Verify PGP signatures in your browser

Check the authenticity of OpenPGP clearsigned and detached signatures using the signer's public key. The tool tells you who signed the content, when, and whether it was tampered with.

Signature verification confirms three things: the signed content matches what was signed (integrity), the signer holds the corresponding private key (authenticity), and the signing key has not expired or been revoked (validity). The Verify tool checks all three and reports the signing key's fingerprint plus the signature timestamp.

Paste the signed content (clearsigned, ASCII-armored) along with the signer's public key. The result panel shows a green check on success, with the signer's identity and key fingerprint, or a red error explaining why verification failed (wrong key, tampered content, expired key, etc.).

For separate signature files (detached signatures over binary content), use the Detached Sign tool instead — it accepts a file plus its .sig file alongside the public key.

Frequently asked questions

What does "Good signature" mean exactly?
It means the signature was produced by the holder of the private key matching the public key you supplied, and the signed bytes have not been altered since signing. It does not say anything about whether the public key actually belongs to the person you think — that is a trust question, not a cryptographic one.
Why would verification fail?
Common causes: wrong public key, tampered content (even one extra newline can break it), corrupted signature block, or an expired/revoked signing key. The error message names the specific reason.
How do I know the public key really belongs to the signer?
Out-of-band verification: meet in person, video call, fingerprint comparison, web-of-trust signatures, or fetching from a verified keyserver. PGP itself only proves the cryptographic link between the key and the signature.
Does PGP Tool fetch public keys automatically?
Only via the Key Inspector tool, and only when air-gap mode is off. Verify itself never makes network requests.
Are timestamps inside signatures trustworthy?
They are signed, so they cannot be altered after the fact, but they reflect what the signer claimed at sign time — they are not externally certified. For independent timestamping, use the Notary tool.
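
The "tampered content" answer above can be made concrete by looking at which bytes a clearsigned message's signature actually covers. This is an added example, not PGP Tool's own code: it applies the cleartext canonicalization rules of RFC 4880 section 7 (dash-unescaping, trailing spaces and tabs dropped, CRLF line endings) to a constructed sample, and the function names are hypothetical.

```python
import hashlib

# Constructed sample; the signature block is a placeholder, not a real signature.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Release 1.2 is ready.\n"
    "- -- dash-escaped line\n"
    "checksums follow\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDER\n"
    "-----END PGP SIGNATURE-----\n"
)

def signed_bytes(clearsigned: str) -> bytes:
    """Return the canonical text that a clearsigned message's signature covers."""
    lines = clearsigned.replace("\r\n", "\n").split("\n")
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    blank = lines.index("", start)  # empty line that ends the "Hash:" headers
    if blank > end:
        raise ValueError("no blank line between armor headers and text")
    canon = []
    for line in lines[blank + 1:end]:
        if line.startswith("- "):
            line = line[2:]               # undo dash-escaping
        canon.append(line.rstrip(" \t"))  # trailing spaces and tabs are not signed
    # Lines are joined with CRLF; the line break before the signature is excluded.
    return "\r\n".join(canon).encode("utf-8")

def text_digest(clearsigned: str) -> str:
    """SHA-256 of the signed text only, for comparing two copies. A real
    signature hash also covers fields of the signature packet."""
    return hashlib.sha256(signed_bytes(clearsigned)).hexdigest()

if __name__ == "__main__":
    variants = {
        "original": SAMPLE,
        "CRLF line endings": SAMPLE.replace("\n", "\r\n"),
        "trailing spaces": SAMPLE.replace("ready.\n", "ready.  \n"),
        "extra blank line": SAMPLE.replace("follow\n", "follow\n\n"),
    }
    for name, text in variants.items():
        same = text_digest(text) == text_digest(SAMPLE)
        print(f"{name:18} signed text unchanged: {same}")
```

Line-ending conversion and trailing whitespace leave the signed text unchanged, while an added blank line inside the body changes it and would cause verification to fail.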