diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5cb4f86..f3d86a9 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -3,6 +3,7 @@ image: python:3.9-bullseye stages: - test +- integration - build - deploy - upload @@ -20,8 +21,9 @@ test: script: - pip3 install -e . - python3 -m coverage run --rcfile=setup.cfg -m unittest discover easywks - - python3 -m coverage combine - - python3 -m coverage report --rcfile=setup.cfg + artifacts: + paths: + - ".coverage*" codestyle: stage: test 
@@ -29,24 +31,61 @@ codestyle: - pip3 install -e . - pycodestyle easywks +easywksserver_gpgwksclient: + stage: integration + script: + - echo "openpgpkey" > /etc/hostname + - echo "127.0.0.1 openpgpkey.example.org openpgpkey example.org" > /etc/hosts + - pip3 install -e . + - apt update; apt install --yes gnupg2 socat ca-certificates + - openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/key.pem -out /etc/ssl/cert.pem -sha256 -days 365 -nodes -subj '/CN=openpgpkey.example.org' + - cp /etc/ssl/cert.pem /usr/local/share/ca-certificates/local.crt + - update-ca-certificates + - mkdir -p /tmp/easywks + - | + cat > /tmp/easywks.yml <- + export FINGERPRINT="$(gpg --with-colons --fingerprint alice@example.org | grep -A1 ^pub | grep ^fpr | cut -d: -f10)" + - /usr/lib/gnupg/gpg-wks-client --supported alice@example.org + - /usr/lib/gnupg/gpg-wks-client --check gpgwks@example.org + - PUBREQ="$(/usr/lib/gnupg/gpg-wks-client --create "${FINGERPRINT}" alice@example.org)" + - CONFREQ="$(echo "${PUBREQ}" | easywks --config /tmp/easywks.yml process)" + - CONFRESP="$(echo "${CONFREQ}" | /usr/lib/gnupg/gpg-wks-client --receive --verbose)" + - PUBRESP="$(echo "${CONFRESP}" | easywks --config /tmp/easywks.yml process)" + - echo "${PUBRESP}" | gpg --batch --decrypt + - /usr/lib/gnupg/gpg-wks-client --check alice@example.org + - export GNUPGHOME=/tmp/gpg + - gpg --auto-key-locate=clear,wkd,nodefault --locate-keys alice@example.org + - kill %2 + - kill %1 -# currently not working for some reason -#build_docker: -# stage: build -# script: -# - apt update && apt install --yes docker.io -# - docker build -t "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_SHA" -f package/docker/Dockerfile . 
-# - docker tag "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_SHA" "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_REF_NAME" -# - if [[ -n "$CI_COMMIT_TAG" ]]; then docker tag "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_SHA" "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_TAG"; fi -# - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD registry.gitlab.com -# - docker push "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_SHA" -# - docker push "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_REF_NAME" -# - if [[ -n "$CI_COMMIT_TAG" ]]; then docker push "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_TAG"; fi -# only: -# - staging -# - tags +coverage: + stage: integration + coverage: >- + /(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/ + script: + - python3 -m coverage combine + - python3 -m coverage report --rcfile=setup.cfg + build_wheel: stage: build script: diff --git a/easywks/types.py b/easywks/types.py index 7207f28..e5e8956 100644 --- a/easywks/types.py +++ b/easywks/types.py 
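Review bot: In the new easywksserver_gpgwksclient job, `apt update; apt install --yes gnupg2 socat ca-certificates` joins the two commands with `;`, so a failed index refresh is ignored and the install runs against a stale or empty package index; write `- apt update && apt install --yes gnupg2 socat ca-certificates` so the line fails as a whole. The new `coverage` job runs `python3 -m coverage combine` and `coverage report` without installing anything, whereas the `test` job that produced the `.coverage*` artifacts got `coverage` through `pip3 install -e .`; unless the base image already ships it, this job will fail on the missing module, so a `- pip3 install -e .` line before `combine` is presumably needed. The heredoc that writes /tmp/easywks.yml and the lines that start the background processes later stopped by `kill %2` / `kill %1` are not legible in this hunk, so they are not reviewed here.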
@@ -89,11 +89,14 @@ class ConfirmationRequest:
 encrypted = self._key.encrypt(to_encrypt)
 mpenc = MIMEApplication(str(encrypted), _subtype='vnd.gnupg.wks')
 mixed = MIMEMultipart(_subtype='mixed', _subparts=[mpplain, mpenc])
- to_sign = PGPMessage.new(mixed.as_string(policy=default))
+ to_sign = PGPMessage.new(mixed.as_string(policy=default).replace('\n', '\r\n'))
 sig = pgp_sign(self.domain, to_sign)
- mpsig = MIMEApplication(str(sig), _subtype='pgp-signature')
- email = MIMEMultipart(_subtype='signed', _subparts=[mixed, mpsig], policy=default,
+ mpsig = MIMEApplication(str(sig), _subtype='pgp-signature', name='signature.asc', _encoder=encode_noop)
+ mpsig['Content-Description'] = 'OpenPGP digital signature'
+ mpsig['Content-Disposition'] = 'attachment; filename="signature"'
+ email = MIMEMultipart(_subtype=f'signed', _subparts=[mixed, mpsig], policy=default,
 protocol='application/pgp-signature')
+ email.set_param('micalg', f'pgp-{str(sig.hash_algorithm).split(".",1)[1].lower()}', requote=False)
 email['Subject'] = 'Confirm your key publication'
 email['To'] = self._submitter_addr
 email['From'] = self._submission_addr
@@ -184,8 +187,8 @@ class PublishResponse:
 submission=self.submission_address)
 mpplain = MIMEText(mail_text, _subtype='plain')
 to_encrypt = PGPMessage.new(mpplain.as_string(policy=default))
+ to_encrypt |= pgp_sign(self.domain, to_encrypt)
 encrypted: PGPMessage = self.key.encrypt(to_encrypt)
- encrypted |= pgp_sign(self.domain, encrypted)
 payload = MIMEApplication(str(encrypted), _subtype='octet-stream', _encoder=encode_noop)
 mpenc = MIMEApplication('Version: 1\r\n', _subtype='pgp-encrypted', _encoder=encode_noop)
 email = MIMEMultipart(_subtype='encrypted', _subparts=[mpenc, payload], policy=default,
diff --git a/test/genkey.sh b/test/genkey.sh
new file mode 100755
index 0000000..4b5fe95
--- /dev/null
+++ b/test/genkey.sh
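Review bot: The micalg parameter is derived by parsing the enum's repr, `str(sig.hash_algorithm).split(".",1)[1].lower()`, which raises IndexError if the repr ever lacks a dot and silently changes if the repr format changes; if `hash_algorithm` is PGPy's `HashAlgorithm` IntEnum, `email.set_param('micalg', f'pgp-{sig.hash_algorithm.name.lower()}', requote=False)` says the same thing directly. `_subtype=f'signed'` is an f-string with no placeholders and should be the plain literal `'signed'`. The `.replace('\n', '\r\n')` on `mixed.as_string(policy=default)` turns any CRLF already present into `\r\r\n`, which would corrupt the signed text; `mixed.as_string(policy=default.clone(linesep='\r\n'))` should yield the canonical form without that risk, provided no part already carries bare CRs. The enclosing method starts before the hunk.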
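Review bot: Signing the cleartext and then encrypting (`to_encrypt |= pgp_sign(...)` before `self.key.encrypt`) is the correct order, but nothing in the code says why, and the removed line shows the order was once reversed so a reader may "simplify" it back; add a comment above the new line such as `# Sign the cleartext, then encrypt the signed message (RFC 3156 combined method): the signature must sit inside the encryption layer so the recipient can verify it after decryption.` The enclosing method starts and ends outside the hunk.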
@@ -0,0 +1,24 @@ +#!/bin/bash + +cat >/tmp/keygen <" +done +gpg --export --armor "${1}" > "/tmp/${1}.asc" +for uid in $@; do + gpg --export --armor "${uid}" > "/tmp/${uid}.asc" +done
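Review bot: `for uid in $@; do` leaves `$@` unquoted, so a user id containing whitespace is split into several words and exported under the wrong name; write `for uid in "$@"; do`. The loop also exports `${1}` again to `/tmp/${1}.asc`, which the preceding `gpg --export --armor "${1}" > "/tmp/${1}.asc"` line has just written, so one of the two is redundant. The heredoc that writes /tmp/keygen is not legible in this hunk, so its contents are not reviewed here.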