Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

That's very thorough, thank you!

I understand all those things in general, but I don't know the specific mechanism by which my local PGP install recognizes who else trusts this PGP key. I grant you that if the key is protected from MITM then all is well. I just still don't know this part:

What mechanism do I use, I who have no prior encounter with that key and no existing PGP setup or connection to any web, to validate that key?

I'm sure this is just a lack of familiarity with PGPs web of trust implementation, but lacking this info, I too just opted to trust the plain HTTP download (until I switched to Cygwin/OpenSSH to make it a moot point anyway).




Generally, you'd need to have a match (or chain) between keys you do trust and those signing a given key.

In general, I fetch signatures of keys and may add some of these as partially trusted if they're very well known keys.

A bit of bash scripting that helps with this:

    gpg --list-sigs <key ID>  | grep 'not found' |
        cut -c 13-22 | sort -u |
        xargs --max-args 10 gpg --recv-keys
xargs speeds the process by requesting multiple keys at a time. I think keeping that below 20 keys helps keep the keyservers happy. Sort + uniq eliminates duplicate requests of the same key.

You cannot run parallel processes as your local gpg instance cannot do concurrent updates to the keyring.


For those already using PGP, that sounds great. For me, who is not using PGP, my set of trusted keys is currently empty. So it is unverified.

Which, arguably, might be safer than being overly trusting of my "trusted CAs", which is verified by a flawed system.

I guess I'm still not thrilled wih my options overall, but thank you for your time explaining how to use PGP.


The WoT is both PGP's strength and weakness. Lacking anything else, key security staff for various Linux distributions and key EFF members isn't a bad starting point for this. Assigning those "marginal" trust means that you'd have to have three of those signing a given key to trust it.


Ah, now that is what I was looking for but didn't know how to ask. A few starting points I might trust would go a long way.


Never mind, I see a higher ranked comment got an answer to this. I see the concept of keys signing keys and gpg --list-sigs. (Still no idea who might be at the end of that chain that I could actually verify though.)




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: