multiple signing keys

Marco Colombo
Mon Aug 20 11:25:01 2001

I need a little suggestion, I've read the FAQ but wasn't able to figure
out an answer.

Last year I created a key pair, with the only purpose of signing the RPMs
I make. I don't use it for e-mail, or other applications. At that time
I decided to have the key expire in 2 years.

Now, I want to create a second key, and start signing new RPMs with that.
I'd like to know what is the best way to do that. I can think (being
a really naive user of GnuPG) of two ways:

- create a completely new key pair, and just stop using the old one;
- create a new signing subkey, and start using it.

My needs:
- I want the signature of an RPM to expire - the only way I'm aware of
  is to have the signing key expire;
- thus, once a year, I have to generate a new signing key;
- I want the RPMs to be signed (mostly) for the sake of an auto-upgrade
  program, which is able to validate a signed package (rpm has direct
  support for gpg signatures, all you need is to import the public key
  of the signing entity on the keyring of the rpm user);

The first approach (creating a new key pair every year) has the
disadvantage that I have to redistribute a new public key. While this is
still somewhat acceptable (I can even think of automating it by
creating an RPM which installs the new key on the target system, this
RPM being signed with the OLD key, of course), now that I'm less of a
dumb GnuPG user (well, I've read the FAQ, at least), I'm seeking a
better solution.

With the second approach, I should be able to create signing keys that
expire, but with no need to redistribute a new public key every year
since the master signing key won't expire.

So, I think I need to:
- modify the expire date of the master key (with --edit-key);
- create a subkey (DSA, I suppose);
- start signing RPMs with the new key.

I've made some tests, and now I've got a few questions:
a) I believe I need to re-export the public key, since the expiry date
   of the master key has changed. But I need to do this only once (now
   the expiry is set to never). Is it true?
b) what is the correct way to select the signing subkey?
   --default-key <keyid> or -u <keyid> ?
c) do I need to generate a new encryption subkey? (I guess not)
d) is it correct that I can just wait for the old keys to expire, and
   then just delete them from my keyring, with no need to revoke them?
   If I understand well, revoking a subkey will just add something to
   my pubkey saying 'this <keyid> is revoked', but if the key has expired
   it's completely useless. I can remove it from the target public keyring,
   but that's just cleaning up. Is there a way with gpg to remove expired
   keys from the keyring (or does it do that automagically)?

Do you have other suggestions?

[ Please Cc: me since I'm not subscribed ]

      ____/  ____/   /
     /      /       /			Marco Colombo
    ___/  ___  /   /		      Technical Manager
   /          /   /			 ESI s.r.l.
 _____/ _____/  _/
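The procedure sketched in the post (keep one long-lived master key, sign packages with short-lived signing subkeys, republish the public key when the master's expiry changes), as an added example that is not part of the original message and not code from the GnuPG or rpm projects. It assumes GnuPG 2.1.17 or later (the `--quick-generate-key`, `--quick-add-key` and `--quick-set-expire` commands did not exist in the GnuPG 1.0.x of 2001, which did this through the `--edit-key` menu), keys without a passphrase so the whole run is non-interactive, and a plain file standing in for the RPM, since `gpg --verify` reports the same thing `rpm --checksig` would: which subkey made the signature. The `"<fingerprint>!"` form given to `-u` is the GnuPG syntax for pinning one specific subkey; the sample colon listing, the temporary key names and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from GnuPG/rpm: rotate
# package-signing subkeys under one primary key with GnuPG 2.1.17+.
# Assumptions: gpg on PATH, unprotected keys, a plain file as the "RPM".

# g HOMEDIR ARGS...: run gpg non-interactively against one keyring directory.
g() { _h=$1; shift; gpg --batch --yes --homedir "$_h" \
      --pinentry-mode loopback --passphrase '' "$@"; }

# nth_fpr N: from a --with-colons listing on stdin print the N-th fingerprint
# (1 = primary, 2 = first subkey, ...). Field 10 of an "fpr" record holds it.
nth_fpr() { awk -F: -v n="$1" '$1 == "fpr" { if (++i == n) { print $10; exit } }'; }

# pub_expiry: field 7 (expiry as Unix time, empty = never) of the "pub" record.
pub_expiry() { awk -F: '$1 == "pub" { print $7; exit }'; }

# Constructed sample in the shape of `gpg --with-colons --list-keys`, with
# made-up ids, so the two parsers above can be exercised without gpg.
SAMPLE_LISTING='pub:u:256:22:0123456789ABCDEF:1577836800:1640995200::u:::cSC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:u::::1577836800::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:
sub:u:256:22:FEDCBA9876543210:1577836800:1609459200:::::s::::::23:
fpr:::::::::9999888877776666555544443333222211110000:'

# demo: returns 0 when every check passes, 3 when gpg is not installed.
demo() (
    set -eu
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found, demo skipped" >&2; exit 3; }
    work=$(mktemp -d)
    signer=$work/signer; client=$work/client
    trap 'for d in "$signer" "$client"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done; rm -rf "$work"' EXIT
    mkdir -m 700 "$signer" "$client"

    # 1. Certify-only primary key, expiring in 2 years as the poster's did.
    g "$signer" --quick-generate-key "Package Signer <signer@example.invalid>" ed25519 cert 2y
    primary=$(g "$signer" --with-colons --list-keys | nth_fpr 1)

    # 2. One-year signing subkey: the key that actually signs packages.
    g "$signer" --quick-add-key "$primary" ed25519 sign 1y
    sub1=$(g "$signer" --with-colons --list-keys | nth_fpr 2)

    # 3. Publish the public key once; the client imports it (rpm --import
    #    takes the same armored file).
    g "$signer" --armor --export "$primary" > "$work/pub.asc"
    g "$client" --import "$work/pub.asc"

    # 4. Sign the "package". The trailing "!" pins exactly this subkey; with
    #    a bare key id gpg would choose the newest signing-capable key itself.
    printf 'stand-in for an RPM payload\n' > "$work/pkg.rpm"
    g "$signer" -u "$sub1!" --detach-sign -o "$work/pkg.sig" "$work/pkg.rpm"

    # 5. Verify on the client and read which key made the signature: field 3
    #    of the VALIDSIG status line is the signing (sub)key fingerprint.
    used=$(g "$client" --status-fd 1 --verify "$work/pkg.sig" "$work/pkg.rpm" \
           | awk '$2 == "VALIDSIG" { print $3 }')
    [ "$used" = "$sub1" ] || { echo "signed by $used, expected $sub1" >&2; exit 1; }

    # 6. Drop the primary's expiry (0 = never). The signer's keyring changes at
    #    once, but the client keeps the old self-signature until the public key
    #    is exported and imported again: a changed expiry must be republished.
    g "$signer" --quick-set-expire "$primary" 0
    [ -z "$(g "$signer" --with-colons --list-keys | pub_expiry)" ]
    [ -n "$(g "$client" --with-colons --list-keys | pub_expiry)" ]
    g "$signer" --armor --export "$primary" > "$work/pub.asc"
    g "$client" --import "$work/pub.asc"
    [ -z "$(g "$client" --with-colons --list-keys | pub_expiry)" ]

    # 7. Next year's rotation: a second signing subkey under the same primary.
    #    Republishing the primary carries both subkeys, so signatures made with
    #    the old one keep verifying while new packages use the new one.
    g "$signer" --quick-add-key "$primary" ed25519 sign 1y
    sub2=$(g "$signer" --with-colons --list-keys | nth_fpr 3)
    g "$signer" --armor --export "$primary" > "$work/pub.asc"
    g "$client" --import "$work/pub.asc"
    g "$signer" -u "$sub2!" --detach-sign -o "$work/pkg2.sig" "$work/pkg.rpm"
    g "$client" --verify "$work/pkg2.sig" "$work/pkg.rpm"
    g "$client" --verify "$work/pkg.sig" "$work/pkg.rpm"
    echo "primary=$primary signing-subkeys=$sub1,$sub2"
)

demo
```

Run it as `sh rotate-subkeys.sh`; it builds both keyrings under a temporary directory and removes them on exit. On the rpm side the only differences are that the client runs `rpm --import pub.asc` instead of `gpg --import`, and the builder puts the key selector into the `%_gpg_name` macro, which rpm's default `%__gpg_sign_cmd` passes to gpg as `--local-user`, so the same `fingerprint!` form can go there. The expired-subkey question from the post is deliberately not simulated here: once a subkey's expiry passes, `gpg --verify` reports the signature as made by an expired key, and the client only needs the re-exported primary to learn about the replacement.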