Slightly over a year ago, I set up a new hardware-backed GPG key on my yubikey device. Today I needed to sign a release, and noticed my key expired two days ago. It’s time to renew it.
Possible approaches
When a key expires, there are three ways to address it:
- Generate a new key pair. This requires updating my public key everywhere (e.g. on services that use my public key, in the README of projects where I sign releases, etc.), which is somewhat of a nuisance. When using keys stored on disk, this has a slight security advantage: if the key was inadvertently leaked during the last year, switching to a new key limits the impact of that leak. This is irrelevant when using hardware-backed keys.
- Update the expiration date of the existing primary key and generate new subkeys. This also requires redistributing the new subkeys to everyone who verifies my signatures.
- Update the expiration date of the existing key and its subkeys. This seems to be the smoothest option, so I'll be taking this approach.
Updating the expiration date
It turns out that updating the expiration date of keys is pretty simple on recent GPG releases. First, update the expiration of the primary key:
gpg --quick-set-expire 1204CA9FC2FFADEEDC2961367880733B9D062837 1y
# Provide the PIN
# Tap the Yubikey
Then the subkeys. First, list their fingerprints with:
gpg --list-secret-keys --verbose --with-subkey-fingerprints
Then update the expiration of the subkeys. The arguments are the primary key's fingerprint, the new validity period, and then the fingerprints of the subkeys to update:
gpg --quick-set-expire 1204CA9FC2FFADEEDC2961367880733B9D062837 1y 94248F3453FE6C15B5D57FA369799729DDF6BDD3 3DEBAC5D65DBADD5FA6A20DFF32635370237664C
# Provide the PIN
# Tap the Yubikey
# Provide the PIN again
# Tap the Yubikey again
Check that everything looks correct:
gpg --list-secret-keys
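Copying three fingerprints by hand is where this procedure goes wrong (a mistyped subkey fingerprint is silently ignored, a mistyped period means the key expires at the wrong time). The script below is an added example, not code from the original post: it parses the machine-readable output of `gpg --with-colons --list-secret-keys --with-subkey-fingerprints` to find which keys have actually expired and to assemble the `--quick-set-expire` command for the subkeys. The colon-format listing embedded in it is a constructed sample built around the fingerprints from this post; the timestamps and user id are made up.

```shell
#!/bin/sh
# Added example (not from the original post). Parses gpg's --with-colons
# output to find expired keys and to build the subkey renewal command, so no
# fingerprint is ever copied by hand.

PRIMARY_FPR=1204CA9FC2FFADEEDC2961367880733B9D062837

# Constructed sample of `gpg --with-colons --list-secret-keys --with-subkey-fingerprints`.
# Field 2 "e" marks an expired key, field 5 is the key id, field 7 the expiry
# timestamp, and field 10 of an fpr record the fingerprint. Timestamps and the
# user id are made up; the fingerprints are the ones from the post.
SAMPLE_LISTING='sec:e:4096:1:7880733B9D062837:1600000000:1700000000::u:::cSC:::+:::23::0:
fpr:::::::::1204CA9FC2FFADEEDC2961367880733B9D062837:
uid:e::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.com>::::::::::0:
ssb:e:4096:1:69799729DDF6BDD3:1600000000:1700000000:::::s:::+:::23:
fpr:::::::::94248F3453FE6C15B5D57FA369799729DDF6BDD3:
ssb:e:4096:1:F32635370237664C:1600000000:1700000000:::::e:::+:::23:
fpr:::::::::3DEBAC5D65DBADD5FA6A20DFF32635370237664C:'

# Print the fingerprints of all subkeys: the fpr record that directly follows
# each ssb record. $1 is the colon-format listing.
subkey_fingerprints() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "ssb" { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0; next }
        { want = 0 }
    '
}

# Print the key ids of primary keys and subkeys whose expiry (field 7) lies
# before the given time. $1: listing, $2: "now" as a Unix timestamp.
expired_key_ids() {
    printf '%s\n' "$1" | awk -F: -v now="$2" '
        ($1 == "sec" || $1 == "ssb") && $7 != "" && $7 + 0 < now + 0 { print $5 }
    '
}

# Assemble the command the post runs by hand: primary fingerprint, new validity
# period, then every subkey fingerprint. $1: primary fingerprint, $2: listing,
# $3: period (default 1y). Printed rather than executed so it can be reviewed.
renew_command() {
    subs=$(subkey_fingerprints "$2" | tr '\n' ' ')
    printf 'gpg --quick-set-expire %s %s %s\n' "$1" "${3:-1y}" "${subs% }"
}

# Against a live keyring the same helpers work on real output (not run here):
#   listing=$(gpg --with-colons --list-secret-keys --with-subkey-fingerprints)
#   expired_key_ids "$listing" "$(date +%s)"
#   renew_command "$PRIMARY_FPR" "$listing" 1y | sh
echo "Expired key ids as of epoch 1800000000:"
expired_key_ids "$SAMPLE_LISTING" 1800000000
echo "Renewal command:"
renew_command "$PRIMARY_FPR" "$SAMPLE_LISTING" 1y
```

Re-running `expired_key_ids` with the current time after the renewal is the check that `gpg --list-secret-keys` does by eye: an empty result means neither the primary key nor any subkey is still expired. The parsed `--with-colons` output is the stable interface GnuPG documents for scripts; the human-readable listing can change between releases.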
And push the keys to public keyservers:
gpg --keyserver keyserver.ubuntu.com --send-keys 0x9D062837
gpg --keyserver pgp.mit.edu --send-keys 0x9D062837
Sources
- https://www.gnupg.org/documentation/manuals/gnupg24/gpg.1.html
- https://unix.stackexchange.com/questions/177291/how-to-renew-an-expired-keypair-with-gpg
- https://gist.github.com/krisleech/760213ed287ea9da85521c7c9aac1df0
Have comments or want to discuss this topic?
Send an email to ~whynothugo/public-inbox@lists.sr.ht
(mailing list etiquette)