PGP has a deserved UX reputation. Matthew Green and Moxie Marlinspike have both written persuasive essays about why PGP's email-encryption use case is a mess: bad key discovery, bad forward secrecy, bad defaults. I agree with most of it. But PGP in 2026 is still the best tool I have for one specific job — signing long-lived statements as a known identity. That job matters, and technical leaders should have a key for it.

What PGP Is Good At

Forget encrypted email for a minute. Think of PGP as a general-purpose signing system you can apply to arbitrary bytes.

  • Signing public statements — a blog post, a disclosure, a policy document. Anyone who has your public key can verify the text hasn't been altered and came from the holder of the key.
  • Transparency canaries — a signed statement with a freshness proof, republished regularly. Essential for anyone running a privacy-sensitive service.
  • Signing commits and releases — Git supports PGP natively (git commit -S), and release tarballs from serious projects are still distributed with detached signatures.
  • Long-lived identity — an Ed25519 or RSA-4096 key with a 1–2 year expiry, rotated deliberately, gives you a cryptographic thread across years of output.

Key Rotation Without Drama

The single biggest mistake I see is people generating a key, posting the fingerprint, and then forgetting about it. Five years later the key is orphaned, probably on a laptop they no longer own, and a new key appears with no continuity.

Do it like this:

  1. Generate a primary key that is certify-only and lives offline — on a YubiKey, an air-gapped machine, or both.
  2. Generate subkeys for signing, encrypting, and authentication. These are the ones you use day-to-day.
  3. Give subkeys a 1–2 year expiry. When a subkey nears expiry, extend it with the primary key or replace it. The identity (fingerprint) stays stable for a decade.
  4. Publish the full public key (with subkeys) to keys.openpgp.org and to your own website under a stable URL.
gpg --full-generate-key  # pick Ed25519
gpg --edit-key YOURID
  addkey   # add signing subkey
  addkey   # add encryption subkey
  save
gpg --export YOURID > pubkey.asc

Web of Trust vs. Keybase-Style Attestation

The original Web of Trust — other people signing your key at keysigning parties — is essentially dead outside a few communities. What works in its place is public attestation: proof that the key is controlled by whoever controls specific public accounts. Keybase pioneered this (link a key to Twitter/GitHub/DNS). The project's trajectory has been unpleasant, but the pattern is sound and you can implement it manually:

  • Publish your fingerprint on your personal website under HTTPS with HSTS.
  • Add a .well-known/openpgpkey WKD entry so clients can fetch it automatically.
  • Post the fingerprint from your verified professional social accounts.
  • Sign a short statement linking the key to the accounts.

An adversary would need to compromise several independent systems simultaneously to fake the whole set.

Common PGP Sins

Things I've seen technical leaders do that undercut the entire exercise:

  • Using a key with no expiry — eternal but unmaintained, a liability when the laptop dies.
  • Keeping the primary key on the same laptop as subkeys — one compromise, entire identity gone.
  • Signing things casually with comments like "lol" — it's a cryptographic signature; treat it like one.
  • Losing the revocation certificate — generate it the moment you create the key and store it somewhere you'll actually find it in five years.

PGP is not a great everyday messaging tool. It is a great durable-signature tool. For the job of "this statement came from me and hasn't been changed," I haven't found anything better.