Secret Key replacement

David Shaw dshaw at
Wed Sep 2 17:18:23 CEST 2009

On Sep 1, 2009, at 1:51 PM, Seidl, Scott wrote:

> We use gnupg in an automated mode within the organization to encrypt/ 
> decrypt documents exchanged between companies.  The Key Pair we have  
> is expiring soon and I am replacing it with a new key pair.  This  
> new key would be provided to the other companies before the other  
> expires.
> I have a couple questions about the existing public keys we have  
> imported to our key ring.
> 1 – it’s my belief that I have to sign/trust each of the keys with  
> the new secret key, is that correct?

It depends.  Many uses of GPG in an automated mode use "--trust-model  
always" or "--always-trust", since there is no need for a web of trust  
in their setup.  If you are using one of those options, then there is  
no need to sign anything.  If you are not using one of those options,  
you probably need to make some signatures.

> 2 – Is there any command to do a mass sign or must I do a gpg -u
> XXXXXXX --edit-key YYYYYY for each key?

No mass sign ability, but you can do some shell magic like:

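# Replace KEYID1 KEYID2 KEYID3 with the key IDs to sign
for i in KEYID1 KEYID2 KEYID3; do
   # locally sign each key with the new secret key XXXXXX
   gpg -u XXXXXX --lsign-key "$i"
done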

This assumes you don't have a passphrase on the key (otherwise you'd  
have to type it multiple times as the shell loop ran), but no  
passphrases is also a common setup for automated use.
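
A fuller version of the loop above, as an added example that is not part of the original post: it takes the key list from the keyring itself, skips keys that are expired, revoked or already valid, and locally signs the rest. It assumes GnuPG 2.1 or later (for --quick-lsign-key) and a signing key without a passphrase; the function names and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GnuPG 2.1+ for --quick-lsign-key.
NEW_KEY="${NEW_KEY:-XXXXXX}"   # placeholder ID of the new secret key, as in the post

# Constructed sample of `gpg --list-keys --with-colons` output (fake keys).
sample_listing() {
cat <<'EOF'
pub:-:2048:1:AAAAAAAAAAAAAAA1:1230768000:::-:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::1230768000::::Partner One <one@example.invalid>:
sub:-:2048:1:AAAAAAAAAAAAAAA2:1230768000::::::e:
fpr:::::::::2222222222222222222222222222222222222222:
pub:e:2048:1:BBBBBBBBBBBBBBB1:1199145600:1230768000::-:::sc:
fpr:::::::::3333333333333333333333333333333333333333:
pub:u:2048:1:CCCCCCCCCCCCCCC1:1251763200:::u:::scESC:
fpr:::::::::4444444444444444444444444444444444444444:
pub:q:2048:1:DDDDDDDDDDDDDDD1:1230768000:::-:::scESC:
fpr:::::::::5555555555555555555555555555555555555555:
EOF
}

# Read a colon listing on stdin; print the primary-key fingerprint of every
# key that is usable but not yet valid. Field 2 of a pub record is validity:
# e=expired, r=revoked, i=invalid, d=disabled are skipped as unusable;
# f=full and u=ultimate (our own keys) are skipped as already valid.
keys_to_sign() {
  awk -F: '
    $1 == "pub" { want = ($2 !~ /^[eridfu]/); next }
    $1 == "sub" { want = 0; next }          # ignore subkey fingerprints
    $1 == "fpr" && want { print $10; want = 0 }
  '
}

# Locally sign each fingerprint read from stdin with NEW_KEY.
lsign_all() {
  while read -r fpr; do
    gpg --batch --local-user "$NEW_KEY" --quick-lsign-key "$fpr" </dev/null ||
      echo "lsign failed for $fpr" >&2
  done
}

case "${1:-}" in
  --dry-run) gpg --list-keys --with-colons | keys_to_sign ;;
  --sign)    gpg --list-keys --with-colons | keys_to_sign | lsign_all ;;
esac
```

Run it with --dry-run first and compare the printed fingerprints against what the partner companies supplied, since a local signature marks the key as valid for encryption.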

