
Transitioning to a new GPG key

 

I have generated a new GPG key to replace my old one which was based on a 1024-bit DSA primary key. The new primary key is 4096-bit RSA. I will be transitioning away from my old one.

The old key will continue to be valid, but I prefer all future correspondence to use the new key. I would also like this new key to be re-integrated into the web of trust. The online version of this message is signed by both my keys (old and new) to certify the transition.

The old key was:

pub 1024D/A75CBDA0 2003-01-17
 Key Fingerprint = F2CE 1B92 EE1F 2C0C E97E 581E 5E56 AAAF A75C BDA0

And the new key is:

pub 4096R/769EE011 2016-08-21
 Key Fingerprint = 2AD1 07EA F451 32C8 A991 F4F9 883E C63B 769E E011

To fetch the full key (including a photo uid, which is commonly stripped by public keyservers), you can get it with either of these two commands:

wget -q -O- http://slackware.com/~alien/alien.gpg.asc | gpg --import -
wget -q -O- http://alienbase.nl/alien.gpg.asc | gpg --import -

Or, to fetch my new key from a public key server, you can simply do:

gpg --keyserver pgp.mit.edu --recv-key 769EE011

If you already know my old key, you can now verify that the new key is signed by the old one:

gpg --check-sigs 769EE011

If you don’t already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

gpg --fingerprint 769EE011

If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key:

gpg --sign-key 769EE011

Lastly, if you could upload these signatures, I would appreciate it. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):

gpg --armor --export 769EE011 | mail -s 'GPG Signatures' alien@slackware.com

Or you can just upload the signatures to a public keyserver directly:

gpg --keyserver pgp.mit.edu --send-key 769EE011

Please let me know if there is any trouble, and sorry for the inconvenience.

Eric

Some reading material in case you too want to transition to a new key or even want to start using GPG:

Note:
The above text is based on a “gpg-transition-document” template which seems to be pretty widely used on the Internet for purposes of GPG key transitioning. My own text (the one of this blog post) can also be found here: http://www.slackware.com/~alien/gpg_transition_20160821.txt . That text file has been digitally signed with my old and new keys so that you can verify the correctness of my statements.
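The fingerprint check described in the post can be scripted. The following is an added example, not part of the original post or the transition template: it compares the primary-key fingerprint from `gpg --with-colons` output against the fingerprint published above. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a key's full fingerprint with the published one.
# Fingerprint of the new key, copied from the transition statement above.
EXPECTED_FPR="2AD1 07EA F451 32C8 A991 F4F9 883E C63B 769E E011"

# Strip whitespace and upper-case, so spaced and raw forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: the first "fpr" record after a "pub" record (field 10).
# Subkey fingerprints (after "sub") are ignored.
primary_fpr_from_colons() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; exit }
    '
}

# Succeeds only when the full 160-bit fingerprint matches. Matching the
# 8-digit short ID (769EE011) alone is not enough: short IDs can collide.
check_fpr() {   # $1 = colon-format listing, $2 = expected fingerprint
    got=$(printf '%s\n' "$1" | primary_fpr_from_colons)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$2")" ]
}

# Constructed, abridged listings in the shape of `gpg --with-colons` output.
SAMPLE_GOOD='pub:-:4096:1:883EC63B769EE011:1471737600:::-:
fpr:::::::::2AD107EAF45132C8A991F4F9883EC63B769EE011:
uid:-::::1471737600::::Constructed User <user@example.invalid>:
sub:-:4096:1:1111111122222222:1471737600::::
fpr:::::::::AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD1111111122222222:'

# Constructed key that shares the short ID but has another fingerprint.
SAMPLE_LOOKALIKE='pub:-:4096:1:DEADBEEF769EE011:1471737600:::-:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEF769EE011:'

# On a real keyring, replace the sample with:
#   listing=$(gpg --with-colons --fingerprint 769EE011)
for listing in "$SAMPLE_GOOD" "$SAMPLE_LOOKALIKE"; do
    check_fpr "$listing" "$EXPECTED_FPR" \
        && echo "fingerprint matches" \
        || echo "FINGERPRINT MISMATCH: do not sign or trust this key"
done
```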

 

17 Comments

  1. kjhambrick

    Thanks Eric !

    All set here.

    — kjh

  2. Tonus

    Thanks Eric for giving a full process, useful and interesting.

    As usual shall I say…

    BTW great to see you’re still there and hope your new job is at least as great as the former one.

  3. Alexander

    Thanks!
    There is a problem with copy-pasting commands like:
    gpg –keyserver pgp.mit.edu –recv-key 769EE011

    Double dash converted to some nonstandard dash.

  4. alienbob

    I have changed the commands to “preformatted text” which will make the double-dashes visible again. But the .txt file I link to also has properly formatted text that can be copied and pasted.

  5. Jen

    Thanks for the reminder. I should regenerate a PGP key. I used to use one all the time, but got out of the habit.

  6. gegechris99

    I uploaded your signed key to a public keyserver.

  7. Mike Coddington

    Eric,
    If you’re interested, I can get you an invite to Keybase which is kind of like an enhanced idea of a keyserver. https://keybase.io is its URL. Actually, I’m going to put an invite link here. Other people, don’t be jerks and grab it. If someone got to it before you did Eric, drop me an email.
    https://keybase.io/inv/e6a2240562

  8. alienbob

    Hi Mike.

    I consumed that invite and I am going to investigate the scope and usefulness of that site and its tech. Thanks.

  9. Tonus

    Hi Eric,
    I might have missed something or be posting this in the wrong place:
    When I use your repo with slackpkg+ I’ve got a gpg error on the kde_frameworks repo (url http://bear.alienbase.nl/mirrors/alien-kde/current/testing/x86_64/kde/frameworks/CHECKSUMS.md5)
    Is there something I can do on my side?
    Regards

  10. alienbob

    Do not use the /current/testing/ repository please. It is not up to date. Use the /current/latest/ or the /14/2/latest/ repository, those are being maintained.

    • Tonus

      I knew I had to pay more attention: I now remember reading something about it…

      Thank you and sorry for the noise!

  11. Geremia

    I’m not sure if this is related to your changing to a new key, but I keep getting gpg errors when trying to install, with slackpkg:

    libktorrent-2.0.1-x86_64-1alien.txz

    from:

    https://bear.alienbase.nl/mirrors/alien-kde/current/latest/x86_64/kde/applications-extra/libktorrent-2.0.1-x86_64-1alien.txz

    I ran “slackpkg update gpg,” but it’s using your old key.

  12. alienbob

    Geremia, the GPG signature for that package _is_ bad. I just verified. I need to re-create that one.
    And by the way, I am still using the old GPG key for my package repositories.

  13. Geremia

    I still get an MD5SUM error with libktorrent-2.0.1-x86_64-1alien.txz:

    ==============================================================================
    WARNING! One or more errors occurred while slackpkg was running
    ——————————————————————————
    libktorrent-2.0.1-x86_64-1alien.txz.asc: md5sum
    libktorrent-2.0.1-x86_64-1alien.txz.asc: md5sum

  14. alienbob

    Yeah I did not generate the MD5SUMS file again after fixing the .asc file.
    Live with it for now. You know it is still the correct file despite the error. Next month with the new ktown update, this issue will be gone.

  15. Seb

    Hello Eric,
    I just downloaded calibre from your builds repository.
    The package is signed with the old key A75CBDA0. Is it OK?
    (Thanks a lot for your work).

  16. alienbob

    All the packages in my SlackBuild repositories are still being signed with the old key. The ktown repository is signed with the new key.
