@ChristopherA
Last active September 4, 2021 12:21
Update GPG Key Expiration

This works, but I am working on a script to automate it.

Do this annually on April 15th.

Update the expiration from command line:

cd ~/.private
stow -D base
git fetch
git merge
gpg --edit-key FDFE14A54ECB30FC5D2274EFF8D36C91357405ED

Inside gpg:

list
         
sec  rsa4096/F8D36C91357405ED
     created: 2015-04-16  expires: 2020-04-15  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/383F66747DB589DB
     created: 2015-04-16  expires: 2020-04-15  usage: E   
[ultimate] (1). Christopher Allen <[email protected]>
[ultimate] (2). [jpeg image of size 9272]

gpg> expire
Changing expiration time for a primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 365
Key expires at Thu Apr 15 12:59:51 2021 PDT
Is this correct? (y/N) y

sec  rsa4096/F8D36C91357405ED
     created: 2015-04-16  expires: 2021-04-15  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/383F66747DB589DB
     created: 2015-04-16  expired: 2020-04-15  usage: E   
[ultimate] (1). Christopher Allen <[email protected]>
[ultimate] (2). [jpeg image of size 9272]

gpg: WARNING: Your encryption subkey expires soon.
gpg: You may want to change its expiration date too.

gpg> key 1
          
sec  rsa4096/F8D36C91357405ED
     created: 2015-04-16  expires: 2021-04-15  usage: SC  
     trust: ultimate      validity: ultimate
ssb* rsa4096/383F66747DB589DB
     created: 2015-04-16  expired: 2019-04-16  usage: E   
[ultimate] (1). Christopher Allen <[email protected]>
[ultimate] (2). [jpeg image of size 9272]

gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 363
Key expires at Thu Apr 15 12:59:51 2021 PDT
Is this correct? (y/N) y
                        
sec  rsa4096/F8D36C91357405ED
     created: 2015-04-16  expires: 2021-04-15  usage: SC  
     trust: ultimate      validity: ultimate
ssb* rsa4096/383F66747DB589DB
     created: 2015-04-16  expires: 2021-04-15  usage: E   
[ultimate] (1). Christopher Allen <[email protected]>
[ultimate] (2). [jpeg image of size 9272]

gpg> trust
sec  rsa4096/F8D36C91357405ED
     created: 2015-04-16  expires: 2021-04-15  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/383F66747DB589DB
     created: 2015-04-16  expires: 2021-04-15  usage: E   
[ultimate] (1). Christopher Allen <[email protected]>
[ultimate] (2). [jpeg image of size 9272]

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
                                                             
sec  rsa4096/F8D36C91357405ED
     created: 2015-04-16  expires: 2021-04-15  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/383F66747DB589DB
     created: 2015-04-16  expires: 2021-04-15  usage: E   
[ultimate] (1). Christopher Allen <[email protected]>
[ultimate] (2). [jpeg image of size 9272]

gpg> save
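
The same renewal done non-interactively, followed by a check that nothing was missed; this is an added example, not the author's script. It passes subkeys to `gpg --quick-set-expire` by fingerprint because the `*` form skips subkeys that have already expired, which is the state the transcript above shows. The helper names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample data is constructed.

# Fingerprints of non-revoked subkeys, read from `gpg --with-colons` output.
# Each "sub" record is followed by its own "fpr" record (fingerprint in field 10).
subkey_fprs() {
    awk -F: '$1 == "pub" { want = 0 }
             $1 == "sub" { want = ($2 != "r"); next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Print "TYPE KEYID STATUS" for each non-revoked pub/sub record that is expired
# or expires within DAYS of NOW (epoch seconds, default: current time).
# Field 7 is the expiry in epoch seconds; empty means the key never expires.
expiring_keys() {
    awk -F: -v days="$1" -v now="${2:-$(date +%s)}" '
        ($1 == "pub" || $1 == "sub") && $2 != "r" && $7 != "" && $7 - now < days * 86400 {
            print $1, $5, ($7 < now ? "expired" : "expires-soon")
        }'
}

# Set EXPIRE (e.g. 1y) on the primary key, then on every subkey by fingerprint.
# `--quick-set-expire FPR EXPIRE '*'` skips already-expired subkeys, so list them.
renew_expiry() {
    fpr=$1 expire=$2
    gpg --quick-set-expire "$fpr" "$expire" || return 1
    subs=$(gpg --with-colons --list-keys "$fpr" | subkey_fprs)
    # $subs is left unquoted on purpose: one argument per fingerprint.
    [ -z "$subs" ] || gpg --quick-set-expire "$fpr" "$expire" $subs
}

# Constructed listing (not a real key): primary renewed to 2021-04-15, encryption
# subkey still expired on 2020-04-15, as in the transcript after the first `expire`.
SUB_ID=2222222222222222
SUB_FPR=222222222222222222222222$SUB_ID
SAMPLE="pub:u:4096:1:1111111111111111:1429142400:1618444800::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1429142400::::Example User <user@example.invalid>:
sub:e:4096:1:$SUB_ID:1429142400:1586908800:::::e:
fpr:::::::::$SUB_FPR:"

# Check the sample as of 2020-04-16 (epoch 1586995200) with a 30-day window.
printf '%s\n' "$SAMPLE" | expiring_keys 30 1586995200
```

Against a real keyring, `renew_expiry FINGERPRINT 1y` followed by `gpg --with-colons --list-keys FINGERPRINT | expiring_keys 30` should print nothing.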

Export the keys from the command line and test them:

stow -R base
ssh-add -A
gpg -a --export FDFE14A54ECB30FC5D2274EFF8D36C91357405ED > ~/.gnupg/Christopher\ Allen\ \(357405ED\)\ –\ Public.asc
gpg -a --export-secret-keys FDFE14A54ECB30FC5D2274EFF8D36C91357405ED > ~/.gnupg/Christopher\ Allen\ \(357405ED\)\ –\ Secret.asc
gpgconf --kill gpg-agent
export GPG_TTY=$(tty)
echo "test" | gpg --clearsign

Backup private keys to private repository:

# I don't keep my pubring.kbx under git control, as it is different on each machine, but I save it here.
mv ~/.gnupg/pubring.kbx ./base/.gnupg
git add ./base/.gnupg/Christopher\ Allen\ \(357405ED\)\ –\ Public.asc
git add ./base/.gnupg/Christopher\ Allen\ \(357405ED\)\ –\ Secret.asc 
git add ./base/.gnupg/trustdb.gpg
git commit -S -m "Update GPG expiration date to 2021"

Send to keyservers:

gpg --keyserver pgp.mit.edu --send-keys FDFE14A54ECB30FC5D2274EFF8D36C91357405ED
gpg --keyserver keyserver.ubuntu.com --send-keys FDFE14A54ECB30FC5D2274EFF8D36C91357405ED

Update GitHub:

First, delete old key:

open https://github.com/settings/keys

Then copy the key and add it as a new key:

cat ~/.gnupg/Christopher\ Allen\ \(357405ED\)\ –\ Public.asc | pbcopy
open https://github.com/settings/gpg/new

Keybase

Keybase doesn't seem to care about expiration dates. If you run keybase pgp import --infile ~/.gnupg/secret.asc, it will see that the key is the same and will not update.
