Users should always check and verify key fingerprints.
Before adding any foreign repository or software source, it is necessary to fetch the associated signing key (if available) and verify the fingerprint.
It is not safe to rely only on the Whonix wiki to confirm a key's expected fingerprint. Websites depend on fallible SSL or .onion architecture, which provides a weaker verification standard than the OpenPGP implementation. In practice, this means:
- Researching the expected key fingerprint from multiple, trusted Internet sources.
- Explicitly checking the key fingerprint matches the expected output, before importing it or adding it to a trusted key-ring.
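As an added example (not from the Whonix wiki), the following POSIX shell script applies the two steps above: it shows the fingerprint of a downloaded key file without importing it, compares that fingerprint against an expected value researched elsewhere, and only on a match imports the key into a dedicated keyring. It assumes gpg is installed; the key file path, expected fingerprint and keyring name are placeholders, and the colon-format sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the Whonix wiki. Assumes gpg (2.1.23 or later, for
# --show-keys) is installed; KEY_FILE / EXPECTED_FPR / KEYRING are placeholders.
set -eu

# Normalise a fingerprint for comparison: drop spaces, upper-case hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: the first "fpr" record after the "pub" record (field 10).
primary_fingerprint_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# Succeed only if both values are a full 40-hex-digit fingerprint and equal.
fingerprints_match() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Show the key file's fingerprint without touching any keyring, compare it to
# the expected value, and import into a dedicated keyring only on a match.
verify_and_import() {
    key_file=$1; expected=$2; keyring=$3
    actual=$(gpg --batch --with-colons --show-keys "$key_file" \
             | primary_fingerprint_from_colons)
    if fingerprints_match "$actual" "$expected"; then
        gpg --batch --no-default-keyring --keyring "$keyring" --import "$key_file"
        echo "fingerprint OK, imported: $actual"
    else
        echo "FINGERPRINT MISMATCH, not importing: got '$actual', expected '$expected'" >&2
        return 1
    fi
}

# Constructed sample of `gpg --with-colons --show-keys` output (not a real key),
# used to exercise the parser offline.
SAMPLE_COLONS='pub:-:4096:1:0123456789ABCDEF:1500000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example <example@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1500000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Usage: verify_and_import KEY_FILE EXPECTED_FPR KEYRING   (all placeholders)
```

The comparison deliberately rejects short key IDs and partial fingerprints, so a value copied from a single web page that is not the full 40 hex digits will not pass.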
For the best possible security, users should always rely on the OpenPGP Web of Trust.