pgp-alt-wot/README.md

1.7 KiB

pgp-alt-wot

PGP keys signed by me so I don't have to validate the same keys again-and-again and can just trust my own paper verified fingerprint in the subsequent validations.

WoT? Web Of Trust


Example use case for this repository is Tor Browser, I need to download it on most of systems and I need to verify it and it's painful to verify the PGP key all the time, while I can just verify my own fingerprint from paper and see that it has signed the keys. I have done this at least twice on Windowses first installing GPG through Chocolatey.


I don't know if there is point in putting down formal signing requirements, but what has been my policy at the time of writing is:

NOTE: this section is written from memory so may be inaccurate

  • friends - knowing for a long time through various connections and seeing at times seeing IDs (or visiting both directions) and otherwise having so deep relationship that lying about identity wouldn't be easily possible
  • privacytools - confirmed from the people themselves, their websites, privacytools.io (WKD in git) and similar.
  • software - used their verification instructions (of varying strength)
    • keepassxc.asc mullvad.asc tails.asc tor-browser-developers.asc yggdrasil.asc
    • keepassxc - checked their website through normal and Tor Browser
    • mullvad - checked their website and onion
    • tails - followed their verification instructions (including checking that it's signed by a Debian developer)
    • tor-browser - followed their checking instructions
    • yggdrasil - checked their website and comitted apt repo adding to git

TODO:

  • add links to the previous section
  • add OnionShare?