Extending an expired GPG key

Slightly over a year ago, I set up a new hardware-backed GPG key on my yubikey device. Today I needed to sign a release, and noticed my key expired two days ago. It’s time to renew it.

Possible approaches ¶

When a key expires, there are three alternatives on how to address this:

• Generate a new key pair. This requires updating my public key everywhere (e.g.: on services that use my public key, in the README for projects where I sign releases, etc), which is somewhat of a nuisance.
  When using keys stored on-disk, this has a slight advantage in terms of security: if the key was inadvertently leaked during the last year, then switching to a new key reduces the impact of that leak. This is irrelevant when using hardware backed keys.
• Update the expiration date of the existing key, and generate new subkeys. This also requires redistributing the subkeys to people who verify signatures.
• Update the expiration date of the existing key and its subkeys. This seems to be the smoothest option. I’ll be taking this approach.

Updating the expiration date ¶

It turns out that updating the expiration date of keys is pretty simple on recent GPG releases. First, update the expiration of the primary key:

gpg --quick-set-expire 1204CA9FC2FFADEEDC2961367880733B9D062837 1y
# Provide the PIN
# Tap the Yubikey

And then the subkeys. List all the fingerprints for the subkeys with:

gpg --list-secret-keys --verbose --with-subkey-fingerprints

And then actually update the expiration of the subkeys:

gpg --quick-set-expire 1204CA9FC2FFADEEDC2961367880733B9D062837 1y 94248F3453FE6C15B5D57FA369799729DDF6BDD3 3DEBAC5D65DBADD5FA6A20DFF32635370237664C
gpg --quick-set-expire 1204CA9FC2FFADEEDC2961367880733B9D062837 1y
# Provide the PIN
# Tap the Yubikey
# Provide the PIN again
# Tap the Yubikey again

Check that everything looks correct:

gpg --list-secret-keys

And push the keys to public keyservers:

gpg --keyserver keyserver.ubuntu.com --send-keys 0x9D062837
gpg --keyserver pgp.mit.edu --send-keys 0x9D062837

Sources ¶

• https://www.gnupg.org/documentation/manuals/gnupg24/gpg.1.html
• https://unix.stackexchange.com/questions/177291/how-to-renew-an-expired-keypair-with-gpg
• https://gist.github.com/krisleech/760213ed287ea9da85521c7c9aac1df0

Have comments or want to discuss this topic?
Send an email to ~whynothugo/public-inbox@lists.sr.ht (mailing list etiquette)