How Can I Obtain Public Keys for Verifying Signatures?

Asked By CuriousCoder87 On

I'm feeling a bit lost with how PGP keys function. I initially used Tor for verification and got a "Good signature" response. Now, I'm trying to do it with the ConnectBot app from F-Droid using just an APK and ASC file, but the guidance on how to get public keys is all over the place. Some say to just contact the creator directly, others suggest getting it from their official website. If there's no key to copy-paste, should I even attempt signing? It's been tricky even with AI assistance.

3 Answers

Answered By Keymaster101 On

With PGP/RSA encryption, you generate a pair of keys: one public and one private. You keep the private key secret and share the public one. So, to verify someone’s signature, you need to get their public key. The usual method is asking them directly, or they might have it listed on their website. It's vital to ensure you're getting the right public key from a trustworthy source!

RandomUser57 -

So public keys are just those long strings, right? Why don’t they make it easier to find them instead of hiding them in .asc files?

Answered By SkepticalSeeker On

Honestly, there aren't many great solutions for this, and the ones that exist aren't widely adopted. Some public servers allow for key sharing, but they lack guarantees about the authenticity of keys. Typically, you'll want to either get a key in person or from a secure website. The 'Web of Trust' approach is tricky to scale, and right now, PGP Certificate Authorities are also not widely used. This is partly why some platforms have moved away from using PGP signatures entirely.

LearningLass -

I suspected there could be fake keys out there; I’m really new to this whole key exchange process. I’ll definitely read more about it. Thanks for the heads-up!

Answered By TrustyTechnician On

PGP relies on a 'Web of Trust.' If you trust the site you downloaded the signature from, you might not need to verify the signing key, but it would only work like an unsigned message digest in that case. Just remember that as a beginner, it's good to double-check that you're using reliable sources!

NewbieInNeed -

I’m just starting with verification myself and don’t fully understand the 'Web of Trust' yet. I’ve heard it can bring up warnings about untrusted signatures, which can be confusing.
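Added worked example, not code from the thread, from ConnectBot or from F-Droid: a toy model of the verification the answers above describe. It makes visible the point raised by SkepticalSeeker and TrustyTechnician, that the signature arithmetic succeeds for any consistent key pair, so "Good signature" only means something once the verifying key's fingerprint has been matched against one obtained out of band. The keys are textbook RSA built from fixed Mersenne primes, the "fingerprint" is a SHA-256 stand-in for the OpenPGP one, and the APK bytes are constructed; none of this is how real PGP keys or fingerprints are produced, it only lets the example run offline.

```python
# Added example: toy model of detached-signature verification (textbook RSA,
# no padding, fixed primes). NOT OpenPGP and NOT secure; illustration only.
import hashlib

E = 65537  # common RSA public exponent


def make_keypair(p, q):
    """Textbook RSA: public key (n, e), private key (n, d). Constructed toy."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def fingerprint(pub):
    """Stand-in for an OpenPGP fingerprint: a digest over the public key material.
    (Real OpenPGP v4 fingerprints are SHA-1 over the key packet; this is SHA-256
    over the toy (n, e) encoding and is NOT compatible with gpg output.)"""
    n, e = pub
    blob = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha256(blob).hexdigest().upper()


def sign(data, priv):
    """Detached signature: hash of the file raised to d mod n."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")  # < 2**256 < n
    return pow(h, d, n)


def verify(data, sig, pub):
    """The arithmetic gpg --verify performs: does sig^e mod n equal the file hash?
    Returns True for ANY consistent key pair, whether genuine or attacker-made."""
    n, e = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(sig, e, n) == h


def verify_download(data, sig, pub, pinned_fpr):
    """The check a user should actually make: signature math AND key identity.
    pinned_fpr is the fingerprint obtained out of band (project site, in person)."""
    if not verify(data, sig, pub):
        return "bad"
    if fingerprint(pub) != pinned_fpr:
        return "good-unpinned"  # gpg would still print "Good signature" here
    return "good-pinned"


# Fixed primes so the example is deterministic: Mersenne primes 2^127-1 and 2^521-1
# for the developer, 2^89-1 and 2^607-1 for the attacker (gcd(E, phi) = 1 for both).
DEV_PUB, DEV_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
ATT_PUB, ATT_PRIV = make_keypair(2**89 - 1, 2**607 - 1)

# Constructed stand-in file contents; a real APK would be read with open(path, "rb").
GENUINE_APK = b"PK\x03\x04 connectbot-release.apk (constructed bytes)"
TAMPERED_APK = b"PK\x03\x04 connectbot-release.apk + backdoor (constructed bytes)"

# The fingerprint the user copied from a trusted, out-of-band source.
PINNED_FPR = fingerprint(DEV_PUB)

# What the developer publishes: the APK and its detached .asc signature.
GENUINE_SIG = sign(GENUINE_APK, DEV_PRIV)
# What an attacker who can swap the download publishes: a tampered APK, a
# signature made with their own key, and their own public key to "verify" with.
ATTACKER_SIG = sign(TAMPERED_APK, ATT_PRIV)

if __name__ == "__main__":
    print("genuine apk + genuine sig + genuine key  :", verify(GENUINE_APK, GENUINE_SIG, DEV_PUB))
    print("tampered apk + attacker sig + attacker key:", verify(TAMPERED_APK, ATTACKER_SIG, ATT_PUB))
    print("pinned check, genuine download           :", verify_download(GENUINE_APK, GENUINE_SIG, DEV_PUB, PINNED_FPR))
    print("pinned check, attacker download          :", verify_download(TAMPERED_APK, ATTACKER_SIG, ATT_PUB, PINNED_FPR))
    print("pinned check, tampered apk + genuine sig :", verify_download(TAMPERED_APK, GENUINE_SIG, DEV_PUB, PINNED_FPR))
```

The second line of output is the trap: the attacker's bundle verifies cleanly because it is internally consistent, which is exactly what TrustyTechnician means by "only an unsigned message digest" when the key itself is taken from the same place as the download. With real tools the same two checks are `gpg --import` of the developer's key file, comparing the `gpg --fingerprint` output with the fingerprint published somewhere the attacker cannot also rewrite, and only then `gpg --verify ConnectBot.apk.asc ConnectBot.apk`.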
