This page provides information about my GPG keys.

I sign my Git commits and software releases with my personal GPG key. This allows anyone to verify that a commit or release was actually made by me.

GPG keys


View on MIT keyserver - Download public key

I am actively using this key, as of .
Expires .


View on MIT keyserver

Not used as of . Superseded by 0xC991E66D062F7FB9.
Do not trust anything signed with this key after .

Used key servers

I distribute my GPG public keys on the following key servers:

You can also download my active public key directly from my website:

Signing my GPG key

If you would like to sign my GPG key to acknowledge its authenticity, follow these steps:

  1. Retrieve my GPG public key from a keyserver:

    gpg --keyserver --recv-keys 0xC991E66D062F7FB9
  2. Verify the fingerprint of the retrieved key:

    gpg --fingerprint 0xC991E66D062F7FB9

    The fingerprint should be 4443 6051 2E05 0CAD 7FA0 05D2 C991 E66D 062F 7FB9.

  3. Sign the key with your private key (passphrase may be required):

    gpg --sign-key 0xC991E66D062F7FB9
  4. Validate your signature:

    gpg --check-sig 0xC991E66D062F7FB9

    Ensure that the “good signature” message is display.

  5. After signing the key, encrypt it with my public key (passphrase may be required):

    gpg --armor --export 0xC991E66D062F7FB9 | gpg -se -r 0xC991E66D062F7FB9 > 0xC991E66D062F7FB9.asc.pgp
  6. Send the signed and encrypted key file (0xC991E66D062F7FB9.asc.pgp) to me via email: [email protected].

  7. Once I receive your email, I will decrypt and import the signed key, then send the key with your signature attached to my used keyservers.

© Joshua Sing. All Rights Reserved.joshuasing/website - main@984f029