# Publishing your canonical PGP key

Before anchoring any evidence, the public must be able to fetch your signing key without trusting you. Do this once.

## Step 0 — Reconcile keys

You have two fingerprints in public circulation today. Pick one as canonical and either:

- Revoke the other and publish the revocation certificate (generate it with `gpg --gen-revoke`, import it locally, and re-send the now-revoked key to every keyserver it was ever uploaded to, so a verifier who fetches the old key sees it as revoked), or
- Sign a public cross-attestation from each key to the other so a verifier can walk between them. Sign one text with both keys (gpg accepts `--local-user` more than once, so a single clearsign run yields one message carrying both signatures) and save it as `canonical/key-cross-attestation.txt.asc`. Keep it in the repo rather than relying on the keys certifying each other's UIDs: keys.openpgp.org does not distribute third-party certifications, so a cross-signature would not be visible there.

Until this is done, any verifier who reaches your evidence will reasonably ask which fingerprint is correct.

Pick `CANONICAL_FPR` before continuing:

```bash
CANONICAL_FPR=4A041F506D894F5EE391743864878B56A2EB2D11   # or the 6DCB… fingerprint
```

## Step 1 — Export the public key (ASCII-armored)

```bash
gpg --armor --export "$CANONICAL_FPR" > canonical/jgoyd-pgp-public.asc
```

Commit this file to `/canonical/` in the public repo.

## Step 2 — Upload to multiple independent keyservers

```bash
# keys.openpgp.org — verified-email keyserver, the default modern hub
gpg --keyserver hkps://keys.openpgp.org --send-keys "$CANONICAL_FPR"
# You will receive an email at the UID address; click the link to publish the UIDs.
# Until you do, the key is served by fingerprint only, with no user IDs attached.

# Ubuntu (SKS-style)
gpg --keyserver hkps://keyserver.ubuntu.com --send-keys "$CANONICAL_FPR"

# MIT (SKS-style, legacy but still queried by many clients)
gpg --keyserver hkps://pgp.mit.edu --send-keys "$CANONICAL_FPR"
```

The SKS-style servers accept any upload unchecked, so anyone can push a key bearing your name and email address; treat them as availability mirrors, not identity witnesses. Their value is that all three return the same key for the same fingerprint. A verifier should therefore fetch by full fingerprint, never by name or email, and compare what each server returns.

## Step 3 — Cross-publish the fingerprint everywhere it can be checked

Place the same fingerprint string in:

- `github.com/JGoyd` profile README, mirroring the `/canonical/index.md` committed there.
- `keybase.io/` profile (if used).
- LinkedIn "About" section.
- Substack bio.
- Mastodon / Bluesky profile bio.
- A DNS TXT record on a domain you own, e.g.:

  ```
  _pgp.your-domain.example. IN TXT "openpgp-fingerprint=4A041F506D894F5EE391743864878B56A2EB2D11"
  ```

  This record name is an ad hoc convention that no resolver or client interprets on its own, but it ties the fingerprint to a domain whose ownership the registrar and DNS operator record independently of any account you control. The standardized DNS form is the RFC 7929 OPENPGPKEY record, which publishes the key itself under `_openpgpkey.<domain>`.

- If you control a TLS-served site on that domain, also publish a Web Key Directory entry under `/.well-known/openpgpkey/` (specified by draft-koch-openpgp-webkey-service; WKD is not RFC 7929, which is the DNS mechanism above). GnuPG's `--locate-keys` consults WKD by default, so verifiers obtain the key over TLS from your domain with no keyserver in the path.

The more independent fingerprint witnesses, the harder it becomes to fake your key: an attacker would have to alter every witness at once, and a single disagreeing witness is itself a signal.

## Step 4 — Sign an attestation file linking the key to your identity

```bash
cat > canonical/identity-attestation.txt <<'TXT'
I, Joseph R. Goydish II, attest that the OpenPGP key with fingerprint
4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11
is my canonical signing key for all evidence published under github.com/JGoyd.

Cross-references:
- github.com/JGoyd (profile)
- github.com/JGoyd/Running-Ledger
- keys.openpgp.org
- keyserver.ubuntu.com
- pgp.mit.edu
TXT

gpg --local-user "$CANONICAL_FPR" --clearsign canonical/identity-attestation.txt
```

`--clearsign` writes `canonical/identity-attestation.txt.asc`; commit it to the public repo. Then OpenTimestamps-anchor it with `ots stamp canonical/identity-attestation.txt.asc`, which writes `canonical/identity-attestation.txt.asc.ots`. Commit that proof as well, and run `ots upgrade` on it once the calendar's Bitcoin commitment has confirmed, so the proof verifies without contacting the calendar. The fingerprint written inside the attestation and the key that signs it must be the same key; a verifier should check both, since a valid signature from some other key over this text proves nothing.

## Step 5 — Verify, as a third party would

From a clean machine:

```bash
gpg --keyserver hkps://keys.openpgp.org --recv-keys 4A041F506D894F5EE391743864878B56A2EB2D11
gpg --verify canonical/identity-attestation.txt.asc
```

Expect `Good signature` with a UID showing the expected name and email address (if no UID appears, the email verification in Step 2 was never completed). On a clean keyring gpg will also warn that the key is not certified with a trusted signature and print a `Primary key fingerprint:` line; the warning is expected, and the fingerprint line is what to check. `Good signature` alone only proves that some key carrying that UID signed the file, so compare the printed fingerprint against the witnesses from Step 3 and against the fingerprint written inside the attestation text. Scripts should use `gpg --status-fd 1` and read the fingerprint from the `VALIDSIG` line rather than parse the human-readable output.
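The checks a third-party verifier would script around Steps 3 to 5, as an added example that is not part of the original page or the JGoyd repository. It relies only on GnuPG's documented `--status-fd` line format; the status output, attestation text and TXT record it operates on are constructed samples, not captured from a real run, and the `1111…`/`FFFF…` fingerprints are placeholders for a signing subkey and a look-alike key. To run it live, feed `status_valid_sig` the output of `gpg --status-fd 1 --verify canonical/identity-attestation.txt.asc 2>/dev/null` and `dns_txt_fpr` the output of `dig +short TXT _pgp.your-domain.example`.

```shell
#!/usr/bin/env bash
# Added example: offline verifier-side checks for the canonical-key procedure.
# Sample data below is CONSTRUCTED; only the GnuPG --status-fd format is real.

CANONICAL_FPR=4A041F506D894F5EE391743864878B56A2EB2D11

# Strip spaces/colons and uppercase so "4a04 1f50 ..." and "4A041F50..." compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'; }

# status_valid_sig STATUS_TEXT EXPECTED_PRIMARY_FPR
# GOODSIG ("Good signature") only says *some* key verified the data. VALIDSIG carries
# full fingerprints, and its LAST field is the primary key, which is what matters when
# a signing subkey made the signature. Succeeds iff a VALIDSIG line names the expected key.
status_valid_sig() {
  local status=$1 want line fpr
  want=$(normalize_fpr "$2")
  while IFS= read -r line; do
    case $line in
      "[GNUPG:] VALIDSIG "*)
        fpr=${line##* }                       # last whitespace-separated field
        [ "$(normalize_fpr "$fpr")" = "$want" ] && return 0 ;;
    esac
  done <<EOF
$status
EOF
  return 1
}

# attestation_fpr TEXT: first 40-hex fingerprint (spaced or unspaced) in the signed body.
attestation_fpr() { printf '%s\n' "$1" | grep -oE '([0-9A-Fa-f]{4} ?){10}' | head -n 1; }

# dns_txt_fpr RECORD: pull the fingerprint out of a `dig +short TXT` answer such as
#   "openpgp-fingerprint=4A04..."   (the page's ad hoc TXT convention)
dns_txt_fpr() { local r=${1#\"}; r=${r%\"}; printf '%s' "${r#openpgp-fingerprint=}"; }

# witnesses_agree CANONICAL "source=fpr"...: 0 iff every witness shows CANONICAL.
# Disagreeing sources are reported so the verifier knows which witness to distrust.
witnesses_agree() {
  local want bad=0 w
  want=$(normalize_fpr "$1"); shift
  for w in "$@"; do
    if [ "$(normalize_fpr "${w#*=}")" != "$want" ]; then
      printf 'MISMATCH %s: %s\n' "${w%%=*}" "${w#*=}" >&2
      bad=1
    fi
  done
  return "$bad"
}

# ---- constructed samples (placeholder fingerprints, made-up timestamps) ----
# Good signature by a signing subkey (1111...) of the canonical primary key.
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 64878B56A2EB2D11 Joseph R. Goydish II
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-01 1704067200 0 4 0 22 10 01 4A041F506D894F5EE391743864878B56A2EB2D11
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Equally "good" signature from a look-alike key (FFFF...) carrying the same name.
STATUS_IMPOSTOR='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF Joseph R. Goydish II
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-01-01 1704067200 0 4 0 22 10 01 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
ATTESTATION='I, Joseph R. Goydish II, attest that the OpenPGP key with fingerprint
4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11
is my canonical signing key for all evidence published under github.com/JGoyd.'
TXT_RECORD='"openpgp-fingerprint=4A041F506D894F5EE391743864878B56A2EB2D11"'

# verify_all STATUS ATTESTATION_TEXT TXT_RECORD "keyserver=fpr": every link must hold.
verify_all() {
  status_valid_sig "$1" "$CANONICAL_FPR" &&
  [ "$(normalize_fpr "$(attestation_fpr "$2")")" = "$CANONICAL_FPR" ] &&
  witnesses_agree "$CANONICAL_FPR" "dns=$(dns_txt_fpr "$3")" "$4"
}

if verify_all "$STATUS_GOOD" "$ATTESTATION" "$TXT_RECORD" "keys.openpgp.org=$CANONICAL_FPR"; then
  echo "PASS: signature, attestation text and witnesses all name $CANONICAL_FPR"
fi
if ! verify_all "$STATUS_IMPOSTOR" "$ATTESTATION" "$TXT_RECORD" "keys.openpgp.org=$CANONICAL_FPR"; then
  echo "REJECTED (as intended): 'Good signature' from a key that is not the canonical one"
fi
```

The impostor case is the one the page's Step 5 wording would let through: `gpg --verify` prints `Good signature` for it because the look-alike key really did sign the file. Only the fingerprint comparison, taken from `VALIDSIG` and matched against the attestation text and the out-of-band witnesses, separates the two.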