PGP vs Signal — different threat models, not competing tools

Signal protects the message you sent five minutes ago even if your phone gets seized tomorrow. PGP protects the message you sent five years ago as long as your private key passphrase has not leaked. Pick the wrong tool for the wrong job and you are protecting against the wrong attacker.

The crypto sounds similar but is not

Both encrypt end-to-end. Both use modern primitives (X25519, AES-256, HMAC, HKDF). The difference is what each one rotates.

PGP uses a long-term keypair. The same private key decrypts everything you have ever received, going back as far as the key has existed. If that private key is compromised — copied off your laptop, extracted from a bad backup, decrypted because the passphrase was weak — every message you have ever received is exposed.

Signal uses the Double Ratchet protocol. Every message uses a fresh key derived from the previous one and from a Diffie-Hellman exchange that runs continuously in the background. Capture today's phone state and you compromise today's and tomorrow's messages — but yesterday's messages, even ones you can still read in your own chat history, are encrypted under keys that no longer exist anywhere.

This is forward secrecy: yesterday's ciphertext stays unreadable even after today's keys are compromised. PGP does not have it. Signal does.

Threat models

• PGP — defends against an attacker who reads the wire (network adversary, hostile mail server) but does not control your endpoint. Loses the moment your private key + passphrase is compromised, retroactively.
• Signal — defends against the same plus an attacker who eventually compromises your endpoint. They get the messages from after the compromise; the entire backlog from before is still safe.
• Both — fail if your endpoint is compromised in real-time (keylogger, screen recording). No crypto helps once the attacker is reading your screen.

Operational shape

Signal is real-time. Both parties need running clients with internet. Phone-number bound (with username support being added). Designed for chat, voice, video, and small file attachments. Messages can be set to disappear. Account is tied to a device, and recovery without backup is intentionally limited.

PGP is store-and-forward. Send to someone offline; they decrypt when convenient. Email-friendly, file-friendly. No real-time guarantees. Account is your private key — back it up properly and you can decrypt your archive 20 years from now.

Long-term identity

PGP is the only common end-user crypto with a stable long-term public identity. Your 0xDEADBEEF fingerprint can appear on a website, a business card, a humans.txt file, in commit signatures, and on a key server, and people can verify it years later. Signal usernames and safety numbers are tied to the current Signal account; if you re-install or switch devices the safety numbers change and contacts have to re-verify.

Concretely: a journalist publishes a PGP fingerprint on their newspaper bio for sources to use. A code maintainer signs releases with PGP so reproducible-build verifiers can confirm provenance years later. Neither use case maps cleanly to Signal.

Recommendation

• Day-to-day chat with someone you trust — Signal. Forward secrecy is real and matters.
• Sending an encrypted file or long-form message that the recipient will read at their leisure — PGP.
• Receiving a message from a stranger via a published identity (sources, bug reports, key submissions) — PGP.
• Signing a software release — PGP. Signal does not sign.
• Verifying a sender's identity over years — PGP fingerprints.
• Most security-conscious users use both. They are different shapes for different days.

The wrong question is "which is better." The right question is "which threat model am I protecting against." If forward secrecy matters and you can require both parties to use Signal, use Signal. If you need long-term identity, file encryption, or email, use PGP. They overlap on the very narrow strip of "real-time chat between two technical users" — and on that strip, Signal wins handily.