TorLinks Atlas compass mark TorLinksthe Tor Market Atlas
Field manual

Verifying a signature

What a PGP signature proves, and the two commands that prove it.

Every serious market in this atlas signs its mirror list with a PGP key. Verifying that signature is how you know a published address actually came from the market and not from someone impersonating it. This plate covers what the signature proves and how to check it.

What a signature proves

A PGP signature over a message proves two things at once. That the message was signed by the holder of a specific private key, and that not one byte has changed since it was signed. For a mirror list that means the addresses inside provably came from whoever holds the market key, and nobody has edited them in transit.

The trust anchor

The check is only as good as the key you check against. Fetch the market's public key once, from at least two independent places, cross-check the fingerprint, and import it. After that, every future list verifies against the same key on your keyring. Do not re-fetch the key each time, because re-fetching is another chance for someone to hand you the wrong one.

The two commands

Save the signed list to a file and run the verify against it with GnuPG. Look for the line that says the signature is good and names the market key. That line is the whole result. A warning that the key is not certified by you is normal and expected. A bad-signature line means the list was altered, and you trust none of the addresses in it.

Comparing the addresses

Once the signature checks out, compare the addresses in the verified list against the one in your bar. Match means you are on a genuine address. The signature and the address check are two different defences, and running both closes more than either alone.