Awazon mirror status markAwazon Mirror Statusverified onion pool
Safety and verification

Verifying a PGP signature

What a signature proves, and the check that proves it.

A PGP signature on the mirror list is how you know an address came from Awazon and not an impersonator. Here is what it proves and how to check it.

What it proves

Two things at once. That the message was signed by the holder of a specific private key, and that not one byte has changed since. For a mirror list, the addresses inside provably came from whoever holds the market key.

The trust anchor

The check is only as good as the key you check against. Fetch the market key once from two independent places, cross-check the fingerprint, and import it. Do not re-fetch it each time, because that is another chance to be handed the wrong key.

Running it

Save the signed list, run the verify with GnuPG, and look for the line that says the signature is good and names the market key. That line is the result. A warning that you have not certified the key is normal. A bad-signature line means the list was altered, and you trust none of it.