PGP Verification — Mirror List Authentication
Pretty Good Privacy (PGP) signatures provide cryptographic proof that a published onion hostname list was signed by the holder of a particular private key. This article documents the verification workflow analysts use before citing DrugHub endpoints in research — independent of any clearnet domain branding.
Key fingerprint
The connectivity reference publishes this fingerprint for mirror-list signing keys:
A7F3 9C2E 1B84 D560 4E8A 7F21 0C93 5D6E B1A4 8F72
Compare character by character after import. A single hex mismatch indicates the wrong key or a tampered export.
Importing the key
- Install GnuPG (Gpg4win/Kleopatra on Windows, GPG Suite on macOS, gnupg package on Linux).
- Fetch the public key from a keyserver using the fingerprint, or import a .asc file from a trusted offline source.
- Mark the key as ultimately trusted only after out-of-band fingerprint confirmation.
Verifying signatures
Detached signature files (e.g. mirrors.asc) accompany hostname lists. Run:
gpg --verify mirrors.asc mirrors.txt
Expected output includes "Good signature from" followed by the user ID of the signing key, along with the primary key fingerprint. Confirm that the printed fingerprint matches the one above: "Good signature" on its own only means that some key in your keyring produced the signature, not that it was the right key. If verification fails, discard the hostname list — do not connect to or cite those strings.
Failure modes
- Wrong key imported. Key files with similar names circulate on paste sites; always verify the fingerprint.
- Expired subkey. Check key rotation notes on the Security page.
- Cleartext list without signature. Unsigned lists are documentation-only; treat them as unverified.
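The following script is an added example, not part of this page or any project's tooling. It shows how to turn the verification step and the failure modes above into a decision a script can make: instead of grepping the human-readable "Good signature" text, it parses the machine-readable status lines that `gpg --status-fd 1 --verify mirrors.asc mirrors.txt` emits and accepts a list only when GnuPG reports GOODSIG and the VALIDSIG fingerprint equals the fingerprint confirmed out of band. Expired keys (EXPKEYSIG), revoked keys, bad signatures and missing public keys are each reported as a distinct reject reason. The fingerprints and status lines in the demo are constructed placeholders, not real keys; `gpg` itself is not needed to run the script.

```shell
#!/bin/sh
# Added example: decide whether a GnuPG verification result should be trusted
# by parsing the "[GNUPG:] ..." status lines GnuPG prints with --status-fd.
# A signature is accepted only if it is GOOD *and* made by the expected key.

# Normalise a fingerprint for comparison: drop spaces, upper-case the hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# verify_status EXPECTED_FINGERPRINT
# Reads status lines from stdin (the output of
#   gpg --status-fd 1 --verify mirrors.asc mirrors.txt).
# Prints one verdict line; returns 0 only for ACCEPT.
verify_status() {
    expected=$(norm_fpr "$1")
    good=0 matched=0 reason=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)
                good=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # Field 3: fingerprint of the key that made the signature
                # (possibly a subkey). Last field: primary-key fingerprint.
                sig_fpr=$(printf '%s\n' "$line" | awk '{print $3}')
                pri_fpr=$(printf '%s\n' "$line" | awk '{print $NF}')
                if [ "$sig_fpr" = "$expected" ] || [ "$pri_fpr" = "$expected" ]; then
                    matched=1
                fi ;;
            "[GNUPG:] BADSIG "*)    reason="signature does not match the data" ;;
            "[GNUPG:] EXPKEYSIG "*) reason="signing key or subkey has expired" ;;
            "[GNUPG:] REVKEYSIG "*) reason="signing key has been revoked" ;;
            "[GNUPG:] NO_PUBKEY "*) reason="signing key is not in the keyring" ;;
            "[GNUPG:] ERRSIG "*)    [ -n "$reason" ] || reason="signature could not be checked" ;;
        esac
    done
    if [ "$good" = 1 ] && [ "$matched" = 1 ]; then
        printf 'ACCEPT: good signature from expected key %s\n' "$expected"
        return 0
    fi
    # A GOODSIG from some other key is the case a plain grep would miss.
    if [ "$good" = 1 ]; then
        reason="good signature, but from a key other than $expected"
    fi
    printf 'REJECT: %s\n' "${reason:-no signature found}"
    return 1
}

# Demo on constructed status output (placeholder fingerprints, not real keys).
demo() {
    expected="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    fpr_ok="0123456789ABCDEF0123456789ABCDEF01234567"
    fpr_other="FEDCBA9876543210FEDCBA9876543210FEDCBA98"
    # Good signature from the expected key.
    printf '%s\n' "[GNUPG:] GOODSIG 89ABCDEF01234567 Placeholder Signer" \
        "[GNUPG:] VALIDSIG $fpr_ok 2024-01-01 1704067200 0 4 0 22 8 00 $fpr_ok" \
        | verify_status "$expected" || :
    # Good signature, wrong key: must be rejected.
    printf '%s\n' "[GNUPG:] GOODSIG FEDCBA9876543210 Look-alike Signer" \
        "[GNUPG:] VALIDSIG $fpr_other 2024-01-01 1704067200 0 4 0 22 8 00 $fpr_other" \
        | verify_status "$expected" || :
    # Expired subkey: GnuPG reports EXPKEYSIG instead of GOODSIG.
    printf '%s\n' "[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Placeholder Signer" \
        "[GNUPG:] VALIDSIG $fpr_ok 2024-01-01 1704067200 0 4 0 22 8 00 $fpr_ok" \
        | verify_status "$expected" || :
}
demo
```

In a real workflow, pipe the live output of `gpg --status-fd 1 --verify mirrors.asc mirrors.txt` into `verify_status` with the out-of-band fingerprint and only use the hostname list when it returns 0.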