Trusted GPG certificate

Question

I have a small question about GPG certificates and certificates authorities.

I am using GnuPG to sign a tarball that I am hosting on my server. I would like that users who wants to download this tarball to be able to encrypt it using my public key. At the moment, I'm storing my public key on another server that I own. There are 2 issues with this:

• The key isn't "trusted", and the user get a warning
• In the same idea, because the key isn't trusted, if the key is maliciously changed, the user won't see anything

I've read a bit about cryptography solutions in the past, and know a little bit how X.509 CA work, but I don't really understand how it is for PGP keys. I've tried to use my SSL (trusted) certificate in GPG, but it always fails (maybe there is an option I haven't found?). If it's not possible to use my SSL certificate, how can I "register" my PGP certificate to a CA?

Thanks!

Best,
Thibault.

Answer 1

For all practical purposes, X.509 certificates and OpenPGP key pairs live in separate worlds. X.509 certificates are trusted hierarchically (building certificate chains) and OpenPGP keys are trusted on peer-to-peer basis.

As the technologies are incompatible, they are not easily replaceable by each other. To let users trust your OpenPGP key, you can publish it in one of OpenPPG key repositories (keyservers), and hope (or suggest) that users do use it as a trusted source of OpenPGP keys.

Alternatively, you can use your server's certificate to create a detached PKCS#7/CMS signature of the archive you distribute, but unlike OpenPGP there are no widespread tools available to check PKCS#7/CMS signatures on end-user computers. (Well, maybe OpenSSL will work for your user audience.) Note that KeyUsage of the server's certificate probably won't be appropriate for signing, so the users will get a warning.

Please note that OpenPGP keys are called "keys", and X.509 certificates are called in this way too. There exist no "pgp certificates" as well as no "ssl certificates".