GUIDE STICKY PGP for the absolute beginner — install, generate, sign, verify
This is a no-fluff getting-started guide for PGP / GnuPG. If you have never run a gpg command in your life, this thread takes you through the four operations you actually need: install, generate a keypair, sign a message, and verify a signature.
1. Install GnuPG
- Linux (Debian/Ubuntu): sudo apt install gnupg
- macOS: brew install gnupg
- Windows: download Gpg4win from gpg4win.org. Verify the installer signature against the published Gpg4win release key.
Test it: open a terminal, type gpg --version. You should see GnuPG 2.2 or later.
2. Generate a keypair
Run gpg --full-gen-key. Pick:
- Key type: RSA and RSA (default; broadly compatible).
- Key size: 4096 bits.
- Expiry: 2 years is a sensible default. You can extend later.
- Real name: a handle, not your legal name. The handle is published on the public keyserver if you upload.
- Email: a made-up address is fine. The email is metadata; you do not need a real address.
- Passphrase: a long unique phrase, generated offline, written on paper. Lose this passphrase and you lose the key.
The key generation takes about a minute. Move the mouse / type random keys to feed entropy.
3. Sign a message
To clearsign (signed plaintext): gpg --clearsign message.txt. Output is message.txt.asc, which contains your message wrapped in a PGP signature block.
To detach-sign (binary): gpg --detach-sign --armor file.bin. Output is file.bin.asc, the signature alone, separate from the file.
4. Verify a signature
Pull the public key of whoever signed: gpg --recv-keys 0xKEYID (or import it from a file). Then: gpg --verify message.txt.asc. Read the output. Good signature means the message was signed by the holder of the matching private key and has not changed since. Bad signature means the message was altered or the signature is fake. UNKNOWN means you do not have the public key yet.
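Section 4 says to read the verify output literally. The following is an added example (not from this guide or from GnuPG itself) that reads the machine-readable form of that output so a script can apply the same Good / Bad / UNKNOWN reading and also insist on the fingerprint you expect; it assumes gpg is run with --status-fd 1, and the sample status lines, key ID and fingerprint are constructed placeholders.

```python
"""Parse GnuPG's machine-readable verify output and check the signer's fingerprint.
Run  gpg --status-fd 1 --verify message.txt.asc  and pass stdout lines to
classify_status(). Status keywords are GnuPG's own; sample lines are constructed."""
import re

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

def parse_status(lines):
    """Yield (keyword, args) for every '[GNUPG:] KEYWORD args...' line."""
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if m:
            yield m.group(1), (m.group(2) or "").split()

def classify_status(lines, expected_fpr):
    """One verdict per run. 'good' needs GOODSIG plus a VALIDSIG whose signing-subkey
    or primary-key fingerprint equals expected_fpr; a valid signature from any other
    key is 'good-wrong-key' (the question is "is this the key I expect")."""
    expected = expected_fpr.replace(" ", "").upper()
    verdict, fprs = "no-signature", set()
    for kw, args in parse_status(lines):
        if kw == "BADSIG":
            return "bad"                      # altered content or forged signature
        if kw in ("NO_PUBKEY", "ERRSIG"):
            verdict = "unknown-key"           # public key not imported (or unusable)
        elif kw in ("EXPKEYSIG", "REVKEYSIG"):
            verdict = "expired-or-revoked-key"
        elif kw == "GOODSIG":
            verdict = "good-wrong-key"        # upgraded to 'good' only on fpr match
        elif kw == "VALIDSIG" and args:
            fprs.add(args[0].upper())         # fingerprint of the signing (sub)key
            if len(args) >= 10:
                fprs.add(args[9].upper())     # fingerprint of the primary key
    return "good" if verdict == "good-wrong-key" and expected in fprs else verdict

# Constructed samples: placeholder fingerprint and key ID, not a real key.
SIGNER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_RUN = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Handle <handle@example.invalid>",
    f"[GNUPG:] VALIDSIG {SIGNER_FPR} 2024-01-01 1704067200 0 4 0 1 10 00 {SIGNER_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
BAD_RUN = ["[GNUPG:] BADSIG 0123456789ABCDEF Example Handle <handle@example.invalid>"]
MISSING_RUN = ["[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1704067200 9 -",
               "[GNUPG:] NO_PUBKEY 0123456789ABCDEF"]
```

The point of the extra fingerprint check is that a Good signature from a key you did not expect is still the wrong answer; compare against a fingerprint you recorded out of band, not one printed next to the message.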
The single habit that defeats phishing
Every time you log into a darknet market, copy the signed timestamp block from the login page footer and run gpg --verify. If it returns Good signature with the expected fingerprint, you are on a real mirror. If it returns anything else, close the tab. This is the single most useful habit you can build, takes ten seconds, and defeats every phishing clone we've seen.
Saved this thread. Spent an hour going through it last weekend, generated my key, verified the Nexus timestamp from the login page, all worked first try. Thanks for not assuming we know what an armoured ASCII block is.
Pro tip: keep the private key on a YubiKey or Nitrokey. Never on a daily-driver disk. The hardware token is $50 and pays for itself the first time someone scrapes your machine.
Strong agree. Adding to the guide on the next edit pass. The hardware-token flow is a separate post but the short version is: generate the key on the token, never copy the private key off, sign with gpg --card-edit.
What about Kleopatra on Windows? Is the GUI fine for someone who hates the command line?
Kleopatra is fine. It's the same GnuPG underneath. The only thing the GUI hides is the gpg --verify output, which you do still want to read literally: right-click the .asc, "Verify," read the result, do not click "OK" until you've actually read it.