Charlie Jonas

Last updated: March 23, 2021
(Key last refreshed on December 30, 2019 with a two-year expiry.)

Before reading this it would probably be worthwhile to note that I’m attempting to move away from PGP; many well-respected cryptographers have voiced their opinions on everything wrong with PGP. People often counter me by mentioning Debian/Ubuntu’s package archive signing or by saying “you should sign your Git commits for authenticity”; I am not Debian/Ubuntu and signing Git commits is not as simple as it sounds. Moving forwards:

17079536 is my primary PGP key. In can be found mirrored in several places on the web in order to corroborate its legitimacy:

It can also be found in my DNS zone file, secured with DNSSEC, which enables some of GnuPG’s automatic key location features. Import my key using any of the following commands (PKA support has been deprecated and removed from recent version of GnuPG so if one of these commands doesn’t work for you then try another):

gpg --auto-key-locate pka --locate-keys
gpg --auto-key-locate dane --locate-keys
gpg --auto-key-locate wkd --locate-keys
curl -sS | gpg --import
gpg --fetch-keys

You should always check the full key fingerprint to ensure that you have the correct key:

$ gpg --list-keys --fingerprint 17079536
pub rsa4096 2019-12-30 [SC] [expires: 2022-12-29]
8CD7 4A23 73F6 3BCB 63C6 7D53 D380 96FC 1707 9536
uid [ultimate] Charlie Jonas <>
sub rsa4096 2019-12-30 [E] [expires: 2022-12-29]

The exact output may vary depending on your operating system, client software and trust settings.