Best practice for periodic key change?

Grant Olson kgo at
Thu May 5 19:30:46 CEST 2011

On 5/5/11 2:52 AM, Andreas Heinlein wrote:
> Hello,
> I hope you can give me some advice on the following problem:
> We have a OpenPGP key which we use for signing our software releases.
> That key should be changed yearly and carry an expiration date to
> enforce this change. However, for the signatures to be useful, the key
> has to be signed by quite a lot of well-known people and institutions,
> which means a considerable effort.
> If we just regenerate the whole key every year, we would have to get all
> these signatures again. I have a feeling that generating new subkeys
> might be a solution, but I have never worked with subkeys before, so I
> thought you could give me some advice what would be the best thing to do.
> Thanks,
> Andreas

Some organizations create a master signing key, which is (supposedly)
kept secure and usually off-line.  That's used to sign the release keys.
 Then users sign the master key and/or see if the master key trusts the
key used to sign the release.

Like all the solutions proposed here, I have no idea how usable this
strategy is for people who try to verify software packages, but only
have a limited understanding of OpenPGP's trust model.


"I am gravely disappointed. Again you have made me unleash my dogs of war."

More information about the Gnupg-users mailing list