Although I use Keybase to link my online identities together, I do not use Keybase for my main GPG keys; this is because I do not like their implementation.

The fingerprint of my key is 9810820D97C63B9A1C5DDF1530EBFFC640B94A5D

Whenever my key is updated, the keyservers are most likely to be updated before any other source. Therefore I recommend loading my key from a server such as:

https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9810820d97c63b9a1c5ddf1530ebffc640b94a5d

Load the key into your environment with this command:

gpg --keyserver keyserver.ubuntu.com --recv-keys 9810820D97C63B9A1C5DDF1530EBFFC640B94A5D

After importing the key, please ensure that you run the following command and check the full fingerprint matches the fingerprint above:

gpg --fingerprint [email protected]

If you obtain my key from the Ubuntu keyserver listed above, you can run the following command to update it:

gpg --refresh-keys --keyserver keyserver.ubuntu.com

Since I update the expiration on my keys yearly, this command should be run at least yearly to ensure you do not use outdated keys.

The keys expired briefly in 2025, but are now refreshed and able to be used again. I also recently added a TXT record to my domain with the fingerprint for additional verification, you can see it by doing a TXT lookup for gpg-fingerprint.jhewitt.net. Eg, on Linux:

dig txt gpg-fingerprint.jhewitt.net

Alternatively, using nslookup:

nslookup -q=txt gpg-fingerprint.jhewitt.net

To prove I control this key, check the following message (updated September 2025):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I, Joseph Hewitt (jhewitt.net), confirm control of the GPG key with fingerprint 9810820D97C63B9A1C5DDF1530EBFFC640B94A5D

This message was signed on 2025-09-19.

For more information about my key and signing policy, please see https://jhewitt.net/gpg_key

The fingerprint of this GPG key is also published as TXT DNS record here: gpg-fingerprint.jhewitt.net

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQQQhaILf1x2t3R1h6dnZA+fA1kAVAUCaM2iLgAKCRBnZA+fA1kA
VIY7AQDxwoM0zcP9DWdl53VTSRanyJt4KEWJPFcKu7eizrDkYAD/WbRS4GT4GLPB
NfqQ+/oWgdhN77vQt9Qb+RtJdFcyMAc=
=WuaS
-----END PGP SIGNATURE-----

Although my GPG key is not linked to Keybase, I did sign a message with my Keybase identity to link this GPG key to my established Keybase identity:

BEGIN KEYBASE SALTPACK SIGNED MESSAGE. kXR7VktZdyH7rvq v5weRa0zkDXf5M0 AJRa9G8uXAHGcXY kwqy4yI26Xptwh1 DlfrVqCSgwoPGdN 6R7YQOcGjgE2N8G Yot0hAB5NfJgleZ 4k6GDrfW0XSGXtT 6fY8AuNHGUKoeVj YgN7ziTyOLBzral l6qtRbGSwc3Z6Ig oG88Tfkmdm1BBzQ e1nvs01ngNlZGGi Cvg2lPEWnOf6CvD GU72WO3lnN14ArB jCKjJXKbiqywC0o DYXhAHLBrmivjeu vH27eYuNUwrqr0w 65qft4YrZZ4lMS4 DFsz5PgxPQGUhkL BSinqnz7c0uIRPg k9JfMCz09NG2AsA NMqBebBqylfpqx7 gdO45GJ3QqEF2Ca oJu5tWkCDjANE8f R6GAO30jmJjmP04 1MEvtOYiunawGwX 8eCg5pWAbC0IhEk wmgmWFfbkDO0FGn viviL28Uqc2G36E MwfXDT2SH1vxpOw UenCERmAGf0TOiA d3W2JQFLzg1mp4c pG2IDfDTYKJf5dg YYWP4fCRM5yzX3y FYEXPhhfM4. END KEYBASE SALTPACK SIGNED MESSAGE.

I rarely sign other people's keys. However, I always do it in the most strict way possible. Government identification will be checked, I will also check the person I am signing has access to the email address on the key in addition to checking they are able to sign messages with the key. I will also check the relation between the person and the domain of the email address in the key (assuming it is not a generic email provider)

Essentially I am only signing keys where I am very sure nothing suspicious is happening and that the key owner maintains their key(s) properly.