multiple signing keys
Mon Aug 20 11:25:01 2001
I need a little suggestion, I've read the FAQ but wasn't able to figure
out an answer.
Last year I created a key pair, with the only purpose of signing the RPMs
I make. I don't use it for e-mail, or other applications. At that time
I dediced to have the key expire in 2 years.
Now, I want to create a second key, and start signing new RPMs with that.
I'd like to know what is the best way to do that. I can think (being
a really naive user of GnuPG) of two ways:
- create a completely new key pair, and just stop using the old one;
- create a new signing subkey, and start using it.
- I want the signature of a RPM to expire - the only way I'm aware of
is to have the signing key expire;
- thus, once a year, I have to generate a new signing key;
- I want the RPMs to be signed (mostly) for the sake of an auto-upgrade
program, which is able to validate a signed package (rpm had direct
support for gpg signature, all you need is to import the public key
of the signing entity on the keyring of the rpm user);
The first approach (creating a new key pair every year) has the
disadvantage I have to redistribute a new public key. While this is
still somewhat accettable (I can even think to automate it by
creating a RPM which installs the new key on the target system, this
RPMs being signed with the OLD key, of course), now that I'm less a
dumb GnuPG user (well, I've read the FAQ, at least), I'm seeking for
a better solution.
With the second approach, I should able to create signing keys that
espire, but with no need to redistribute a new public key every year
since the master signing key won't expire.
So, I think I need to:
- modify the expire date of the master key (with --edit-key);
- create a subkey (DSA, I suppose);
- start signing RPMs with the new key.
I've made some tests, and now I've got a few questions:
a) I believe I need to re-export the public key, since the expire date
of the master key is changed. But I need to do this only once (now
the expire is set to never). Is it true?
b) what it the correct way to select the signing subkey?
--default-key <keyid> or -u <keyid> ?
c) do I need to generate a new encryption subkey? (I guess not)
d) is it correct that I can just wait for the old keys to expire, and
then just delete them from my keyring, with no need to revoke them?
If I understand well, revoking a subkey will just add something to
my pubkey saying 'this <keyid> is revoked', but if the key has expired
it's completely useless. I can remove it from the target public keyring,
but that's just cleaning up. Is there a way with gpg to remove expired
keys from the keyring (or does it do that automagically)?
Do you have other suggestions?
[ Please Cc: me since I'm not subscribed ]
____/ ____/ /
/ / / Marco Colombo
___/ ___ / / Technical Manager
/ / / ESI s.r.l.
_____/ _____/ _/ Colombo@ESI.it