PGP for Tor by saghras

PGP for Firefox is a local-first PGP toolkit. Think Kleopatra, but as a Firefox addon — no servers, no accounts, no telemetry. Everything runs on your device.

What it does

• Page scanner. When you visit a page containing a PGP block (-----BEGIN PGP …-----), a small badge appears top-right with a context-aware action: Verify, Decrypt, Import to keyring, or Import & verify if both a key and a signed message are on the same page.
• Smart verification. Distinguishes between valid, valid but signing key has expired, invalid math, and signer not in keyring. For expired keys it explains exactly what happened — many tools just say "INVALID" and leave you guessing.
• Keyserver lookup. Click "Look up & verify" on an unknown signer and the addon queries keys.openpgp.org and keyserver.ubuntu.com for the missing public key. Lookups never fire on passive page scans — only on explicit click — so you don't leak which signed pages you read.
• Keyring management. Generate, import, export, and delete keys. Private keys are passphrase-encrypted by OpenPGP.js (the passphrase never leaves memory).
• Notepad. Free-form sign / verify / encrypt / decrypt against keys in your keyring.

Privacy

No outbound network requests on page load, no analytics, no remote logging. The content script reads page text only to locate PGP armor strings — that text never leaves your device.

Crypto

Powered by OpenPGP.js v6.1.1 — the LGPL-3.0 reference JS implementation. v6.1.1 specifically includes the fix for CVE-2025-47934 (May 2025), so verification of inline signed messages is trustworthy.