4.3.1 Using PGP

You’ll need to generate a PGP keypair to identify your site, if you don’t already have a keypair you’d like to use. To generate a new keypair, say gpg --gen-key and follow the prompts. Think ahead of time about the e-mail address you’d like to associate with the new keypair: it becomes part of the key’s user ID, which is public once you export and publish the key.

Once you’ve got your keypair, you can get its identifier by saying gpg --list-keys (the identifier is the long hexadecimal fingerprint listed for each public key on your keyring; its last 16 hex digits are the long key ID, and either form works as KEYID below). Say gpg --output PATH-TO-YOUR-SOURCE/site-public.pgp --export KEYID to put a copy of your site’s public key somewhere in your site’s source project directory. Note that --export writes only the public key; never copy your secret keyring into the site directory. Add --armor if you’d rather publish the ASCII-armoured text form instead of the binary file.

Add a link to your home page like:

<link rel="pgpkey" href="/site-public.pgp">

To test, go to https://indieauth.com and scroll down to the “Try It!” section.

Note that IndieAuth.com supports neither Twitter nor Mastodon for authentication purposes.

You should see a green button labelled “GPG” along with your domain & the name of your public key. Click that and you’ll be presented with a string to sign with your private key (signing it proves you hold the private key matching the public key you published). Copy the challenge text exactly and say echo 'CHALLENGE-TEXT' | gpg -u KEYID --clearsign --armor (--clearsign already implies ASCII armour, so --armor is harmless but redundant). This should produce output something like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

eyJ0eXAiOiJKV1Qi...
-----BEGIN PGP SIGNATURE-----

iQGzBAEBCAAdFiEEr2ZwJM99NLbLOVkMca2Hl/Lwd1cFAmQqHdQACgkQca2Hl/Lw
d1e1jwv/bpIrpr7+WNfD1xfiNzkq+PzbeeMT07B8kHo3ZKXJINB420jO3P+QqM8G
S1WQF2XyhnzxKmo/ySk54HOV5iWZ62uBHIrn/Nn6YUBvVQUB6CiF0zeCvKrbreW/
3omdbdLfCryPAMd120sQi8mQ5fDr798jq8Oq7QyIA4WusIh3ZesoDYboE4VJKryK
...
-----END PGP SIGNATURE-----

Paste the entire signed message, from the BEGIN PGP SIGNED MESSAGE line through the END PGP SIGNATURE line, into the box. A partial paste (a missing marker or a cut-off signature block) will fail verification.
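Before pasting, it is worth checking that what you copied is the complete clearsigned block and that the text inside it is exactly the challenge you were given. The following is an added example, not code from the original page, from gpg or from IndieAuth.com: it parses the RFC 4880 cleartext-signature framing that gpg --clearsign prints (the Hash header, the dash-escaped body, the base64 signature armour and its CRC-24 trailer), undoes the dash-escaping and compares the signed text with the challenge. It does not verify the signature cryptographically; that still needs your public key and gpg --verify. The challenge string and the signature bytes in the sample are constructed for illustration (the bytes are not a real signature packet), and the function names are my own.

```python
"""Check a clearsigned IndieAuth challenge before pasting it into the form.

Added example, not code from the page, gpg or IndieAuth.com. Parses the
RFC 4880 cleartext-signature framing gpg --clearsign emits, undoes
dash-escaping, checks the armour CRC-24 and compares the signed text with
the challenge. It does NOT verify the signature itself (use gpg --verify).
"""
import base64
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def crc24(data):
    """CRC-24 from RFC 4880 section 6.1, the checksum behind the '=' line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_checksum(data):
    """The '=XXXX' trailer: CRC-24 of the raw bytes, big-endian, base64."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()


def parse_clearsigned(text):
    """Return (headers, signed_text, signature_bytes) or raise ValueError.

    Anything a partial copy-paste produces (missing marker, non-base64
    line, wrong CRC) is reported as a ValueError.
    """
    lines = text.replace("\r\n", "\n").split("\n")
    try:
        start = lines.index(BEGIN_MSG)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("incomplete paste: BEGIN/END marker missing") from None

    # "Hash: SHA256" style headers run up to the first blank line.
    headers, i = {}, start + 1
    while i < sig_start and lines[i]:
        key, _, value = lines[i].partition(": ")
        headers[key] = value
        i += 1
    if i >= sig_start:
        raise ValueError("no blank line between headers and signed text")

    # Cleartext: lines starting with '-' were escaped as "- ..." (s7.1);
    # trailing whitespace is ignored and the line break just before the
    # signature armour is not part of the signed data.
    body = lines[i + 1:sig_start]
    signed = "\n".join((l[2:] if l.startswith("- ") else l).rstrip(" \t")
                       for l in body)

    # Signature armour: optional "Key: value" headers, blank line(s),
    # base64 data lines, then the '=CRC' line.
    sig = [l for l in lines[sig_start + 1:sig_end] if l and ": " not in l]
    if not sig or not sig[-1].startswith("="):
        raise ValueError("signature armour has no CRC line (cut off?)")
    crc_line, data = sig[-1], sig[:-1]
    if not data or not all(B64_LINE.match(l) for l in data):
        raise ValueError("signature body is not base64 (partial paste?)")
    raw = base64.b64decode("".join(data))
    if armor_checksum(raw) != crc_line:
        raise ValueError("armour CRC mismatch: the paste was altered")
    return headers, signed, raw


def check_challenge(pasted, challenge):
    """'ok' if `pasted` is an intact clearsigned block over `challenge`,
    otherwise a short reason telling the user what to redo."""
    try:
        headers, signed, _ = parse_clearsigned(pasted)
    except ValueError as err:
        return str(err)
    if "Hash" not in headers:
        return "no Hash header: not gpg --clearsign output"
    if signed != challenge:
        return "signed text differs from the challenge"
    return "ok"


def build_sample(challenge, sig_bytes, hash_name="SHA256"):
    """Constructed block in the layout gpg --clearsign prints. sig_bytes is
    NOT a real signature packet; a real one only comes from your key."""
    escaped = ["- " + l if l.startswith("-") else l
               for l in challenge.split("\n")]
    b64 = base64.b64encode(sig_bytes).decode()
    wrapped = [b64[k:k + 64] for k in range(0, len(b64), 64)]
    return "\n".join([BEGIN_MSG, "Hash: " + hash_name, ""] + escaped
                     + [BEGIN_SIG, ""] + wrapped
                     + [armor_checksum(sig_bytes), END_SIG, ""])


if __name__ == "__main__":
    challenge = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.constructed-challenge"
    sample = build_sample(challenge, bytes(range(72)))  # constructed bytes
    print(sample)
    print("intact paste:", check_challenge(sample, challenge))
    cut = sample.split("\n")
    del cut[-4]  # lose one base64 line, as a sloppy copy-paste would
    print("truncated paste:", check_challenge("\n".join(cut), challenge))
```

The CRC-24 check is what catches the most common mistake, a line lost or wrapped while copying from the terminal; a mismatch means the text in the box is not what gpg produced, so verification on the server would fail anyway.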