1.7 KiB
1.7 KiB
pgp-alt-wot
PGP keys signed by me so I don't have to validate the same keys again-and-again and can just trust my own paper verified fingerprint in the subsequent validations.
WoT? Web Of Trust
Example use case for this repository is Tor Browser, I need to download it on most of systems and I need to verify it and it's painful to verify the PGP key all the time, while I can just verify my own fingerprint from paper and see that it has signed the keys. I have done this at least twice on Windowses first installing GPG through Chocolatey.
I don't know if there is point in putting down formal signing requirements, but what has been my policy at the time of writing is:
NOTE: this section is written from memory so may be inaccurate
- friends - knowing for a long time through various connections and seeing at times seeing IDs (or visiting both directions) and otherwise having so deep relationship that lying about identity wouldn't be easily possible
- privacytools - confirmed from the people themselves, their websites, privacytools.io (WKD in git) and similar.
- software - used their verification instructions (of varying strength)
- keepassxc.asc mullvad.asc tails.asc tor-browser-developers.asc yggdrasil.asc
- keepassxc - checked their website through normal and Tor Browser
- mullvad - checked their website and onion
- tails - followed their verification instructions (including checking that it's signed by a Debian developer)
- tor-browser - followed their checking instructions
- yggdrasil - checked their website and comitted apt repo adding to git
TODO:
- add links to the previous section
- add OnionShare?