I saw that people on the dark web would sign their posts with a PGP key to prove that their account has not been compromised. I think I understand the concept of how private and public keys work but I must be missing something because I don’t see how it proves anything.

I created a key and ran gpg --export --armor fizz@… and I ran that twice and both blocks were identical. If I posted my public key block couldn’t someone copy and paste that under their message and claim to be me?

  • deejay4am@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    2
    ·
    1 year ago

    For signing, it’s backwards - you encrypt with the private key, and then everyone else can decrypt with the public key. If that doesn’t work, they know that the message wasn’t signed by the private key paired with the public key they have, and therefore is invalid and is not to be trusted.

    Signing proves authenticity (only the private key holder can sign), encryption provides privacy (only the private key holder can read)