Secret Key replacement
David Shaw
dshaw at jabberwocky.com
Wed Sep 2 17:18:23 CEST 2009
On Sep 1, 2009, at 1:51 PM, Seidl, Scott wrote:
> We use gnupg in an automated mode within the organization to encrypt/
> decrypt documents exchanged between companies. The Key Pair we have
> is expiring soon and I am replacing it with a new key pair. This
> new key would be provided to the other companies before the other
> expires.
>
> I have a couple questions about the existing public keys we have
> imported to our key ring.
> 1 – it’s my belief that I have to sign/trust each of the keys with
> the new secret key, is that correct?
It depends. Many uses of GPG in an automated mode use "--trust-model
always" or "--always-trust", since there is no need for a web of trust
in their setup. If you are using one of those options, then there is
no need to sign anything. If you are not using one of those options,
you probably need to make some signatures.
> 2 – Is there any command to do a mass sign or must I do a gpg -u
> XXXXXXX --edit-key YYYYYY for each key?
No mass sign ability, but you can do some shell magic like:
for i in KEYID1 KEYID2 KEYID3    # the key IDs to sign
do
    gpg -u XXXXXX --lsign-key "$i"
done
This assumes you don't have a passphrase on the key (otherwise you'd
have to type it multiple times as the shell loop ran), but no
passphrases is also a common setup for automated use.
David
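The loop sketched in the reply, worked up into a script that a practitioner could drop into the automated setup described in the thread. This is an added example, not code from the original message or from the GnuPG project. It assumes, as the message does, that the new signing key has no passphrase; it also assumes that `--batch --yes` is enough to suppress the "Really sign? (y/N)" prompt on the GnuPG version in use (GnuPG 2.1 and later additionally offer `--quick-lsign-key` for exactly this non-interactive case), and the `GPG` variable and the `lsign_one`/`mass_lsign` function names are this example's own.

```shell
#!/bin/sh
# mass-lsign.sh: locally sign (--lsign-key) every key ID given on the command
# line, or read from stdin one per line, with the new automation key.
# Added example: not code from the original message or from GnuPG itself.
#
# Assumptions (not stated on the page):
#   - the signing key has no passphrase, so nothing prompts for one;
#   - "--batch --yes" suppresses the "Really sign? (y/N)" prompt on the GnuPG
#     version in use (GnuPG 2.1+ also offers --quick-lsign-key for this);
#   - GPG, lsign_one and mass_lsign are names chosen for this example.
#
# Usage: GNUPGHOME=/path/to/keyring ./mass-lsign.sh SIGNER_FPR KEY_FPR [KEY_FPR...]
#        ./mass-lsign.sh SIGNER_FPR < keyids.txt

GPG=${GPG:-gpg}    # hypothetical override, mainly so a stub can be swapped in

# lsign_one SIGNER KEYID
# Prints one status line and returns 0 (signed), 1 (key not in the keyring)
# or 2 (gpg refused or failed).  Pass full fingerprints rather than 8-hex-digit
# short IDs so that a short-ID collision cannot make us certify the wrong key.
lsign_one() {
    _signer=$1
    _keyid=$2

    # Only certify keys that were deliberately imported beforehand.
    if ! "$GPG" --batch --no-tty --list-keys "$_keyid" >/dev/null 2>&1; then
        printf 'SKIP %s: not in keyring\n' "$_keyid"
        return 1
    fi

    if "$GPG" --batch --yes --no-tty -u "$_signer" --lsign-key "$_keyid" \
            >/dev/null 2>&1; then
        printf 'OK   %s\n' "$_keyid"
        return 0
    fi

    printf 'FAIL %s: gpg --lsign-key returned an error\n' "$_keyid"
    return 2
}

# mass_lsign SIGNER [KEYID...]
# Signs every key ID given; with none given, reads them from stdin (blank
# lines and lines starting with '#' are ignored).  Keeps going after a
# failure, prints a summary line, and returns 0 only if every key was signed.
mass_lsign() {
    signer=$1
    shift
    ok=0
    bad=0

    tally() {
        if lsign_one "$signer" "$1"; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
    }

    if [ "$#" -gt 0 ]; then
        for keyid in "$@"; do
            tally "$keyid"
        done
    else
        while IFS= read -r keyid; do
            case $keyid in ''|'#'*) continue ;; esac
            tally "$keyid"
        done
    fi

    printf 'signed %d, skipped or failed %d\n' "$ok" "$bad"
    [ "$bad" -eq 0 ]
}

# Run only when invoked as a script with arguments; sourcing just defines the functions.
if [ "$#" -gt 0 ]; then
    mass_lsign "$@"
fi
```

`--lsign-key` makes non-exportable (local) signatures, which is all this setup needs: the signatures exist only so that this keyring's trust calculation accepts the partner keys, and they never have to leave the machine. After the run, `gpg --check-sigs` on a few of the keys confirms the new certifications are present, and the summary line plus non-zero exit status let a cron job or deployment script notice a key that was never imported. If the automation already runs with `--trust-model always`, as the reply notes, none of this is needed.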
More information about the Gnupg-users mailing list