JGoyd/scripts/publish_pgp_key.md
2026-05-18 22:58:05 -07:00

Publishing your canonical PGP key

Before anchoring any evidence, the public must be able to fetch your signing key without trusting you. Do this once.

Step 0 — Reconcile keys

You have two fingerprints in public circulation today. Pick one as canonical and either:

  • Revoke the other and publish the revocation certificate, or
  • Sign a public cross-attestation from each key to the other so a verifier can walk between them. Save it as canonical/key-cross-attestation.txt.asc.

Until this is done, ANY verifier who encounters your evidence will reasonably ask which fingerprint is the correct one.

Pick CANONICAL_FPR before continuing:

CANONICAL_FPR=4A041F506D894F5EE391743864878B56A2EB2D11   # or the 6DCB… fingerprint

Step 1 — Export the public key (ASCII-armored)

gpg --armor --export "$CANONICAL_FPR" > canonical/jgoyd-pgp-public.asc

Commit this file to /canonical/ in the public repo.

Step 2 — Upload to multiple independent keyservers

# keys.openpgp.org — verified-email keyserver, the default modern hub
gpg --keyserver hkps://keys.openpgp.org --send-keys "$CANONICAL_FPR"
# You will receive an email at the UID address; click the link to publish the UIDs.

# Ubuntu (SKS-style)
gpg --keyserver hkps://keyserver.ubuntu.com --send-keys "$CANONICAL_FPR"

# MIT (SKS-style, legacy but still queried by many clients)
gpg --keyserver hkps://pgp.mit.edu --send-keys "$CANONICAL_FPR"

Step 3 — Cross-publish the fingerprint everywhere it can be checked

Place the same fingerprint string in:

  • github.com/JGoyd profile README, with a mirror of /canonical/index.md committed there.
  • keybase.io/<handle> profile (if used).
  • LinkedIn "About" section.
  • Substack bio.
  • Mastodon / Bluesky profile bio.
  • DNS TXT record on a domain you own — e.g.:
    _pgp.your-domain.example.  IN  TXT  "openpgp-fingerprint=4A041F506D894F5EE391743864878B56A2EB2D11"
    
    This ties the fingerprint to a domain whose control is witnessed by a registrar, not by you alone.
  • If you control a TLS-served site, publish a /.well-known/openpgpkey/... Web Key Directory entry per RFC 7929.

The more independent witnesses publish the same fingerprint, the more places an attacker would have to compromise to pass off a substitute key as yours.

Step 4 — Sign an attestation file linking the key to your identity

cat > canonical/identity-attestation.txt <<'TXT'
I, Joseph R. Goydish II, attest that the OpenPGP key with fingerprint
4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11
is my canonical signing key for all evidence published under github.com/JGoyd.

Cross-references:
  - github.com/JGoyd (profile)
  - github.com/JGoyd/Running-Ledger
  - keys.openpgp.org
  - keyserver.ubuntu.com
  - pgp.mit.edu
TXT
gpg --local-user "$CANONICAL_FPR" --clearsign canonical/identity-attestation.txt

Commit canonical/identity-attestation.txt.asc to the public repo. OpenTimestamps-anchor it: ots stamp canonical/identity-attestation.txt.asc.

Step 5 — Verify, as a third party would

From a clean machine:

gpg --keyserver hkps://keys.openpgp.org --recv-keys 4A041F506D894F5EE391743864878B56A2EB2D11
gpg --verify canonical/identity-attestation.txt.asc

Expect: Good signature and a UID matching the email address on the key.
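An added checker for this step (not part of the original file): it reads gpg's machine-readable --status-fd output and accepts the attestation only when a VALIDSIG line's primary-key fingerprint equals CANONICAL_FPR, because "Good signature" is printed for any key in the local keyring, including a look-alike imported by mistake. The status lines, the listing format helper's input and the subkey fingerprint 0123…4567 are constructed samples; the email address is a placeholder.

```python
import re
import subprocess

CANONICAL_FPR = "4A041F506D894F5EE391743864878B56A2EB2D11"  # canonical fingerprint from the page
HEX40 = re.compile(r"^[0-9A-F]{40}$")

def normalize_fpr(text: str) -> str:
    """Accept '4A04 1F50 ...' (attestation form) or lowercase; return 40 hex chars."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not HEX40.match(fpr):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {text!r}")
    return fpr

def primary_fpr_from_colons(listing: str) -> str:
    """Primary fingerprint from `gpg --with-colons --fingerprint`: the first
    'fpr' record after 'pub' (later 'fpr' records belong to subkeys)."""
    after_pub = False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            after_pub = True
        elif f[0] == "fpr" and after_pub:
            return normalize_fpr(f[9])
    raise ValueError("no primary-key fingerprint in listing")

def validsig_primary_fprs(status: str) -> list:
    """Primary-key fingerprint of each VALIDSIG line in --status-fd output.
    Field 1 is the signing key (often a subkey); the trailing field, when
    present, is the primary key, which is what the canonical fingerprint names."""
    found = []
    for line in status.splitlines():
        p = line.split()
        if len(p) >= 3 and p[0] == "[GNUPG:]" and p[1] == "VALIDSIG":
            found.append(normalize_fpr(p[11] if len(p) >= 12 else p[2]))
    return found

def signed_by_canonical(status: str, canonical: str = CANONICAL_FPR) -> bool:
    return normalize_fpr(canonical) in validsig_primary_fprs(status)

def verify_attestation(asc_path: str, canonical: str = CANONICAL_FPR) -> bool:
    """Run gpg and judge from its machine-readable status, not the human-readable text."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", asc_path],
                          capture_output=True, text=True)
    return signed_by_canonical(proc.stdout, canonical)

# Constructed sample: a signature by hypothetical subkey 0123...4567 whose primary key is canonical.
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 64878B56A2EB2D11 Joseph R. Goydish II <user@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2026-05-18 1779170000 0 4 0 22 10 01 4A041F506D894F5EE391743864878B56A2EB2D11
"""
```

Call verify_attestation("canonical/identity-attestation.txt.asc") on the clean machine after the --recv-keys step; a False result means the signature chains to some other primary key even if gpg printed "Good signature".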