
Extending an expired GPG key

2023-07-13 #gpg #open-source #security #yubikey

Slightly over a year ago, I set up a new hardware-backed GPG key on my YubiKey. Today I needed to sign a release, and noticed that my key had expired two days ago. It's time to renew it.

Possible approaches

When a key expires, there are three ways to address this:

Updating the expiration date

It turns out that updating the expiration date of keys is pretty simple on recent GPG releases. First, update the expiration of the primary key:

# Arguments: <primary key fingerprint> <new expiry, relative to today>
gpg --quick-set-expire 1204CA9FC2FFADEEDC2961367880733B9D062837 1y
# Provide the PIN
# Tap the YubiKey

And then the subkeys. List all the fingerprints for the subkeys with:

gpg --list-secret-keys --verbose --with-subkey-fingerprints

And then actually update the expiration of the subkeys:

# Arguments: <primary key fingerprint> <new expiry> <subkey fingerprint>...
gpg --quick-set-expire 1204CA9FC2FFADEEDC2961367880733B9D062837 1y 94248F3453FE6C15B5D57FA369799729DDF6BDD3 3DEBAC5D65DBADD5FA6A20DFF32635370237664C
# Provide the PIN
# Tap the YubiKey
# Provide the PIN again
# Tap the YubiKey again

Check that everything looks correct:

gpg --list-secret-keys

And push the keys to public keyservers:

gpg --keyserver keyserver.ubuntu.com --send-keys 0x9D062837
gpg --keyserver pgp.mit.edu --send-keys 0x9D062837
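As an added example (not part of the original post), the following POSIX shell helper automates the steps above: it parses the machine-readable listing from `gpg --with-colons --list-secret-keys --with-subkey-fingerprints`, reports which keys have expired relative to a cutoff, and builds the two `--quick-set-expire` commands (primary key first, then all subkeys in one call). The listing embedded below is constructed for the demonstration; it reuses the fingerprints from this post, but the dates and user ID are made up.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --list-secret-keys --with-subkey-fingerprints`.
# Field 2 is validity ("e" = expired), field 7 the expiry as epoch seconds; the fpr
# record that follows a sec/ssb record carries that key's fingerprint in field 10.
SAMPLE_LISTING='sec:e:4096:1:7880733B9D062837:1654000000:1688774400::u:::cSCA:::+::::
fpr:::::::::1204CA9FC2FFADEEDC2961367880733B9D062837:
uid:e::::1654000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:e:4096:1:69799729DDF6BDD3:1654000000:1688774400:::::s:::+::::
fpr:::::::::94248F3453FE6C15B5D57FA369799729DDF6BDD3:
ssb:e:4096:1:F32635370237664C:1654000000:1688774400:::::e:::+::::
fpr:::::::::3DEBAC5D65DBADD5FA6A20DFF32635370237664C:'

# Read a colon-format listing on stdin; print "<sec|ssb> <fingerprint> <expiry-epoch>" per key.
parse_key_expiries() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" { kind = $1; expiry = $7; want = 1; next }
    $1 == "fpr" && want       { print kind, $10, expiry; want = 0 }
  '
}

# Print the fingerprints of keys whose expiry is at or before the given epoch cutoff
# (pass `$(date +%s)` for "now"). Keys without an expiry are never reported.
expired_fingerprints() {
  cutoff="$1"
  parse_key_expiries | awk -v now="$cutoff" '$3 != "" && $3 <= now { print $2 }'
}

# Emit the renewal commands from the post: the primary key alone, then the primary
# key followed by every subkey fingerprint, both with the same relative period.
build_renew_commands() {
  period="$1"
  parse_key_expiries | awk -v period="$period" '
    $1 == "sec" { primary = $2 }
    $1 == "ssb" { subkeys = subkeys " " $2 }
    END {
      print "gpg --quick-set-expire " primary " " period
      print "gpg --quick-set-expire " primary " " period subkeys
    }
  '
}

# Real use: feed live gpg output instead of the sample, review the output, then run it:
#   gpg --with-colons --list-secret-keys --with-subkey-fingerprints | build_renew_commands 1y
printf '%s\n' "$SAMPLE_LISTING" | build_renew_commands 1y
```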

Sources

Have comments or want to discuss this topic?
Send an email to my public inbox: ~whynothugo/public-inbox@lists.sr.ht.
Or feel free to reply privately by email: hugo@whynothugo.nl.
