Independent encyclopedia — Tor connectivity, endpoints, and verification (not an operator site)

PGP Verification — Mirror List Authentication

Pretty Good Privacy (PGP) signatures provide mathematical proof that a published onion hostname list originated from the holder of a private key. This article documents the verification workflow analysts use before citing DrugHub endpoints in research — independent of any clearnet domain branding.

Key fingerprint

The connectivity reference publishes this fingerprint for mirror-list signing keys:

A7F3 9C2E 1B84 D560 4E8A 7F21 0C93 5D6E B1A4 8F72

Compare character-by-character after import. A single hex mismatch indicates the wrong key or a tampered export.

Importing the key

  1. Install GnuPG (Gpg4win/Kleopatra on Windows, GPG Suite on macOS, gnupg package on Linux).
  2. Fetch the public key from a keyserver using the fingerprint, or import a .asc file from a trusted offline source.
  3. Mark the key as ultimately trusted only after out-of-band fingerprint confirmation.

Verifying signatures

Detached signature files (e.g. mirrors.asc) accompany hostname lists. Run:

gpg --verify mirrors.asc mirrors.txt

Expected output includes "Good signature" from the key matching the fingerprint above. If verification fails, discard the hostname list; do not connect or cite those strings.

Failure modes

  • Wrong key imported. Similar filenames circulate on paste sites; always verify the fingerprint.
  • Expired subkey. Check key rotation notes on the Security page.
  • Cleartext list without signature. Unsigned lists are documentation-only; treat as unverified.
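
An added example (not part of the original article, and not the reference's own tooling): a shell check that pins the signer to the fingerprint above by reading GnuPG's machine-readable status lines instead of the human-readable "Good signature" text, and rejects the wrong-key and expired-key cases listed above. The function names are hypothetical and the status samples are constructed.

```shell
#!/bin/sh
# Fingerprint published on this page for mirror-list signing keys.
PINNED_FPR="A7F3 9C2E 1B84 D560 4E8A 7F21 0C93 5D6E B1A4 8F72"

# check_status PINNED  (hypothetical helper)
# Reads `gpg --status-fd` lines on stdin. Succeeds only if there is exactly
# one VALIDSIG, its primary-key fingerprint equals PINNED, and no status line
# reports a bad, expired, revoked or unverifiable signature.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : $3 }
        END { exit !(n == 1 && !bad && toupper(fpr) == want) }
    '
}

# verify_list SIGFILE DATAFILE  (hypothetical helper)
# Example: verify_list mirrors.asc mirrors.txt || echo "discard list"
verify_list() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output for offline testing (not captured from a real run).
SUB=1111111111111111111111111111111111111111      # constructed subkey fpr
OTHER=2222222222222222222222222222222222222222    # constructed lookalike key
PIN=A7F39C2E1B84D5604E8A7F210C935D6EB1A48F72
TAIL="2024-01-01 1704067200 0 4 0 22 10 00"

SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 constructed signer
[GNUPG:] VALIDSIG $SUB $TAIL $PIN"

# Cryptographically good signature, but made by a different key.
SAMPLE_WRONG_KEY="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 constructed lookalike
[GNUPG:] VALIDSIG $OTHER $TAIL $OTHER"

# Right key, but GnuPG reports the signing key as expired.
SAMPLE_EXPIRED="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 1111111111111111 constructed signer
[GNUPG:] VALIDSIG $SUB $TAIL $PIN"
```

The wrong-key sample is the case that plain `gpg --verify` output makes easy to miss: it still prints "Good signature", just for a key other than the pinned one.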
