
My PGP Key

This page describes how to retrieve and verify my PGP public key. These instructions are for GnuPG (GPG), but other OpenPGP implementations should work similarly.

I use PGP primarily for signing software which I distribute. All source tarballs and Git tags created by me after June 1, 2014 should be signed with this key. You can also use this key to encrypt sensitive email to me.

Details

Type: PGPv4, 4096-bit RSA
Primary UID: Andrew Ayer <agwa@andrewayer.name>
Fingerprint: EF5D 84C1 838F 2EB6 D896 8C04 1037 8EFC 2080 080C

Getting My Key

From a public key server

gpg --keyserver hkp://pool.sks-keyservers.net --recv-key 0xEF5D84C1838F2EB6D8968C0410378EFC2080080C

From my website

Alternatively, download my public key and import it into GPG:

gpg --import 0xEF5D84C1838F2EB6D8968C0410378EFC2080080C.pub.asc

Verifying My Key

It is important that you verify that the key you downloaded actually belongs to me.

Best Option: Use my Business Card

Since June 2014, my key's fingerprint is printed on my business cards. If you have one of my business cards, and you are confident it came from me, you can verify that the key you downloaded has the same fingerprint as is listed on my business card. To calculate the fingerprint of the key you downloaded, run:

gpg --fingerprint agwa@andrewayer.name

Make sure the "Key fingerprint" that it outputs matches the fingerprint on my business card.

Second-Best Option: Use the Debian Keyring (for Debian/Ubuntu users)

Since my key has been signed by several Debian Developers, you can check my key against the Debian keyring if you are a Debian or Ubuntu user.

First, install the debian-keyring package if it's not already installed.

Then, check my key's signatures using the Debian keyring:

gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs agwa@andrewayer.name

You should look for the string "sig!" next to the ID of someone who is not me.
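The check above is easy to get wrong by eye: a "sig!" on my own self-signature proves nothing, and a "sig?" means GPG could not find the signer's key at all. The script below is an added example (not from this page or from GPG) that applies the same rule mechanically using GPG's machine-readable colon output. It assumes OWN_KEYID is the long key ID of the key being checked, which is the last 16 hex digits of the fingerprint above; the sample records in the test are constructed, and the Debian Developer key ID in them is a placeholder.

```shell
#!/bin/sh
# Added example, not from the page. Counts good third-party certifications on a
# key as reported by "gpg --check-sigs" in --with-colons format.
# Assumption: OWN_KEYID is the long key ID of the key under test, i.e. the last
# 16 hex digits of the fingerprint published on the page.
OWN_KEYID="10378EFC2080080C"

# Read "--with-colons --check-sigs" records on stdin and print how many "sig"
# records are good ("!" in the validity field) and were made by a key other
# than the one being checked. Colon record layout: type:validity:len:algo:keyid:...
count_third_party_good_sigs() {
    own="$1"
    n=0
    while IFS=: read -r type validity _len _algo keyid _rest; do
        [ "$type" = "sig" ] || continue
        [ "$validity" = "!" ] || continue   # "?" = signer's key unknown, "-" = bad
        [ "$keyid" != "$own" ] || continue  # skip the key's own self-signatures
        n=$((n + 1))
    done
    echo "$n"
}

# Run the real check against the Debian keyring and succeed only if at least
# one signature from a key in that keyring (other than the key itself) verified.
debian_keyring_check() {
    uid="$1"
    n=$(gpg --batch --with-colons \
            --keyring /usr/share/keyrings/debian-keyring.gpg \
            --check-sigs "$uid" 2>/dev/null | count_third_party_good_sigs "$OWN_KEYID")
    [ "$n" -ge 1 ]
}

if [ "$#" -ge 1 ]; then
    if debian_keyring_check "$1"; then
        echo "OK: $1 carries a verified third-party signature"
    else
        echo "FAIL: no verified third-party signature on $1" >&2
        exit 1
    fi
fi
```

Run it as sh check-debian-sigs.sh agwa@andrewayer.name after installing debian-keyring. Because the function only counts "!" records, a key that merely carries many unverifiable signatures still fails the check.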

Second-Best Option: Use the Web of Trust (for advanced users)

My key is signed by other people who have vouched for my identity. If you know how to use the Web of Trust, you can use it to verify my key.

Weakest Option: Trust this Website

You can verify that the key you downloaded has the same fingerprint as is listed at the top of this page, provided that this page was served over HTTPS from my domain name. HTTPS provides some assurance that the page has not been altered. However, HTTPS is only as secure as the public certificate authority system. Thus you should consider this the weakest way to verify my key.

To calculate the fingerprint of the key you downloaded:

gpg --fingerprint agwa@andrewayer.name

Make sure the "Key fingerprint" that it outputs matches the fingerprint at the top of this page.

Using My Key

Once you have retrieved and verified my PGP key, you can use it to authenticate software that you have downloaded.

To verify a tarball, download both the tarball and the signature file (SIGFILE) to the same directory and run gpg --verify SIGFILE. Examine the output carefully for confirmation that the signature is good and came from my key.

To verify a Git tag (TAG), run git tag --verify TAG. Examine the output carefully for confirmation that the signature is good and came from my key.
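"Examine the output carefully" is the step people skip, and "Good signature" on its own only tells you that some key in your keyring signed the file, not which one. The script below is an added example (not from this page, GnuPG or Git) that pins verification to the fingerprint at the top of this page using GPG's --status-fd output, so it succeeds only when the VALIDSIG record names that key, either directly or as the primary key of a signing subkey. It assumes the fingerprint is copied from the page with the spaces removed, that detached signature files sit beside the file they sign, and that git verify-tag --raw is available to expose the same status lines for tags; the status lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the page. Pins signature verification to the
# fingerprint published on the page instead of relying on a visual read of
# gpg's human-readable output.
EXPECTED_FPR="EF5D84C1838F2EB6D8968C0410378EFC2080080C"

# Read GnuPG --status-fd records on stdin and succeed only if a VALIDSIG record
# names the expected key: field 1 is the fingerprint of the key that signed,
# field 10 the fingerprint of its primary key (when a subkey signed).
# GOODSIG alone is not enough: it reports a known key signed, not which one.
check_status() {
    expected="$1"
    found=0
    while read -r prefix keyword f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 _rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                if [ "$f1" = "$expected" ] || [ "$f10" = "$expected" ]; then
                    found=1
                fi
                ;;
            BADSIG|ERRSIG|REVKEYSIG|EXPKEYSIG)
                return 1   # bad, unverifiable, revoked-key or expired-key signature
                ;;
        esac
    done
    [ "$found" = 1 ]
}

# Tarball check: SIGFILE is a detached signature next to the tarball it covers.
# Status records go to stdout (the pipe); gpg's normal messages stay on stderr.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$1" | check_status "$EXPECTED_FPR"
}

# Git tag check: "git verify-tag --raw" prints gpg's status records on stderr,
# so swap the streams before feeding them to the same parser.
verify_git_tag() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | check_status "$EXPECTED_FPR"
}

if [ "$#" -ge 1 ]; then
    if verify_tarball "$1"; then
        echo "OK: $1 was signed by the pinned key"
    else
        echo "FAIL: $1 was not signed by the pinned key" >&2
        exit 1
    fi
fi
```

Usage: sh verify-pinned.sh foo-1.0.tar.gz.asc for a tarball, or call verify_git_tag v1.0 from a sourced shell. The parser treats any BADSIG, ERRSIG, REVKEYSIG or EXPKEYSIG record as failure even if a matching VALIDSIG also appears, so a signature from an expired or revoked copy of the key is rejected rather than waved through.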