Slightly over a year ago, I set up a new hardware-backed GPG key on my yubikey device. Today I needed to sign a release, and noticed my key expired two days ago. It’s time to renew it.
Possible approaches
When a key expires, there are three alternatives on how to address this:
- Generate a new key pair. This requires updating my public key everywhere
(e.g.: on services that use my public key, in the README for projects where I
sign releases, etc), which is somewhat of a nuisance.
When using keys stored on-disk, this has a slight advantage in terms of security: if the key was inadvertently leaked during the last year, then switching to a new key reduces the impact of that leak. This is irrelevant when using hardware backed keys. - Update the expiration date of the existing key, and generate new subkeys. This also requires redistributing the subkeys to people who verify signatures.
- Update the expiration date of the existing key and its subkeys. This seems to be the smoothest option. I’ll be taking this approach.
Updating the expiration date
It turns out that updating the expiration date of keys is pretty simple on recent GPG releases. First, update the expiration of the primary key:
gpg --quick-set-expire 1204CA9FC2FFADEEDC2961367880733B9D062837 1y
# Provide the PIN
# Tap the Yubikey
And then the subkeys. List all the fingerprints for the subkeys with:
gpg --list-secret-keys --verbose --with-subkey-fingerprints
And then actually update the expiration of the subkeys:
gpg --quick-set-expire 1204CA9FC2FFADEEDC2961367880733B9D062837 1y 94248F3453FE6C15B5D57FA369799729DDF6BDD3 3DEBAC5D65DBADD5FA6A20DFF32635370237664C
gpg --quick-set-expire 1204CA9FC2FFADEEDC2961367880733B9D062837 1y
# Provide the PIN
# Tap the Yubikey
# Provide the PIN again
# Tap the Yubikey again
Check that everything looks correct:
gpg --list-secret-keys
And push the keys to public keyservers:
gpg --keyserver keyserver.ubuntu.com --send-keys 0x9D062837
gpg --keyserver pgp.mit.edu --send-keys 0x9D062837