Mikaela/pgp-alt-wot
1
0
Fork 0
mirror of https://gitea.blesmrt.net/mikaela/pgp-alt-wot.git synced 2026-05-20 23:03:58 +02:00
Code Issues Projects Releases Wiki Activity
83 Commits 1 Branch 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Aminda Suomalainen 2517c814b8
software/mozilla-releases.asc: re-export with updated signature
2025-05-14 14:41:05 +03:00
crypto-exchange
add crypto-exchange/kraken-{ads,support}.asc
2020-02-22 00:21:51 +02:00
effi
effi: add README.md to avoid ambiguosity
2020-01-28 13:37:01 +02:00
email-cloaking
add email-cloaking/anonaddy.asc
2020-03-03 17:18:43 +02:00
feneas
feneas: add hq-feneas-org.asc
2020-03-21 10:32:56 +02:00
friends
friends: add ccx
2022-06-24 21:48:25 +03:00
gnupg
gnupg: add {andre,niibe,werner}.asc
2021-09-15 19:03:36 +03:00
LICENSES
import pre-commit changes from other projects
2025-05-14 14:39:02 +03:00
me
me.asc: update with UIDs and signatures
2022-06-24 22:37:50 +03:00
minisign
import pre-commit changes from other projects
2025-05-14 14:39:02 +03:00
ncsc-fi
ncsc-fi: add advisory, news and signing keys
2020-02-22 00:29:27 +02:00
pirates
fix names
2021-02-13 16:59:19 +02:00
privacytools
privacytools: update jonah.asc
2020-02-22 11:59:21 +02:00
services
services: add creep.im.asc
2020-05-09 16:37:21 +03:00
software
software/mozilla-releases.asc: re-export with updated signature
2025-05-14 14:41:05 +03:00
vpn
vpn: add mullvad-code.asc & mullvad-support.asc
2020-02-22 00:34:28 +02:00
.editorconfig
configure pre-commit
2023-05-09 13:33:23 +03:00
.gitattributes
add simple .gitattributes & .editorconfig
2023-02-17 14:33:13 +02:00
.gitignore
add .gitignore
2024-01-06 18:19:25 +02:00
.pre-commit-config.yaml
import pre-commit changes from other projects
2025-05-14 14:39:02 +03:00
me.asc
update README & me/ & add my Unicus key
2020-03-13 19:57:48 +02:00
package.json
import pre-commit changes from other projects
2025-05-14 14:39:02 +03:00
pnpm-lock.yaml
import pre-commit changes from other projects
2025-05-14 14:39:02 +03:00
README.md
import pre-commit changes from other projects
2025-05-14 14:39:02 +03:00
REUSE.toml
import pre-commit changes from other projects
2025-05-14 14:39:02 +03:00

README.md 

# pgp-alt-wot

PGP keys signed by me so I don't have to validate the same keys again-and-again
and can just trust my own paper verified fingerprint in the subsequent
validations.

WoT? [Web Of Trust](https://en.wikipedia.org/wiki/Web_of_trust)

<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

- [Why?](#why)
- [Inclusion policy](#inclusion-policy)
- [Places to check for keys](#places-to-check-for-keys)
- [Mirrors](#mirrors)
- [See also](#see-also)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

## Why?

For example, I use [Tor Browser](https://torproject.org/) everywhere and
download it directly from their website. They have signed it using GPG (a
OpenPGP implementation) and to ensure it hasn't been tampered with, I have to
check that signature and I have two options:

- I can always
  [verify the signature](https://support.torproject.org/tbb/how-to-verify-signature/),
  but that takes time and I would need to verify it from both
  [support.torproject.org](https://support.torproject.org/tbb/how-to-verify-signature/)
  and
  [4bflp2c4tnynnbes.onion](http://4bflp2c4tnynnbes.onion/#how-to-verify-signature).
  But what if
  [they were compromised or I was under a MITM attack or lazy and verfied only one version](https://www.qubes-os.org/faq/#should-i-trust-this-website)?
- (or) I could verify the signing key carefully once, sign (or certify) it by
  myself and in the future simply verify that my own key is valid (as I have
  been doing this a few times on the other side of dualbooting and at family).

This second method is also
[encouraged by Tails](https://tails.boum.org/install/expert/usb/index.en.html).

What if I am wrong and trust the wrong key? I think I am less likely to trust a
wrong key by verifying it carefully and signing it once than verifying it
separately every time. However if I do sign a wrong key, I can always revoke my
signature and then publish the key with my revocation signature on public
keyservers (which I don't usually do, while I cannot control what people do with
the signatures from this repository).

## Inclusion policy

- I am reasonably certain that the key belongs to whom it claims to belong to or
  I trust the key to belong to whomever it belongs to.
- I have some need of the key or have attended keysigning party with the key
  owner.
- `me/me.asc` is just my key and place where I try to keep all signatures it has
  received. Symlinks are legacy reasons and other me's are also me.

## Places to check for keys

- GitHub, Gitea and GitLab expose user public keys when you append a `.gpg`
  after their profile page (`.keys` for SSH).
- [The Internet Archive's Waybackmachine](https://web.archive.org/) is always a
  good place too especially when using together with official websites.
- Some people have similar projects or webpages for this purpose
  - [Artemis' verify page](https://artemislena.eu/services/verify.html)

## Mirrors

- main:
  [git.blesmrt.net/Mikaela/pgp-alt-wot](https://gitea.blesmrt.net/mikaela/pgp-alt-wot/)
- [git.piraattipuolue.fi/Mikaela/pgp-alt-wot](https://git.piraattipuolue.fi/mikaela/pgp-alt-wot)
- [git.com.de/Mikaela/pgp-alt-wot](https://git.com.de/mikaela/pgp-alt-wot)
  ([onion](http://gitea.qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion/Mikaela/pgp-alt-wot))

## See also

- [Qubes OS: On Digital Signatures and Key Verification](https://www.qubes-os.org/security/verifying-signatures/)
- [Finnish Digital and Population Services Agency certificate search](https://dvv.fineid.fi/certificate-search)
  - S/MIME, not OpenPGP though
Description
No description provided
Readme 611 KiB
Languages
Public Key 98.4%
Text 1.6%