Go to file
2023-05-09 13:33:23 +03:00
crypto-exchange add crypto-exchange/kraken-{ads,support}.asc 2020-02-22 00:21:51 +02:00
effi effi: add README.md to avoid ambiguosity 2020-01-28 13:37:01 +02:00
email-cloaking add email-cloaking/anonaddy.asc 2020-03-03 17:18:43 +02:00
feneas feneas: add hq-feneas-org.asc 2020-03-21 10:32:56 +02:00
friends friends: add ccx 2022-06-24 21:48:25 +03:00
gnupg gnupg: add {andre,niibe,werner}.asc 2021-09-15 19:03:36 +03:00
me me.asc: update with UIDs and signatures 2022-06-24 22:37:50 +03:00
minisign minisign: add own public key & releated things 2021-06-09 23:51:59 +03:00
ncsc-fi ncsc-fi: add advisory, news and signing keys 2020-02-22 00:29:27 +02:00
pirates fix names 2021-02-13 16:59:19 +02:00
privacytools privacytools: update jonah.asc 2020-02-22 11:59:21 +02:00
services services: add creep.im.asc 2020-05-09 16:37:21 +03:00
software software/deb.torproject.org.asc: refresh 2023-01-23 08:24:03 +02:00
vpn vpn: add mullvad-code.asc & mullvad-support.asc 2020-02-22 00:34:28 +02:00
.editorconfig configure pre-commit 2023-05-09 13:33:23 +03:00
.gitattributes add simple .gitattributes & .editorconfig 2023-02-17 14:33:13 +02:00
.pre-commit-config.yaml configure pre-commit 2023-05-09 13:33:23 +03:00
me.asc update README & me/ & add my Unicus key 2020-03-13 19:57:48 +02:00
README.md configure pre-commit 2023-05-09 13:33:23 +03:00

pgp-alt-wot

PGP keys signed by me so I dont have to validate the same keys again-and-again and can just trust my own paper verified fingerprint in the subsequent validations.

WoT? Web Of Trust

Why?

For example, I use Tor Browser everywhere and download it directly from their website. They have signed it using GPG (a OpenPGP implementation) and to ensure it hasnt been tampered with, I have to check that signature and I have two options:

This second method is also encouraged by Tails.

What if I am wrong and trust the wrong key? I think I am less likely to trust a wrong key by verifying it carefully and signing it once than verifying it separately every time. However if I do sign a wrong key, I can always revoke my signature and then publish the key with my revocation signature on public keyservers (which I dont usually do, while I cannot control what people do with the signatures from this repository).

Inclusion policy

  • I am reasonably certain that the key belongs to whom it claims to belong to or I trust the key to belong to whomever it belongs to.
  • I have some need of the key or have attended keysigning party with the key owner.
  • me/me.asc is just my key and place where I try to keep all signatures it has received. Symlinks are legacy reasons and other mes are also me.

Places to check for keys

  • GitHub, Gitea and GitLab expose user public keys when you append a .gpg after their profile page (.keys for SSH).
  • The Internet Archives Waybackmachine is always a good place too especially when using together with official websites.
  • Some people have similar projects or webpages for this purpose

Mirrors

See also