  • Don't key signatures go on the uid associated with the public key, as a signature that the claimed owner is genuine? Or are you referring to trust levels for saying how much you trust another person's signature on another key? Commented Mar 10, 2013 at 21:02
  • Are you sure the "data-signing public key which gets copied in the email"? The signature is not the same thing as the public key itself. Commented Mar 22, 2016 at 19:37
  • Normally, emails signed with PGP include some stuff that helps the recipient find out about the sender's key, either a copy of the key itself, or at least a reference to a key server. The recipient should still validate the key (with the WoT, or a phone-call-and-dictate-hash-value), but at least in some cases the signature public key itself is copied in the email. Commented Mar 22, 2016 at 19:44
  • @TomLeek Thanks, but I've learned that what you describe is just the behavior of some OpenPGP email tools like PEP. It would be clearer if the answer just focused on the signature that is appended to the email, as the key itself may or may not be (it is not in my case with the GPGTools plugin for Mac Mail). Commented Jun 15, 2020 at 23:12
  • @AdamPrescott is correct, the certification signatures are on a particular UID, not on the primary key itself (despite what people say when casually talking about a "key signature"). The Web of Trust will indicate the whole "key" is signed if it is a valid, unexpired UID with a valid cert signature and that UID is properly certified by the primary key. Commented Jun 15, 2020 at 23:12
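The point made in the last two comments, that a certification signature is bound to a user ID packet rather than to the key packet, can be seen directly in the packet layout of an exported key. The following is an added example, not code from anyone in this thread: it walks an OpenPGP packet sequence (RFC 4880 old-format headers) and reports what each signature is bound to. The packet bytes are hand-constructed and truncated; they are not a real key and would not verify.

```python
# Added example: walk an OpenPGP packet sequence (RFC 4880 framing, old-format
# headers only) and show that certification signatures (types 0x10-0x13) are bound
# to the user ID packet that precedes them, while only a direct-key signature
# (type 0x1F) is bound to the primary key packet itself.

def read_packets(data: bytes):
    """Yield (tag, body) for each old-format packet with a 1-, 2- or 4-byte length."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0xC0 != 0x80:
            raise ValueError("expected an old-format OpenPGP packet header")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise NotImplementedError("indeterminate length not handled")
        nbytes = 1 << ltype
        length = int.from_bytes(data[i + 1:i + 1 + nbytes], "big")
        i += 1 + nbytes
        yield tag, data[i:i + length]
        i += length

def signature_targets(data: bytes):
    """Return (sig_type, target) pairs naming what each v4 signature is bound to."""
    out, key, uid = [], None, None
    for tag, body in read_packets(data):
        if tag == 6:                       # public-key packet: the primary key
            key = "primary key"
        elif tag == 13:                    # user ID packet
            uid = "uid:" + body.decode("utf-8")
        elif tag == 2 and body[0] == 4:    # v4 signature packet; byte 1 is the signature type
            sig_type = body[1]
            if 0x10 <= sig_type <= 0x13:   # generic/persona/casual/positive certification
                target = uid               # bound to the user ID, not to the key packet
            elif sig_type == 0x1F:         # direct-key signature
                target = key
            else:
                target = "other"
            out.append((sig_type, target))
    return out

# Constructed sample: public key, direct-key sig 0x1F, UID "alice", positive certification 0x13.
SAMPLE = bytes([
    0x98, 0x06, 0x04, 0, 0, 0, 0, 0x01,          # tag 6, 6-byte body (truncated key material)
    0x88, 0x06, 0x04, 0x1F, 0x01, 0x08, 0, 0,    # tag 2, v4 sig, type 0x1F
    0xB4, 0x05, *b"alice",                       # tag 13, "alice"
    0x88, 0x06, 0x04, 0x13, 0x01, 0x08, 0, 0,    # tag 2, v4 sig, type 0x13
])
```

Running `signature_targets(SAMPLE)` returns `[(0x1F, "primary key"), (0x13, "uid:alice")]`; on a real exported key (`gpg --export`), the same walk shows each third-party certification sitting immediately after the UID it certifies.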