Docs/ Verification/ PGP signature check

PGP signature check

Four commands. Once per key. Then never again.

Why the check matters

A phishing clone can copy every pixel of the Anubis login page. The only thing it cannot copy is the operator PGP signature that comes with every published rotation. If a signature validates against the operator public key you already have on your keyring, the address inside came from the operator. If it does not, the message is fake and the address inside is worthless.

The four commands

Import the operator public key once. Save the signed rotation to a text file. Run gpg --verify on the file. Compare the onion inside the message to the current mirror set on reference/mirrors.

1. gpg --import anubis.asc         # once per keyring
2. save envelope to rotation.txt   # begin/end pgp signed message
3. gpg --verify rotation.txt       # exit 0 = trust address inside
4. compare onion to reference      # match wins

Success looks like Good signature from "Anubis <operator@...>". A trust-level warning is normal. It only means you have not personally signed the operator key.

Kleopatra path for Windows

Kleopatra ships with Gpg4win. Import the operator key file the same way (File → Import). Save the signed rotation as rotation.txt. Right-click the file, pick More GpgEX options → Verify. A window pops up saying either the signature is valid or the file has been modified.

Once, then never again

You import the operator public key one time. Every future rotation validates against the same fingerprint. No forum handle, no chat message, no directory can push a fake address on you once the operator key is on your keyring.

tip

Get the operator public key from at least two independent sources (the pinned Dread profile and the /pgp path on any current mirror). Cross-check the fingerprint. Match imports.