I'm trying to get a better understanding of how PGP keys work. I first learned to verify signatures using Tor and got a "Good signature" response, but now I'm trying to do it using the ConnectBot app from F-Droid and I'm feeling pretty lost. I see various online suggestions about obtaining public keys: some say to contact the creator directly, others suggest fetching them from official websites. If there's no public key available to copy, should I even bother with signing? I feel like even AI isn't giving me clear answers here.
1 Answer
When using PGP/RSA encryption, you create a key pair: a public key for others to use and a private key that's kept secret. To communicate securely using PGP, you need to get someone else's public key, which you can usually ask for directly or find on their website. It's essential to ensure you trust the source of the key to avoid security risks.
So public keys are just those long strings of letters and numbers, right? But why aren't they more prominently displayed like the .asc files?
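Added example (editor's, not code from the answerer or any project): the sign-and-verify workflow the answer describes, run end to end against throwaway keyrings. It assumes GnuPG 2.1+ is on PATH; the author identity, file names and the "published" fingerprint are constructed, and the point it shows is that "Good signature" only means something once the verifying key's fingerprint has been checked against a copy obtained out of band.

```shell
#!/bin/sh
# Local PGP sign-and-verify walk-through (added example; assumes GnuPG 2.1+).
set -eu

SIGNER_HOME=$(mktemp -d)    # the software author's keyring (holds the private key)
VERIFIER_HOME=$(mktemp -d)  # the downloader's keyring (only ever sees the public key)
WORK=$(mktemp -d)

# 1. Author side: generate a key pair. The private key never leaves SIGNER_HOME.
GNUPGHOME=$SIGNER_HOME gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Example Author <author@example.org>" >/dev/null 2>&1

# 2. Author publishes the PUBLIC key as an ASCII-armoured .asc file: that file is
#    just the "long string of letters and numbers" in a text wrapper.
GNUPGHOME=$SIGNER_HOME gpg --batch --armor --export author@example.org > "$WORK/author.asc"

# 3. Author also publishes the key fingerprint through a second channel
#    (website, conference slide, printed card). Constructed here by reading it back.
PUBLISHED_FPR=$(GNUPGHOME=$SIGNER_HOME gpg --batch --with-colons --fingerprint author@example.org \
    | awk -F: '$1=="fpr"{print $10; exit}')

# 4. Author signs a release, producing a detached signature release.tar.asc.
printf 'pretend release contents\n' > "$WORK/release.tar"
GNUPGHOME=$SIGNER_HOME gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$WORK/release.tar.asc" "$WORK/release.tar"

# Downloader side. Returns 0 only if the imported key's fingerprint matches the
# out-of-band copy AND the detached signature over the file verifies.
verify_release() {
    GNUPGHOME=$VERIFIER_HOME gpg --batch --quiet --import "$WORK/author.asc" 2>/dev/null
    have=$(GNUPGHOME=$VERIFIER_HOME gpg --batch --with-colons --fingerprint author@example.org \
        | awk -F: '$1=="fpr"{print $10; exit}')
    [ "$have" = "$PUBLISHED_FPR" ] || { echo "fingerprint mismatch: do not trust this key"; return 1; }
    GNUPGHOME=$VERIFIER_HOME gpg --batch --verify "$WORK/release.tar.asc" "$WORK/release.tar" 2>/dev/null
}

# A modified file must fail verification even though the signing key is trusted.
verify_tampered() {
    cp "$WORK/release.tar" "$WORK/tampered.tar"
    printf 'one extra byte\n' >> "$WORK/tampered.tar"
    if GNUPGHOME=$VERIFIER_HOME gpg --batch --verify "$WORK/release.tar.asc" "$WORK/tampered.tar" 2>/dev/null; then
        return 1   # a signature over different bytes must never be accepted
    fi
    return 0
}
```

Run it with `sh` and call `verify_release`; the exit status, not the "Good signature" text, is what a script should act on.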