PGP
My PGP Key
This page describes how to retrieve and verify my PGP public key.
I use PGP primarily for signing my custom kernels which I distribute. All source tarballs and Git tags created by me should be signed with this key. You can also use this key to encrypt sensitive email to me.
Details
Type | Primary UID | Fingerprint |
---|---|---|
ECC (Curve25519) | [email protected] | B82A 30B6 B359 60B7 2CF6 22EA C005 E3D3 9A5E D5A6 |
RSA (4096) | [email protected] | 0804 FE6A 3263 D008 B6A2 78E2 CE96 4AA2 C818 3D62 |
Getting My Key
● From my WKD server
gpg --with-wkd-hash --fingerprint [email protected]
● From a public key server
Curve25519:
gpg --keyserver hkp://pool.sks-keyservers.net --recv-key 0xEF5D84C1838F2EB6D8968C0410378EFC2080080C
RSA 4096:
gpg --keyserver hkp://pool.sks-keyservers.net --recv-key 0xEF5D84C1838F2EB6D8968C0410378EFC2080080C
● From my website
Alternatively, download my Curve25519 or RSA4096 key and import it into GPG:
gpg --import 0xEF5D84C1838F2EB6D8968C0410378EFC2080080C.pub.asc
Verifying My Key
It is important that you verify that the key you downloaded actually belongs to me.
● Best Option: Use the Debian Keyring (for Debian/Ubuntu users)
Since my key has been signed by several Debian Developers, you can check my key against the Debian keyring if you are a Debian or Ubuntu user.
First, install the debian-keyring package if it’s not already installed.
Then, check my key’s signatures using the Debian keyring:
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs [email protected]
You should look for the string sig! next to the ID of someone who is not me.
● Second-Best Option: Use the Web of Trust (for advanced users)
My key is signed by other people who have vouched for my identity. If you know how to use the Web of Trust, you can use it to verify my key.
● Weakest Option: Trust this Website
You can verify that the key you downloaded has the same fingerprint as is listed at the top of this page, provided that this page was served over HTTPS from my domain name. HTTPS provides some assurance that the page has not been altered. However, HTTPS is only as secure as the public certificate authority system. Thus you should consider this the weakest way to verify my key.
To calculate the fingerprint of the key you downloaded:
gpg --fingerprint [email protected]
Make sure the “Key fingerprint” that it outputs matches the fingerprint at the top of this page.
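As an added example (not the author's own tooling), the following Python script automates the two checks described above: it normalizes the fingerprints from the table at the top of the page and compares them with the fpr records in gpg --with-colons output, and it scans gpg --with-colons --check-sigs output for good (sig!) certifications made by key IDs other than the owner's own two keys. The sample gpg output, the names and the third-party key IDs in it are constructed for illustration.

```python
import re

# Fingerprints exactly as listed in the table at the top of this page.
MY_FINGERPRINTS = [
    "B82A 30B6 B359 60B7 2CF6 22EA C005 E3D3 9A5E D5A6",  # ECC (Curve25519)
    "0804 FE6A 3263 D008 B6A2 78E2 CE96 4AA2 C818 3D62",  # RSA (4096)
]

def normalize(fpr):
    """Drop whitespace and an optional 0x prefix and upper-case, so the human-readable
    form on the page and gpg's machine-readable form compare equal."""
    f = re.sub(r"\s+", "", fpr).upper()
    return f[2:] if f.startswith("0X") else f

def records(colon_output):
    """Split `gpg --with-colons` output into (record type, fields) pairs."""
    return [(line.split(":")[0], line.split(":")) for line in colon_output.splitlines() if line]

def fingerprint_matches(colon_output, expected):
    """True iff some fpr record (fingerprint is field 10) equals an expected fingerprint."""
    want = {normalize(f) for f in expected}
    return any(f[9] in want for t, f in records(colon_output) if t == "fpr")

def third_party_good_sigs(colon_output, owner_fingerprints):
    """Key IDs of good certifications (validity field '!') not made by the owner's own keys.
    The owner's long key IDs are the last 16 hex digits of the listed fingerprints, so a
    cross-signature between the owner's two keys does not count as independent vouching."""
    own = {normalize(f)[-16:] for f in owner_fingerprints}
    return sorted({f[4] for t, f in records(colon_output)
                   if t == "sig" and f[1] == "!" and f[4] not in own})

# Constructed sample of `gpg --with-colons --check-sigs` output (not real key data): a
# self-signature, a cross-signature from the owner's RSA key, one good third-party signature,
# and one signature that cannot be checked ('?') because the signer's key is not present.
SAMPLE_CHECK_SIGS = """\
pub:-:255:22:C005E3D39A5ED5A6:1500000000:::-:::scESC::::::23::0:
fpr:::::::::B82A30B6B35960B72CF622EAC005E3D39A5ED5A6:
uid:-::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Key Owner <owner@example.invalid>::::::::::0:
sig:!::22:C005E3D39A5ED5A6:1500000000::::Key Owner <owner@example.invalid>:13x:::::2:
sig:!::1:CE964AA2C8183D62:1500000100::::Key Owner <owner@example.invalid>:10x:::::2:
sig:!::1:0123456789ABCDEF:1510000000::::Some Debian Developer <dd@example.invalid>:10x:::::2:
sig:?::1:FEDCBA9876543210:1510000000::::[User ID not found]:10x:::::2:
"""

if __name__ == "__main__":
    print("fingerprint matches page:", fingerprint_matches(SAMPLE_CHECK_SIGS, MY_FINGERPRINTS))
    print("good third-party signatures from:", third_party_good_sigs(SAMPLE_CHECK_SIGS, MY_FINGERPRINTS))
```

Against a real key, feed the script the output of gpg --with-colons --fingerprint and gpg --with-colons --check-sigs run against the Debian keyring; an empty list from third_party_good_sigs means no independent party has vouched for the key.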
Using My Key
Once you have retrieved and verified my PGP key, you can use it to authenticate software that you have downloaded.
To verify a tarball, download both the tarball and the signature file (SIGFILE) to the same directory and run:
gpg --verify SIGFILE
Examine the output carefully for confirmation that the signature is good and came from my key.
To verify a Git tag (TAG), run:
git tag --verify TAG
Examine the output carefully for confirmation that the signature is good and came from my key.