clone();
 
-	let matrix_id = services
-		.server
-		.config
-		.well_known
-		.support_mxid
-		.clone();
+	let matrix_id = services.config.well_known.support_mxid.clone();
+
+	let pgp_key = services.config.well_known.support_pgp_key.clone();
 
 	// if a role is specified, an email address or matrix id is required
 	if role.is_some() && (email_address.is_none() && matrix_id.is_none()) {
@@ -80,7 +66,7 @@ pub(crate) async fn well_known_support(
 	let mut contacts: Vec<Contact> = vec![];
 
 	if let Some(role) = role {
-		let contact = Contact { role, email_address, matrix_id };
+		let contact = Contact { role, email_address, matrix_id, pgp_key };
 
 		contacts.push(contact);
 	}
diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs
@@ -2811,6 +2811,21 @@ pub struct WellKnownConfig {
 	/// reloadable: yes
 	pub support_mxid: Option<OwnedUserId>,
 
+	/// The PGP key (i.e. OpenPGP) that one may use for encrypted communications
+	/// for the above support role. No specific format is mandated for this
+	/// field or by the spec proposal. This field can contain a URL to a PGP
+	/// key, the 64-bit long ID, the OPENPGPKEY DNS record, or just the full
+	/// fingerprint.
+	///
+	/// Full/raw key content must not be here.
+	///
+	/// As this is a spec proposal (MSC4439), the identifier/prefix for this
+	/// field is currently "dev.zirco.msc4439.pgp_key"
+	///
+	/// reloadable: yes
+	/// example: "openpgp4fpr:8B77919975EAFA5E2456EE03665FE73077489DB0"
+	pub support_pgp_key: Option<String>,
+
 	/// LiveKit JWT endpoint.
 	/// Required for Element Call / MatrixRTC (MSC4143).
 	///
diff --git a/tuwunel-example.toml b/tuwunel-example.toml
@@ -2462,6 +2462,22 @@
 #
 #support_mxid =
 
+# The PGP key (i.e. OpenPGP) that one may use for encrypted communications
+# for the above support role. No specific format is mandated for this
+# field or by the spec proposal. This field can contain a URL to a PGP
+# key, the 64-bit long ID, the OPENPGPKEY DNS record, or just the full
+# fingerprint.
+#
+# Full/raw key content must not be here.
+#
+# As this is a spec proposal (MSC4439), the identifier/prefix for this
+# field is currently "dev.zirco.msc4439.pgp_key"
+#
+# reloadable: yes
+# example: "openpgp4fpr:8B77919975EAFA5E2456EE03665FE73077489DB0"
+#
+#support_pgp_key =
+
 # LiveKit JWT endpoint.
 # Required for Element Call / MatrixRTC (MSC4143).
 #

Original file line number	Diff line number	Diff line change
`@@ -392,6 +392,7 @@ features = [`
`392`	`392`	`"unstable-msc4310",`
`393`	`393`	`"unstable-msc4311",`
`394`	`394`	`"unstable-msc4383",`
	`395`	`+ "unstable-msc4439",`
`395`	`396`	`"unstable-msc4466",`
`396`	`397`	`"unstable-extensible-events",`
`397`	`398`	`]`