What is PGP and Why Should You Care?
PGP (Pretty Good Privacy) is a method of encrypting and digitally signing messages to ensure confidentiality and authenticity. It’s widely used by developers, security enthusiasts, and privacy-conscious individuals to protect communications and verify identities.
I mostly use PGP to sign messages and files—kind of like leaving a digital fingerprint saying “Yep, this is really from me.” If someone ever hands you a suspicious-looking file claiming it’s mine, you can use my public key to verify it wasn’t sent by a coffee-fueled imposter. Go ahead, download the key and impress your inner cybersecurity nerd.
My PGP Public Key 🔑
If you’d like to verify a file or message I’ve signed—or maybe even send me an encrypted message worthy of a spy movie—you’ll need my PGP public key. It’s essentially the “trust anchor” you’ll use to check whether a signature really came from me, and not some sleep-deprived AI clone.
You can download my public key here. It comes in handy when you want to verify digital signatures I’ve made or encrypt something before sending it my way.
Below, you’ll also find my key fingerprint, which is a short and human-readable way to confirm the key’s authenticity—think of it like the license plate of a digital identity.
# Fingerprint
9F61 4934 931F 3DA4 C13B 14CE 224B B560 9863 4140
# Key ID
0x98634140
# Valid Until
29 May 2027
PGP Signature Verification 🕵️
So, you’ve got a message or file from me and want to make sure it wasn’t tampered with—or worse, sent by an imposter pretending to be me (rude!). This is where PGP signature verification shines.
First, grab my public key (if you haven’t already), import it into your GPG keyring, and then verify the message. Whether it’s a clear-signed message or a detached signature file, GPG’s got your back.
Here's how to do it, step by step:
# Step 1: Download my public key (if you haven't already)
wget https://berkealp.net/berkealp-net.asc
# Step 2: Import the key into your local GPG keyring
gpg --import berkealp-net.asc
# Step 3a: To verify a clear-signed message (PGP block is part of the message)
gpg --verify message.txt
# Step 3b: To verify a detached signature (separate .sig file)
gpg --verify message.txt.sig message.txt
Try It Yourself 🧪
Here's a sample clear-signed message you can use to practice verifying with my public key:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This is a test message from Berke Alp.
-----BEGIN PGP SIGNATURE-----
=iznf
-----END PGP SIGNATURE-----
Save this message to a file (e.g., test-message.txt) and run:
gpg --verify test-message.txt
If everything’s set up correctly, you’ll see a message like this:
gpg: Signature made Cum 30 May 2025 09:29:33 +03
gpg: using RSA key 9F614934931F3DA4C13B14CE224BB56098634140
gpg: Good signature from "Berke Alp Çalışkan (Domain: berkealp.net) <[email protected]>" [ultimate]
This means the message hasn't been tampered with, and it was really signed by me.
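A "Good signature" line only says that some key in your keyring made the signature, so it is worth tying the result back to the fingerprint published above. The sketch below is an added example, not the author's own script: it checks the downloaded key file against that fingerprint before import and then confirms that the verified signature came from the same key. The function names are hypothetical, the sample records are constructed, and it assumes a GnuPG version that has `--show-keys`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of gpg or this site.
EXPECTED_FPR="9F614934931F3DA4C13B14CE224BB56098634140"  # page fingerprint, spaces removed

# Primary-key fingerprints from `gpg --with-colons` key listings on stdin.
# Only the fpr record right after a pub record counts; subkey fprs are skipped.
primary_fprs() {
  awk -F: '$1=="pub"{p=1;next} $1=="fpr"&&p{print $10} {p=0}'
}

# Primary-key fingerprint (last field) of each VALIDSIG line in --status-fd output.
validsig_fprs() {
  awk '$1=="[GNUPG:]" && $2=="VALIDSIG"{print $NF}'
}

# Succeeds only if stdin holds exactly one fingerprint and it equals EXPECTED_FPR.
only_expected() {
  got=$(cat)
  [ "$got" = "$EXPECTED_FPR" ]
}

# After step 1: inspect the downloaded file without importing it.
key_file_ok() {
  gpg --batch --with-colons --show-keys "$1" 2>/dev/null | primary_fprs | only_expected
}

# Step 3: verify, then confirm which key made the signature.
# Usage: signature_ok message.txt   or   signature_ok message.txt.sig message.txt
signature_ok() {
  out=$(gpg --batch --status-fd 1 --verify "$@" 2>/dev/null) || return 1
  printf '%s\n' "$out" | validsig_fprs | only_expected
}

# Constructed sample input in gpg's machine-readable formats (not captured output).
SAMPLE_COLONS='pub:-:4096:1:224BB56098634140:1748586573:::-:::scESC:
fpr:::::::::9F614934931F3DA4C13B14CE224BB56098634140:
sub:-:4096:1:0123456789ABCDEF:1748586573::::::e:
fpr:::::::::00000000000000000000000000000000DEADBEEF:'
SAMPLE_STATUS='[GNUPG:] GOODSIG 224BB56098634140 constructed uid
[GNUPG:] VALIDSIG 9F614934931F3DA4C13B14CE224BB56098634140 2025-05-30 1748586573 0 4 0 1 10 01 9F614934931F3DA4C13B14CE224BB56098634140'
```

On a keyring where this key has not been certified or marked as trusted, gpg shows `[unknown]` instead of `[ultimate]` and warns that the key is not certified with a trusted signature. The signature can still be good in that case, which is why the fingerprint comparison is the check that matters.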