PGP Signature Verification

Every autographed item I sign comes with a QR code that links to a unique verification page on this site. Each verification page contains:

A photograph of the signed item
A PGP cleartext signature proving I signed it
A SHA-256 hash of the image for integrity verification
A downloadable proof bundle (.zip)

The verification page lets you cryptographically verify the signature directly in your browser using openpgp.js, or you can download the proof and verify it manually with GPG.

How it works

Scan the QR code on the physical item
View the signed photograph and PGP signature
Click "Verify Signature" for automatic browser-based verification
The system verifies the PGP signature and checks the image's SHA-256 hash

Public Key

My PGP key ID is 0x99D075B895118988. You can find the public key on the MIT PGP keyserver or download it from this site.

Key Transition

As of March 18, 2026, I have transitioned to a new PGP key. The old key (0x99D075B895118988) has been revoked. The new key is 0x99D075B895118988, available on keys.openpgp.org and on my GitHub account.

The signed transition statement is available at /key-transition.txt.asc.

View signed transition statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -----BEGIN PGP SIGNED MESSAGE-----

I, Jimmy Song, am transitioning my PGP key.

Old key (revoked):
  C1D7 97BE 7D10 5291 228C  D70C FAA6 17E3 2679 E455

New key:
  DE9A 9438 F8B0 89DD AD17  82A3 99D0 75B8 9511 8988

The new key is available on keys.openpgp.org and on my GitHub account.

Please update your records accordingly.

Date: 2026-03-18

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTempQ4+LCJ3a0XgqOZ0HW4lRGJiAUCabra3gAKCRCZ0HW4lRGJ
iJqxAQCLrIUmpsC5uRPynmzOKvMcyUA9TC0zCvIbN3Fjv0nBSwEAozi1f1CuIQn5
lcEV4W7kXRH8kcdY767r0W+magqipgQ=
=d1jR
-----END PGP SIGNATURE-----

Manual Verification

gpg --import jimmy-song-pubkey.asc
gpg --verify proof.asc
sha256sum image.jpg