I saw that people on the dark web would sign their posts with a PGP key to prove that their account has not been compromised. I think I understand the concept of how private and public keys work but I must be missing something because I don’t see how it proves anything.
I created a key and ran gpg --export --armor fizz@… and I ran that twice and both blocks were identical. If I posted my public key block couldn’t someone copy and paste that under their message and claim to be me?
The short answer is no. A bit longer of an answer is that with the public key, anybody can encrypt data. Only the owner(s) of the private key can decrypt the data. That is a key point: encrypted data by itself is meaningless. If you were to attempt to decrypt random data (or change one single character of valid encrypted data), you’d get literal garbage output. But, valid encrypted data and the corresponding private key can always unencrypt back into the original format.
This is why emphasis is always made to never share or expose your private key. Couple the private key with the always-available public key and you’ve got a man-in-the-middle (MitM) attack. This is where an attacker could decrypt the data with the private key, change it, re-encrypt it with the public key, and send it along to the destination without anybody knowing it was altered.
I hope this helps.
This and the other comments in the thread help a lot. It’s very cool technology