Subkeys renewing/expiring strategy

Ingo Klöcker kloecker at
Thu Jan 5 14:42:16 CET 2023

On Dienstag, 11. Oktober 2022 19:44:19 CET Ingo Klöcker wrote:
> I'm going to experiment with 1-year-validity of the signing subkeys of my
> commit signing key. Since I use this key exclusively for commit signing, I
> can simply replace it with a completely different key if I change my mind.

Update: After the signing subkey expired, I have added a new subkey and signed 
two commits with the new subkey. In GitLab, I had to remove the old copy of 
the key before adding the new copy. GitLab keeps the verification state if a 
key is removed, but I added the updated key including the expired subkey. That 
was a bad idea because GitLab invalidated all commits signed with the expired 

To fix this I decided to extend the life time of the expired subkey and forget 
about the new subkey. I uploaded an export of the updated key *without* the 
new subkey to GitLab. After a day or so, GitLab has again marked all my old 
signed commits as verified. And the two new commits are still marked as verified 
(as GitLab promised).

Conclusion: Rotating signing subkeys isn't the best idea because you have to 
take extra care when you update the keys in GitLab (and probably also in 
GitHub, etc.). Simply generating completely new (signing) keys is easier. Or 
you simply keep using your existing signing key (as I'm doing for now).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the Gnupg-users mailing list