The following is a record of select PGP keys and a description of the distinct methods used to independently verify each. Your mileage may vary.
0xa85a05711d47a724
0x01483f262a4b3ff0
0x9a804e97d7079c77
0x20d04e5a713660a7
0xa0616a85ce41ad88
0x378b845402277962
Key ID: 0x15AF5DAC6D745A60
I'm generally interested in software and systems calibrated for the enterprise environment (and when I say "enterprise," I'm specifically referring to highly used, highly disruptive environments easily targeted by highly trained attackers): so whether it's for personal or professional use, I still treat the software as potentially compromised binaries (i.e. I don't install it) until I can verify its integrity and origin.
Unfortunately, the vendor was unable or unwilling to participate directly in verifying the key by exercising its private key to decrypt a message I had encrypted to their public key, for the following stated reason:
The private component of the signing key is in a vault that we cannot use nor access by normal means as it is used in automation … with these measures in place, we won't be able to decrypt your gpg message.
The key in question here is used to sign releases of the enterprise operating system I was looking to evaluate: Rocky Linux.
Unable to derive assurance from a decrypted message from the vendor, I proceeded to build a logical path to sufficiently verify this key for my purposes:
...5A60):
Using this process, ownership of the following keys was minimally verified, to a reasonable extent for my purposes:
7051 C470 A929 F454 CEBE 37B7 15AF 5DAC 6D74 5A60
091A 4404 7C3D 8B7A 331F 5E18 5489 E42B BBE2 C108
BFC3 D8F2 0D15 F4FD 4628 1D7F AA65 0F52 D6C0 94FA
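The "logical path" above rests on two mechanical facts that are easy to get wrong when a vendor cannot prove possession of the private key: a v4 OpenPGP fingerprint is derived from the public key material you actually hold (SHA-1 over the public-key packet, per RFC 4880), and the 64-bit key ID is nothing more than the low-order 16 hex digits of that fingerprint, so agreement on a key ID alone says little. The script below is an added example, not code from this page or from the Rocky Linux project: it derives a fingerprint and key ID from a constructed (deliberately tiny, non-real) RSA public-key packet, confirms that the page's own key ID 0x15AF5DAC6D745A60 is the tail of the page's fingerprint, and cross-checks the derived fingerprint against constructed stand-ins for copies obtained out of band (vendor site, keyserver, and a look-alike key that shares only the key ID). The RFC 4880 encoding is real; the sample modulus, creation time and channel strings are assumptions so the script runs offline.

```python
"""OpenPGP v4 fingerprint / key ID derivation plus an out-of-band cross-check.

Added example, not code from the page or from the Rocky Linux project.
The RFC 4880 encoding is real; the RSA modulus, creation time and the
"channel" fingerprints below are constructed for an offline run and are
not real keys.
"""
import hashlib
import struct

# Taken from the page: the release key's full fingerprint and long key ID.
PAGE_FINGERPRINT = "7051 C470 A929 F454 CEBE 37B7 15AF 5DAC 6D74 5A60"
PAGE_KEY_ID = "0x15AF5DAC6D745A60"

# Constructed key material (assumption; far too small to be a real RSA key).
SAMPLE_N = 0xD9F1AB4C8E5A2F7B3C6D8E9F1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D
SAMPLE_E = 65537
SAMPLE_CREATED = 1620000000  # fixed so the fingerprint is reproducible


def normalize(fp: str) -> str:
    """Strip spacing, case and a 0x prefix so 'gpg --fingerprint' output compares with raw hex."""
    s = "".join(fp.split()).upper()
    return s[2:] if s.startswith("0X") else s


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-octet bit length, then big-endian bytes (RFC 4880 3.2)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 5.5.2): version, time, algo 1, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || 2-octet body length || body) (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 16 hex digits of the v4 fingerprint."""
    return "0x" + normalize(fingerprint)[-16:]


def gpg_style(fingerprint: str) -> str:
    """Render as gpg prints it: ten groups of four hex digits."""
    s = normalize(fingerprint)
    return " ".join(s[i:i + 4] for i in range(0, len(s), 4))


def cross_check(local_fp: str, channels: dict) -> dict:
    """Require every independently obtained copy to match the FULL fingerprint.
    Matching only the key ID is not enough: 32-bit short IDs are trivially
    collidable and even the 64-bit ID discards 96 bits of the hash."""
    want = normalize(local_fp)
    return {name: normalize(fp) == want for name, fp in channels.items()}


def page_key_id_matches() -> bool:
    """Sanity check on the page's own values: key ID must be the fingerprint's tail."""
    return long_key_id(PAGE_FINGERPRINT) == PAGE_KEY_ID


def run_example() -> dict:
    """Derive the sample key's fingerprint and cross-check it against constructed
    copies standing in for the vendor website, a keyserver and a look-alike key."""
    fp = v4_fingerprint(rsa_public_key_packet_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED))
    prefix = "0" * 24 if fp[:24] != "0" * 24 else "1" * 24
    channels = {  # constructed stand-ins for out-of-band sources
        "vendor_site": gpg_style(fp),    # same key, gpg formatting
        "keyserver": fp.lower(),         # same key, lowercase hex
        "lookalike": prefix + fp[-16:],  # same 64-bit key ID, different key
    }
    return {"fingerprint": fp, "key_id": long_key_id(fp), "checks": cross_check(fp, channels)}


if __name__ == "__main__":
    result = run_example()
    print("fingerprint:", gpg_style(result["fingerprint"]))
    print("key id:     ", result["key_id"])
    for source, ok in result["checks"].items():
        print(f"{source:12s} {'MATCH' if ok else 'MISMATCH'}")
    print("page key ID consistent with page fingerprint:", page_key_id_matches())
```

In practice the channel strings come from sources that do not share a failure mode (the vendor's HTTPS site, a keyserver, the key as shipped inside a release medium obtained separately), and a mismatch on any one of them is a stop, not a warning. None of this replaces the proof of possession the vendor declined to provide; it only shows that several independent parties agree on which key material is being pinned.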