Verify Signed Content

Content signatures are currently enabled for this site. The active signing key is C8B4098974629448.

Yes, this page is signed too.

This website publishes OpenPGP clear-signed copies of article and standalone page source files. The visible Signature: Download Copy links near the top of signed pages let you retrieve the actual armored file and verify it for yourself.

What Is Signed?

For articles and standalone pages, the signed payload contains:

  • Reader-facing frontmatter fields, when present: title, menu, publishDate, updatedDate, category, and tags
  • The Markdown or MDX body content

The following parts of the website are not signed:

  • The final rendered HTML layout
  • Navigation, headers, footers, and styling
  • JavaScript behavior
  • Images, audio, and other downloadable media

The subtle gray OpenPGP text shown above and below signed pages is only a visual indicator. For real verification, use the downloaded .asc file.

What You Need

To verify a page:

  1. Download the signed .asc file from the page itself.
  2. Download the public key linked above (or in the footer).
  3. Import the public key into your OpenPGP software.
  4. Verify the .asc file.

Trusting The Key

The public key linked on this website is convenient, but it should not be the only place you trust.

If this site were ever compromised, an attacker could theoretically replace both the page content and the hosted public key. Because of that, it is a good idea to compare the fingerprint from this site with the same key published somewhere else that is harder to fake all at once.

Good cross-check sources include:

  • OpenPGP keyservers
  • My GitHub-hosted public key endpoint: https://github.com/kylxbn.gpg
  • Any other profile or repository of mine where the same fingerprint is published

The safest habit is to compare fingerprints across more than one source before treating the key as trusted.
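One way to automate that comparison, as an added example that is not this site's own tooling: it takes the machine-readable listing that `gpg --show-keys --with-colons <keyfile>` prints for each downloaded copy of the key and accepts the key only if every source yields the same primary fingerprint and that fingerprint ends in the key ID shown on this page. The function names and both sample fingerprints are constructed for illustration; the real full fingerprint is not given on this page.

```python
# Added example: cross-check one key's fingerprint across several sources.
# Input text per source comes from: gpg --show-keys --with-colons <keyfile>
KEY_ID = "C8B4098974629448"  # key ID shown on the page (not a full fingerprint)

def primary_fingerprints(colons: str) -> list[str]:
    """Return primary-key fingerprints from gpg --with-colons output."""
    fprs, after_primary = [], False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sec"):
            after_primary = True   # the next fpr record is the primary key's
        elif fields[0] in ("sub", "ssb"):
            after_primary = False  # fpr records after this belong to a subkey
        elif fields[0] == "fpr" and after_primary and len(fields) > 9:
            fprs.append(fields[9].upper())
            after_primary = False
    return fprs

def cross_check(sources: dict[str, str], key_id: str = KEY_ID) -> str:
    """Return the fingerprint every source agrees on, else raise ValueError."""
    if len(sources) < 2:
        raise ValueError("compare at least two independent sources")
    seen = {}
    for name, colons in sources.items():
        fprs = primary_fingerprints(colons)
        if len(fprs) != 1:
            raise ValueError(f"{name}: expected one primary key, found {len(fprs)}")
        seen[name] = fprs[0]
    if len(set(seen.values())) != 1:
        raise ValueError(f"fingerprint mismatch between sources: {seen}")
    fpr = next(iter(seen.values()))
    # For v4 keys the key ID is the last 16 hex digits of the fingerprint.
    if not fpr.endswith(key_id.upper()):
        raise ValueError(f"{fpr} does not end in expected key ID {key_id}")
    return fpr

def sample_listing(fpr: str) -> str:
    """Constructed colon listing for one primary key (not real gpg output)."""
    return f"pub:-:255:22:{fpr[-16:]}:1700000000:::-:::scESC:\nfpr{':' * 9}{fpr}:\n"

# Constructed placeholder fingerprints; the real one is not given on the page.
GOOD = "AAAABBBBCCCCDDDDEEEEFFFF" + KEY_ID
SWAPPED = "111122223333444455556666" + "0123456789ABCDEF"

if __name__ == "__main__":
    print(cross_check({"site": sample_listing(GOOD), "github": sample_listing(GOOD)}))
    try:
        cross_check({"site": sample_listing(SWAPPED), "github": sample_listing(GOOD)})
    except ValueError as err:
        print("rejected:", err)
```

A 16-digit key ID alone is a weak identifier, so once the sources agree, record the full fingerprint the check returns and compare against that on later visits.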

Linux

Most Linux distributions provide GnuPG as gpg.

gpg --import content-signing-public-key.asc
gpg --verify article.asc

If the signature is valid, gpg prints a "Good signature" line and shows the signing key information.

macOS

macOS can verify the files the same way if you have GnuPG installed.

If gpg is already available in Terminal:

gpg --import content-signing-public-key.asc
gpg --verify article.asc

If you prefer a GUI workflow, you can also use a macOS OpenPGP app that supports importing the public key and verifying a clear-signed file.

Windows

On Windows, the easiest approach is usually Gpg4win, which includes Kleopatra.

You can:

  1. Import the public key into Kleopatra.
  2. Download the signed .asc file.
  3. Use Kleopatra to verify the file.

If you have gpg available in PowerShell or Command Prompt, the command-line flow is very similar:

gpg --import .\content-signing-public-key.asc
gpg --verify .\article.asc

Why Bother?

This makes it possible to independently verify that the signed source text was published by me and was not modified after signing.

It does not mean the entire rendered page source is cryptographically sealed. It is intentionally focused on the actual written content plus the core reader-facing metadata.

That balance keeps the signatures useful, stable, and easy to verify.