this post was submitted on 21 Jan 2024
This is an automated archive.

The original was posted on /r/sysadmin by /u/TheCrazyPhoenix416 on 2024-01-21 18:15:53+00:00.


Question

I have two PGP public keys for the same company - one from their website, the other from the Hockeypuck keyserver.

These keys are different! 😨😱

Though, at least, the session encryption modulus (n) and exponent (e) are the same.

How do I verify if either key is trustworthy?

Details

I was browsing through IVPN's website and came across their warrant canary report with a link to their PGP public key to download. The question is, how can I verify the public key I download is trustworthy?

I downloaded this key from their website, and found the same PGP public key on the Hockeypuck keyservers. If they match, the key is probably trustworthy, but they aren't the same.

I've looked through the PGP key packets (using ), and they're mostly the same. The RSA session encryption keys (i.e. modulus n and exponent e) are the same. However, they have mismatched signature packets (though most are the same too).

Can anyone explain what this means?
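An added example, not part of the original post and not code from IVPN or any keyserver: an OpenPGP v4 fingerprint is computed over the public-key packet alone (RFC 4880, section 12.2), so two copies of a key can carry different signature packets and still have the same fingerprint. The sketch below parses two binary keyrings, compares fingerprints and counts the signature packets unique to each copy; every function name and sample value is an assumption constructed for illustration.

```python
import hashlib

def read_packets(data):
    """Yield (tag, body) for each packet in binary (de-armored) OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled here")
            width = 1 << ltype                  # 1, 2 or 4 length octets
            length = int.from_bytes(data[i:i + width], "big"); i += width
        yield tag, data[i:i + length]
        i += length

def summarize(data):
    """Return (v4 key fingerprints, SHA-256 digests of signature packets)."""
    fprs, sigs = [], set()
    for tag, body in read_packets(data):
        if tag in (6, 14) and body[:1] == b"\x04":   # v4 public key or subkey
            hashed = b"\x99" + len(body).to_bytes(2, "big") + body  # RFC 4880, 12.2
            fprs.append(hashlib.sha1(hashed).hexdigest().upper())
        elif tag == 2:                               # signature packet
            sigs.add(hashlib.sha256(body).hexdigest())
    return fprs, sigs

def compare(a, b):
    (fa, sa), (fb, sb) = summarize(a), summarize(b)
    return {"same_keys": fa == fb, "only_in_a": len(sa - sb), "only_in_b": len(sb - sa)}

# Constructed sample data (toy modulus, opaque signature bodies), not a real key.
def mpi(n): return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
def pkt(tag, body): return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body
def make_key(n): return pkt(6, b"\x04" + (1705860953).to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(65537))
UID = pkt(13, b"Example Org <security@example.com>")
WEBSITE_COPY = make_key(2**255 + 19) + UID + pkt(2, b"constructed-sig-A") + pkt(2, b"constructed-sig-B")
KEYSERVER_COPY = make_key(2**255 + 19) + UID + pkt(2, b"constructed-sig-A") + pkt(2, b"constructed-sig-C")
```

Key files are usually ASCII-armored, so convert them to binary first (for example with `gpg --dearmor`) before passing the bytes to `compare`.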
