Chapter II. PGP verification
Signatures, keys, common errors
A phishing clone can copy every pixel of the TorZon login page. The only thing it cannot copy is the operator PGP signature that comes with every published rotation. Verifying that signature once per rotation is what tells you the address in the message really came from the operator, not from an attacker.
§1. What verification proves
PGP verification is a cryptographic check. If a signature validates against the operator public key you already have on your keyring, the message it wraps really came from the key holder, and nothing in the message has been altered since signing. If it does not validate, the message is fake, and the address inside is worthless.
§2. The four commands
Import the operator public key once. Save the signed rotation to a text file. Run gpg --verify on the file. Compare the onion inside the message to the current mirror set on the mirror list.
1. gpg --import torzon.asc # once per keyring
2. save envelope to rotation.txt # begin/end pgp signed message
3. gpg --verify rotation.txt # exit 0 = trust address inside
4. compare onion to current list # match wins
Success looks like Good signature from "TorZon <operator@...>". A trust-level warning is normal. It only means you have not personally signed the operator key, which is expected. What matters is Good signature.
§3. Kleopatra path for Windows
Kleopatra ships with Gpg4win on Windows. Import the operator key file the same way (File → Import). Save the signed rotation as rotation.txt. Right-click the file in the file manager, pick More GpgEX options → Verify. A window pops up saying either the signature is valid or the file has been modified. Same principle as gpg on the command line, different button.
§4. Common errors
- BAD signature, the file has been altered after signing. Do not trust the address inside.
- Can't check signature: No public key, the operator key is not on your keyring yet. Import it first.
- Signature made by different key ID, the message is signed by a key other than the operator. Do not import that key. Do not use the address inside.
- Warning: not certified with a trusted signature, normal. It only means you have not personally signed the key.
§5. Fetch the key from a source you already trust
The public key must come from a source that is independently reliable. If you get the key from the same page as the new address, and both live on a phishing site, both match and the check passes with a fake key. Two safe sources: the pinned Dread profile of the operator, and the /pgp path on the login page of a mirror you already know works. Cross-check the fingerprint from both. If they agree, import the key. Never re-fetch.
§6. Once, then never again
You import the operator public key one time. After that, every future rotation gets verified against the same fingerprint. No forum handle, no chat message, no directory can push a fake address on you once the operator key is on your keyring. This is the whole point of the PGP model.