The TorZon Handbook

a reader's guide
Edition  2026 · kept by hand
Chapter II

Chapter II. PGP verification

Signatures, keys, common errors

A phishing clone can copy every pixel of the TorZon login page. The only thing it cannot copy is the operator PGP signature that comes with every published rotation. Verifying that signature once per rotation is what tells you the address in the message really came from the operator, not from an attacker.

§1. What verification proves

PGP verification is a cryptographic check. If a signature validates against the operator public key you already have on your keyring, the message it wraps really came from the key holder, and nothing in the message has been altered since signing. If it does not validate, the message is fake, and the address inside is worthless.

§2. The four commands

Import the operator public key once. Save the signed rotation to a text file. Run gpg --verify on the file. Compare the onion inside the message to the current mirror set on the mirror list.

1. gpg --import torzon.asc          # once per keyring
2. save envelope to rotation.txt    # begin/end pgp signed message
3. gpg --verify rotation.txt        # exit 0 = trust address inside
4. compare onion to current list    # match wins

Success looks like Good signature from "TorZon <operator@...>". A trust-level warning is normal. It only means you have not personally signed the operator key, which is expected. What matters is Good signature.

§3. Kleopatra path for Windows

Kleopatra ships with Gpg4win on Windows. Import the operator key file the same way (File → Import). Save the signed rotation as rotation.txt. Right-click the file in the file manager, pick More GpgEX options → Verify. A window pops up saying either the signature is valid or the file has been modified. Same principle as gpg on the command line, different button.

§4. Common errors

§5. Fetch the key from a source you already trust

The public key must come from a source that is independently reliable. If you get the key from the same page as the new address, and both live on a phishing site, both match and the check passes with a fake key. Two safe sources: the pinned Dread profile of the operator, and the /pgp path on the login page of a mirror you already know works. Cross-check the fingerprint from both. If they agree, import the key. Never re-fetch.

§6. Once, then never again

You import the operator public key one time. After that, every future rotation gets verified against the same fingerprint. No forum handle, no chat message, no directory can push a fake address on you once the operator key is on your keyring. This is the whole point of the PGP model.