CalvinBackup/JGoyd
1
0
Fork 0
mirror of https://github.com/JGoyd/JGoyd.git synced 2026-06-25 10:39:57 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
JGoyd/scripts/publish_pgp_key.md
T
Joseph R. Goydish II 4ed1ae48b1 JGoyd Public Evidence System: 187 Verifiable Events | 5 CVE Rescores | 27 Global 
Cases
2026-05-18 22:58:05 -07:00

91 lines
3.1 KiB
Markdown
Raw Permalink Blame History

# Publishing your canonical PGP key
Before anchoring any evidence, the public must be able to fetch your signing key
without trusting you. Do this once.
## Step 0 — Reconcile keys
You have two fingerprints in public circulation today. Pick one as canonical
and either:
- Revoke the other and publish the revocation certificate, or
- Sign a public cross-attestation from each key to the other so a verifier can
walk between them. Save it as `canonical/key-cross-attestation.txt.asc`.
Until this is done, ANY verifier hitting your evidence will reasonably ask
which fingerprint is correct.
Pick CANONICAL_FPR before continuing:
```bash
CANONICAL_FPR=4A041F506D894F5EE391743864878B56A2EB2D11 # or the 6DCB… fingerprint
```
## Step 1 — Export the public key (ASCII-armored)
```bash
gpg --armor --export "$CANONICAL_FPR" > canonical/jgoyd-pgp-public.asc
```
Commit this file to `/canonical/` in the public repo.
## Step 2 — Upload to multiple independent keyservers
```bash
# keys.openpgp.org — verified-email keyserver, the default modern hub
gpg --keyserver hkps://keys.openpgp.org --send-keys "$CANONICAL_FPR"
# You will receive an email at the UID address; click the link to publish the UIDs.
# Ubuntu (SKS-style)
gpg --keyserver hkps://keyserver.ubuntu.com --send-keys "$CANONICAL_FPR"
# MIT (SKS-style, legacy but still queried by many clients)
gpg --keyserver hkps://pgp.mit.edu --send-keys "$CANONICAL_FPR"
```
## Step 3 — Cross-publish the fingerprint everywhere it can be checked
Place the same fingerprint string in:
- `github.com/JGoyd` profile README — `/canonical/index.md` mirror committed there.
- `keybase.io/<handle>` profile (if used).
- LinkedIn "About" section.
- Substack bio.
- Mastodon / Bluesky profile bio.
- DNS TXT record on a domain you own — e.g.:
```
_pgp.your-domain.example. IN TXT "openpgp-fingerprint=4A041F506D894F5EE391743864878B56A2EB2D11"
```
This anchors the key to a domain a registrar controls, not you alone.
- If you control a TLS-served site, publish a `/.well-known/openpgpkey/...` Web Key Directory entry per RFC 7929.
The more independent fingerprint witnesses, the harder it becomes to fake your key.
## Step 4 — Sign an attestation file linking the key to your identity
```bash
cat > canonical/identity-attestation.txt <<'TXT'
I, Joseph R. Goydish II, attest that the OpenPGP key with fingerprint
4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11
is my canonical signing key for all evidence published under github.com/JGoyd.
Cross-references:
- github.com/JGoyd (profile)
- github.com/JGoyd/Running-Ledger
- keys.openpgp.org
- keyserver.ubuntu.com
- pgp.mit.edu
TXT
gpg --local-user "$CANONICAL_FPR" --clearsign canonical/identity-attestation.txt
```
Commit `canonical/identity-attestation.txt.asc` to the public repo.
OpenTimestamps-anchor it: `ots stamp canonical/identity-attestation.txt.asc`.
## Step 5 — Verify, as a third party would
From a clean machine:
```bash
gpg --keyserver hkps://keys.openpgp.org --recv-keys 4A041F506D894F5EE391743864878B56A2EB2D11
gpg --verify canonical/identity-attestation.txt.asc
```
Expect: `Good signature` and a UID matching the email address on the key.
Reference in New Issue View Git Blame Copy Permalink