About the digital signature on my emails
Emails sent by windymelt include a mechanism called a digital signature. Using a compatible mail client or tool, this lets you, the recipient, confirm that the email really came from windymelt and that its content has not been altered since it was sent.
Because of this, you may see an unfamiliar attachment such as signature.asc on some emails.
This is not a suspicious file — it is a legitimate attachment used for the confirmation described above.
This applies to emails sent from the following two addresses.
windymelt@3qe.uswindymelt@capslock.dev
Depending on your mail software, it may not support this kind of confirmation, in which case the attachment will just look like an ordinary file. Also, an email without this signature, or one for which the check fails, cannot be confirmed as coming from windymelt.
If you would like to check this in more detail, see the technical details below.
Technical details
Email addresses covered
Emails sent from the following two addresses are signed with the same PGP key.
- Email addresses
windymelt@3qe.uswindymelt@capslock.dev
Signature format
This signature uses the PGP/MIME format, as specified in RFC 3156 ("MIME Security with OpenPGP"), and is not S/MIME.
In PGP/MIME, a message uses a multipart/signed structure consisting of two parts: the message body and the signature.
The signature part has a Content-Type of application/pgp-signature, as defined by RFC 3156.
The filename shown for the signature attachment (for example, signature.asc) can vary between mail clients, so please rely on the Content-Type and the verification result rather than the filename alone.
Public key information
Please use the following PGP public key to verify the signature. Always confirm the key by checking the full fingerprint.
- Fingerprint (40 hex digits)
FEFC B381 9ECB C25D C132 9D89 F2FC 63C2 42C0 4D9D- Short key ID (for reference only, verify against the full fingerprint)
F2FC 63C2 42C0 4D9D- Download the public key
- FEFCB3819ECBC25DC1329D89F2FC63C242C04D9D.asc
- QR code of the fingerprint

Cross-checking via an independent channel
In addition to the fingerprint on this page, we recommend confirming that the same fingerprint appears on independent, third-party key servers such as the following.
- keys.openpgp.org
- https://keys.openpgp.org/search?q=0xF2FC63C242C04D9D
- Keyoxide
- https://keyoxide.org/hkp/F2FC63C242C04D9D
How to verify
Verifying the signature requires a PGP-capable mail client or tool. Verification is possible in environments such as the following.
- Thunderbird's built-in OpenPGP support
- GPG Suite (macOS)
- Mailvelope (browser extension)
gpg --verifyon the command line
The general procedure is as follows.
- Download the public key above and import it into your key management tool.
- Confirm that the imported key's fingerprint matches the full 40-digit fingerprint listed on this page.
- Open the email in a PGP-capable client and check the result of the signature verification.
Simply opening an email that has a signature attached does not constitute verification. You need to confirm that a PGP-capable client has checked the signature and reports it as valid.
Caution
- An email without a signature, or one for which verification fails, cannot be confirmed as coming from Windymelt.
- Webmail services such as Gmail, and mail clients without PGP support, cannot verify the signature; in these cases the signature file simply appears as an ordinary attachment.
-
Of the keys listed on the top page,
FEF3 3498 5481 CD94and9FE0 A201 73C0 8B1Dare not used for the current signature.