GPG Key information

Introduction

Although I use Keybase to link my online identities together, I do not use Keybase for my main GPG keys; this is because I do not like their implementation.

My key

The fingerprint of my key is 9810820D97C63B9A1C5DDF1530EBFFC640B94A5D

Whenever my key is updated, the keyservers are most likely to be updated before any other source. Therefore I recommend loading my key from a server such as:

https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9810820d97c63b9a1c5ddf1530ebffc640b94a5d

Load the key into your environment with this command:

gpg --keyserver keyserver.ubuntu.com --recv-keys 9810820D97C63B9A1C5DDF1530EBFFC640B94A5D

After importing the key, please run the following command and check that the full fingerprint matches the fingerprint above:

gpg --fingerprint [email protected]

If you obtain my key from the Ubuntu keyserver listed above, you can run the following command to update it:

gpg --refresh-keys --keyserver keyserver.ubuntu.com

Since I update the expiration on my keys yearly, this command should be run at least yearly to ensure you do not use outdated keys.
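The fingerprint check described above can be scripted instead of compared by eye. The following is an added example, not part of the original page: it compares the primary-key fingerprint in gpg's `--with-colons` output against the fingerprint stated above. The function names and the two sample listings are constructed for illustration, and a 40-hex-digit (v4) fingerprint is assumed.

```sh
#!/bin/sh
# Added example: pin the full primary-key fingerprint instead of eyeballing it.
EXPECTED_FPR="9810820D97C63B9A1C5DDF1530EBFFC640B94A5D"   # value stated on this page

# Constructed, trimmed --with-colons listings (not real gpg output).
SAMPLE_GOOD='pub:-:::30EBFFC640B94A5D:
fpr:::::::::9810820D97C63B9A1C5DDF1530EBFFC640B94A5D:
sub:-:::1111111111111111:
fpr:::::::::2222222222222222222222221111111111111111:'
# Same 64-bit key ID, different fingerprint; the pinned value appears only on a subkey.
SAMPLE_LOOKALIKE='pub:-:::30EBFFC640B94A5D:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA30EBFFC640B94A5D:
sub:-:::30EBFFC640B94A5D:
fpr:::::::::9810820D97C63B9A1C5DDF1530EBFFC640B94A5D:'

# Strip whitespace and an optional 0x prefix, then uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Print the fingerprint of every primary key in a colon listing on stdin:
# the first fpr record after each pub record. Subkey fpr records are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# check_listing EXPECTED < listing
# 0: exactly one primary key and its fingerprint equals EXPECTED
# 1: mismatch, no key, or more than one primary key
# 2: EXPECTED is not a full 40-hex-digit (v4) fingerprint, e.g. a short key ID
check_listing() {
    want=$(normalize_fpr "$1")
    case "$want" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    got=$(primary_fprs)
    [ "$(printf '%s\n' "$got" | grep -c .)" -eq 1 ] || return 1
    [ "$got" = "$want" ]
}

# Typical use after importing the key:
#   gpg --with-colons --fingerprint "$EXPECTED_FPR" | check_listing "$EXPECTED_FPR"
```

The lookalike sample fails the check even though its key ID is identical, which is why the full fingerprint is compared rather than the short or long key ID.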

Verification

To prove I control this key, check the following message:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

To confirm I have control of this key, I am signing this message :

MY KEY FINGERPRINT:  9810820D97C63B9A1C5DDF1530EBFFC640B94A5D
THIS PAGE URL:             https://jhewitt.net/gpg_key
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQQQhaILf1x2t3R1h6dnZA+fA1kAVAUCZGAHLAAKCRBnZA+fA1kA
VJfvAQD1jB33p5lDxAQBcS0rpvNiTem0OOkLmWlBqOSEq/K1+gD7Bjg/Ac8+FT1S
LY3AuIBO0WLH7anfJltZ27hSPLqfpwk=
=9KWu
-----END PGP SIGNATURE-----

Keybase verification

Although my GPG key is not linked to Keybase, I did sign a message with my Keybase identity to link this GPG key to my established Keybase identity:

BEGIN KEYBASE SALTPACK SIGNED MESSAGE. kXR7VktZdyH7rvq v5weRa0zkDXf5M0 AJRa9G8uXAHGcXY kwqy4yI26Xptwh1 DlfrVqCSgwoPGdN 6R7YQOcGjgE2N8G Yot0hAB5NfJgleZ 4k6GDrfW0XSGXtT 6fY8AuNHGUKoeVj YgN7ziTyOLBzral l6qtRbGSwc3Z6Ig oG88Tfkmdm1BBzQ e1nvs01ngNlZGGi Cvg2lPEWnOf6CvD GU72WO3lnN14ArB jCKjJXKbiqywC0o DYXhAHLBrmivjeu vH27eYuNUwrqr0w 65qft4YrZZ4lMS4 DFsz5PgxPQGUhkL BSinqnz7c0uIRPg k9JfMCz09NG2AsA NMqBebBqylfpqx7 gdO45GJ3QqEF2Ca oJu5tWkCDjANE8f R6GAO30jmJjmP04 1MEvtOYiunawGwX 8eCg5pWAbC0IhEk wmgmWFfbkDO0FGn viviL28Uqc2G36E MwfXDT2SH1vxpOw UenCERmAGf0TOiA d3W2JQFLzg1mp4c pG2IDfDTYKJf5dg YYWP4fCRM5yzX3y FYEXPhhfM4. END KEYBASE SALTPACK SIGNED MESSAGE.

Signing policy

I rarely sign other people's keys. However, I always do it in the strictest way possible. Government identification will be checked. I will also check that the person whose key I am signing has access to the email address on the key, in addition to checking that they are able to sign messages with the key. I will also check the relation between the person and the domain of the email address in the key (assuming it is not a generic email provider).

Essentially I am only signing keys where I am very sure nothing suspicious is happening and that the key owner maintains their key(s) properly.