This repository is the canonical source for my work GPG key (Solace). It serves as a distribution point and a place for others to contribute signatures, building a verifiable web of trust without relying on keyserver infrastructure.
Note: I maintain a separate key for personal communications. The two keys are cross-signed with each other, so either can serve as a trust anchor for the other.
Signers: See SIGNER_GUIDE.md for a detailed guide including what out-of-band verification means, what the automation does and does not protect, and privacy considerations.
Key owner: See MAINTAINER_GUIDE.md for key lifecycle management, the attestations process, and maintainer responsibilities.
| Field | Value |
|---|---|
| Name | Benjamin Wiebe (Solace Employee Key) |
| benjamin.wiebe@solace.com | |
| Key type | Ed25519 / Curve25519 |
| Fingerprint | 1574 6FFA 864B 0DCB AE8D 4B0D ADEF C33E 229A 5A37 |
Import directly from this repository:
curl -sL https://raw.githubusercontent.com/bwiebe-solace/gpg-identity/main/pubkey.asc | gpg --importOr clone the repo and import locally:
gpg --import pubkey.ascAfter importing, verify the fingerprint matches exactly what is shown above:
gpg --fingerprint benjamin.wiebe@solace.comDo not trust a key that does not produce this exact fingerprint. If in doubt, verify out-of-band (in person, via a signed message, or through another trusted channel).
If you have verified my identity and would like to add your signature to my key, start by signing and exporting the updated key locally:
# 1. Import the current key from this repo
gpg --import pubkey.asc
# 2. Verify the fingerprint matches before signing (critical)
gpg --fingerprint benjamin.wiebe@solace.com
# 3. Sign the key with your own key
gpg --sign-key 15746FFA864B0DCBAE8D4B0DADEFC33E229A5A37
# 4. Export the updated key (now includes your signature)
gpg --armor --export 15746FFA864B0DCBAE8D4B0DADEFC33E229A5A37 > pubkey.ascThen submit the updated pubkey.asc using one of the two methods below.
Open a Submit Signature
issue, paste the contents of pubkey.asc into the form, and submit. A pull
request will be opened automatically on your behalf — no fork required.
Fork this repository, commit the updated pubkey.asc to your fork, and open a
pull request. The PR description template will guide you through the checklist.
PRs are merged manually by me on my local machine so that I can review the incoming signature and update my own keyring at the same time.
You can also send the signed key directly by email or any other channel — a GitHub account is not required. See SIGNER_GUIDE.md for details.
PRs are intentionally not merged via the GitHub UI. The recommended approach is the included script, which handles the full flow interactively:
bash accept-signature.shThe script lists open signature PRs, fetches the branch, imports the signer's public key from the issue if provided, shows current signatures, verifies them if possible, and prompts to accept or reject. Only accept signatures from people whose identity you can confirm — if the signer did not include their public key, verification must happen out-of-band.
# Fetch the PR branch
git fetch origin pull/<PR_NUMBER>/head:pr-<PR_NUMBER>
# Verify only pubkey.asc was changed
git diff main pr-<PR_NUMBER>
# Optionally import the signer's public key for verification
# (paste from the issue, or obtain directly from the signer)
gpg --import <signer-key.asc>
# Import the updated key and review signatures
git show pr-<PR_NUMBER>:pubkey.asc | gpg --import
gpg --list-sigs 15746FFA864B0DCBAE8D4B0DADEFC33E229A5A37
# Accept: merge, push, and clean up
git merge --no-ff pr-<PR_NUMBER> -m "merge: Accept signature from <SIGNER>"
git push origin main
git branch -d pr-<PR_NUMBER>
# Reject: close the PR
gh pr close <PR_NUMBER> --comment "Rejected: <REASON>"
git branch -d pr-<PR_NUMBER>To remove a signature from your local keyring after a rejection:
gpg --edit-key 15746FFA864B0DCBAE8D4B0DADEFC33E229A5A37
# At the gpg> prompt: uid 1 (select the uid), then: delsig