I have generated a new GPG key to replace my old one which was based on a 1024-bit DSA primary key. The new primary key is 4096-bit RSA. I will be transitioning away from my old one.
The old key will continue to be valid, but I prefer all future correspondence to use the new key. I would also like this new key to be re-integrated into the web of trust. The online version of this message is signed by both my keys (old and new) to certify the transition.
The old key was:
pub 1024D/A75CBDA0 2003-01-17 Key Fingerprint = F2CE 1B92 EE1F 2C0C E97E 581E 5E56 AAAF A75C BDA0
And the new key is:
pub 4096R/769EE011 2016-08-21 Key Fingerprint = 2AD1 07EA F451 32C8 A991 F4F9 883E C63B 769E E011
To fetch the full key (including a photo uid, which is commonly stripped by public keyservers), you can get it with either of these two commands:
wget -q -O- http://slackware.com/~alien/alien.gpg.asc | gpg --import -
wget -q -O- http://alienbase.nl/alien.gpg.asc | gpg --import -
Or, to fetch my new key from a public key server, you can simply do:
gpg --keyserver pgp.mit.edu --recv-key 769EE011
If you already know my old key, you can now verify that the new key is signed by the old one:
gpg --check-sigs 769EE011
If you don’t already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:
gpg --fingerprint 769EE011
If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key:
gpg --sign-key 769EE011
Lastly, if you could upload these signatures, I would appreciate it. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):
gpg --armor --export 769EE011 | mail -s 'GPG Signatures' alien@slackware.com
Or you can just upload the signatures to a public keyserver directly:
gpg --keyserver pgp.mit.edu --send-key 769EE011
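As an added example (not part of this post or of the transition document it is based on), here is a small POSIX shell script that automates the two verification steps above: it compares the fingerprint gpg prints against the one published here, and it confirms that `--check-sigs` reports a good (`sig!`) certification from the old key rather than an unverifiable (`sig?`) or bad (`sig-`) one. The function names, the gpg 1.4-style sample output and the uid string are constructed for illustration; `verify_transition` assumes gpg is on PATH and the new key has already been imported.

```shell
#!/bin/sh
# Added example (not from the original post or from the transition document):
# offline checks for the two verification steps above. The sample gpg output
# below is CONSTRUCTED to mimic gpg 1.4's --fingerprint and --check-sigs
# layout; in practice you would feed in real gpg output instead.

# Values taken from the transition statement above.
NEW_KEYID="769EE011"
NEW_FPR_EXPECTED="2AD1 07EA F451 32C8 A991 F4F9 883E C63B 769E E011"
OLD_KEYID="A75CBDA0"

# Drop whitespace and fold to upper case so "2AD1 07EA ..." and
# "2ad107ea..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-z' 'A-Z'
}

# check_fingerprint OUTPUT EXPECTED
# Returns 0 when the 40-hex-digit fingerprint printed in OUTPUT (grouped as
# gpg prints it, or contiguous) equals EXPECTED, 1 otherwise. EXPECTED should
# come from an out-of-band source (this post, a business card, a phone call);
# comparing against a value fetched over the same channel proves nothing.
check_fingerprint() {
    actual=$(printf '%s\n' "$1" | grep -oE '([0-9A-Fa-f]{4} ?){10}' | head -n 1)
    [ -n "$actual" ] && [ "$(norm_fpr "$actual")" = "$(norm_fpr "$2")" ]
}

# check_signed_by OUTPUT SIGNER_KEYID
# Returns 0 only if --check-sigs output contains a line marked "sig!" (good,
# verified signature) whose signer key id ends with SIGNER_KEYID. A "sig?"
# line (signer key not in your keyring) or "sig-" (bad signature) does not
# count: a certification you could not verify is not evidence of anything.
check_signed_by() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^sig!/ {
            n = length(want)
            if (substr($2, length($2) - n + 1) == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# verify_transition NEW_KEYID: the live version, run against your own keyring.
# Assumes gpg is on PATH; both checks must pass for it to return 0.
verify_transition() {
    fp_out=$(gpg --fingerprint "$1") || return 1
    cs_out=$(gpg --check-sigs "$1") || return 1
    check_fingerprint "$fp_out" "$NEW_FPR_EXPECTED" && check_signed_by "$cs_out" "$OLD_KEYID"
}

# Constructed sample output (gpg 1.4 layout, key ids from the post above).
SAMPLE_FINGERPRINT_OUT='pub   4096R/769EE011 2016-08-21
      Key fingerprint = 2AD1 07EA F451 32C8 A991 F4F9 883E C63B 769E E011
uid                  Eric <alien@slackware.com>'

SAMPLE_CHECK_SIGS_OUT='pub   4096R/769EE011 2016-08-21
uid                  Eric <alien@slackware.com>
sig!3        769EE011 2016-08-21  Eric <alien@slackware.com>
sig!         A75CBDA0 2016-08-21  Eric <alien@slackware.com>'

# Same key, but the old key is not in the keyring, so gpg prints "sig?".
SAMPLE_CHECK_SIGS_UNVERIFIED='pub   4096R/769EE011 2016-08-21
uid                  Eric <alien@slackware.com>
sig!3        769EE011 2016-08-21  Eric <alien@slackware.com>
sig?         A75CBDA0 2016-08-21'

# demo: run both checks on the constructed samples; returns 0 if both pass.
demo() {
    check_fingerprint "$SAMPLE_FINGERPRINT_OUT" "$NEW_FPR_EXPECTED" || return 1
    check_signed_by "$SAMPLE_CHECK_SIGS_OUT" "$OLD_KEYID" || return 1
}

if demo; then
    echo "sample: fingerprint matches and key $NEW_KEYID is certified by $OLD_KEYID"
else
    echo "sample: verification failed"
fi
```

Against a real keyring you would call `verify_transition 769EE011` after the import steps above; it fails closed, so a missing old key (which gpg reports as `sig?`) is reported as "not verified" rather than silently accepted.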
Please let me know if there is any trouble, and sorry for the inconvenience.
Eric
Some reading material in case you too want to transition to a new key or even want to start using GPG:
- https://www.apache.org/dev/key-transition.html
- https://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
- https://danielpocock.com/rsa-key-sizes-2048-or-4096-bits
- https://wiki.archlinux.org/index.php/GnuPG
Note:
The above text is based on a “gpg-transition-document” template which seems to be pretty widely used on the Internet for purposes of GPG key transitioning. My own text (the one of this blog post) can also be found here: http://www.slackware.com/~alien/gpg_transition_20160821.txt . That text file has been digitally signed with my old and new keys so that you can verify the correctness of my statements.
Thanks Eric!
All set here.
— kjh
Thanks Eric for giving a full process, useful and interesting.
As usual shall I say…
BTW great to see you’re still there and hope your new job is at least as great as the former one.
Thanks!
There is a problem with copy-pasting commands like:
gpg –keyserver pgp.mit.edu –recv-key 769EE011
Double dash converted to some nonstandard dash.
I have changed the commands to “preformatted text” which will make the double-dashes visible again. But the .txt file I link to also has properly formatted text that can be copied and pasted.
Thanks for the reminder. I should regenerate a PGP key. I used to use one all the time, but got out of the habit.
I uploaded your signed key to a public keyserver.
Eric,
If you’re interested, I can get you an invite to Keybase which is kind of like an enhanced idea of a keyserver. https://keybase.io is its URL. Actually, I’m going to put an invite link here. Other people, don’t be jerks and grab it. If someone got to it before you did Eric, drop me an email.
https://keybase.io/inv/e6a2240562
Hi Mike.
I consumed that invite and I am going to investigate the scope and usefulness of that site and its tech. Thanks.
Hi Eric,
I might have missed something or be posting this in the wrong place:
When I use your repo with slackpkg+ I’ve got a gpg error on the kde_frameworks repo (url http://bear.alienbase.nl/mirrors/alien-kde/current/testing/x86_64/kde/frameworks/CHECKSUMS.md5)
Is there something I can do on my side?
Regards
Do not use the /current/testing/ repository please. It is not up to date. Use the /current/latest/ or the /14/2/latest/ repository, those are being maintained.
I knew I had to pay more attention: I now remember reading something about it…
Thank you and sorry for the noise!
I’m not sure if this is related to your changing to a new key, but I keep getting gpg errors when trying to install, with slackpkg:
libktorrent-2.0.1-x86_64-1alien.txz
from:
https://bear.alienbase.nl/mirrors/alien-kde/current/latest/x86_64/kde/applications-extra/libktorrent-2.0.1-x86_64-1alien.txz
I ran “slackpkg update gpg,” but it’s using your old key.
Geremia, the GPG signature for that package _is_ bad. I just verified. I need to re-create that one.
And by the way, I am still using the old GPG key for my package repositories.
I still get an MD5SUM error with libktorrent-2.0.1-x86_64-1alien.txz:
==============================================================================
WARNING! One or more errors occurred while slackpkg was running
——————————————————————————
libktorrent-2.0.1-x86_64-1alien.txz.asc: md5sum
libktorrent-2.0.1-x86_64-1alien.txz.asc: md5sum
Yeah I did not generate the MD5SUMS file again after fixing the .asc file.
Live with it for now. You know it is still the correct file despite the error. Next month with the new ktown update, this issue will be gone.
Hello Eric,
I just downloaded calibre from your builds repository.
The package is signed with the old key A75CBDA0. Is it OK?
(Thanks a lot for your work).
All the packages in my SlackBuild repositories are still being signed with the old key. The ktown repository is signed with the new key.