Because we use GraphQL, keys match the regular expression [_A-Za-z][_0-9A-Za-z]*, see "GraphQL", section "Names", hence contain only ASCII characters and are sorted the fastest using ASCII-code order, also called ASCIIbetical order. Another option would be to use the Unicode Collation Algorithm, which can be somewhat performantly implemented in C# with SortKeys.
Unnecessary whitespace are spaces, tabs, and new-lines outside of strings. In JavaScript, those spaces can be removed from the output by using 0 for the argument space of JSON#stringify. In C#, they are not output when the option JsonSerializerOptions#WriteIndented is set to false when calling JsonSerializer#Serialize.
There sadly is no stable not the oneGnuPG wrapper in C#. The most stable and maintained one I could find is PgpCore which is based on Bouncy Castle. What comes closest is gpgme-sharp but it's experimental and seems unmaintained, or Bouncy Castle which is rather low-level but maintained, or starksoft-aspen which seems better and kind of maintained, or PgpCore which is based on Bouncy Castle and maintained. We could also run shell commands directly as explained in GnuGP decryption in C#. Doing that requires spawning a new process for each run, which is expensive, turning input into strings, parsing the command-line output, and turning command-line errors into C# exceptions.
Your own keys could additionally be signed by some certificate authority like digicert, CAcert, and many more to give more credibility to its authenticity. The institution behind the metabase could also act as such an authority and check authenticity via phone, mail, e-mail, URL meta information, ..., for example, by receiving a public key (or just its fingerprint) printed on paper with some text that this key belongs to some institution and a signature by hand by a company representative (this is nothing but a classical contract in the real world and should be legally binding), and after receiving the institution behind the metabase could sign the key with its own key and send the signature back. How does the institution behind the metabase publish its public key? Through a key server or a web key directory or just through its URL or also additionally via mail with a signature by hand to make it legally binding?
Documents can be signed detached and signatures verified with GnuPG, see "Making and verifying signatures", section "Detached signatures" (for an introduction to GnuPG read The GNU Privacy Handbook and PGP and You which also talks about use cases like signing git commits and tags and e-mails). To turn JSON data into a document to sign or to verify a signature, sort all keys alphabetically, remove all unnecessary whitespace, and save the data in UTF-8.
[_A-Za-z][_0-9A-Za-z]*
, see "GraphQL", section "Names", hence contain only ASCII characters and are sorted the fastest using ASCII-code order, also called ASCIIbetical order. Another option would be to use the Unicode Collation Algorithm, which can be somewhat performantly implemented in C# withSortKey
s.0
for the argumentspace
of JSON#stringify. In C#, they are not output when the option JsonSerializerOptions#WriteIndented is set tofalse
when calling JsonSerializer#Serialize.Utf8JsonWriter
. If you pass options when creating theUtf8JsonWriter
instance, make sure that the option JsonWriterOptions#Indented is set tofalse
.There sadly is
no stablenot the one GnuPG wrapper in C#. The most stable and maintained one I could find is PgpCore which is based on Bouncy Castle.What comes closest is gpgme-sharp but it's experimental and seems unmaintained, or Bouncy Castle which is rather low-level but maintained, or starksoft-aspen which seems better and kind of maintained, or PgpCore which is based on Bouncy Castle and maintained. We could also run shell commands directly as explained in GnuGP decryption in C#. Doing that requires spawning a new process for each run, which is expensive, turning input into strings, parsing the command-line output, and turning command-line errors into C# exceptions.It may also be of interest to us to host an OpenPGP keyserver (see also GnuPG Manual Keyserver and Roll Your Own PGP Keyserver) or use an existing one. Existing frameworks are Sequoia written in Rust by former GnuPG developers deployed on keys.openpgp.org, and SKS written on Ocaml deployed on pgp.mit.edu (note that SKS has major problems as explained on Hagrid: A new verifying keyserver based on Sequoia and should not be used). The guides by Matt Rude on how to set-up a keyserver may be helpful. For security reasons (because keyservers cannot be trusted), there is a pool of keyservers and one is chosen randomly by tools. Also of interest may by Web Key Directories and Web Key Services (see also Roll Your Own WKS) --- those are said to be more secure than keyservers who before Sequoia suffered from the unverified e-mail address problem. On how to host web key directories see https://keyserver.mattrude.com/guides/web-key-directory/ and https://wiki.gnupg.org/WKDHosting
Side notes: