Project:Infrastructure/Updating Expired Gentoo Keys

Gentoo uses OpenPGP keys for a number of services, most notably to provide authenticity verification for various downloads, including stages and the gentoo.git repository. Our OpenPGP keys have expiration dates set. This guarantees that even if we lose access to both the primary keys and their respective revocation certificates, the now-orphaned keys will not remain valid forever. However, this also means that our users need to periodically update the keys for them to remain valid.

How are the keys kept up-to-date?
There are currently two mechanisms employed to keep the syncing keys up-to-date:

 * 1) The key package is periodically bumped to deploy updated keys.
 * 2) Portage automatically pulls key updates from the Gentoo servers while syncing.

The first mechanism is more permanent, but it requires that the update is performed before the keys expire. The second mechanism works even when the installed keys have already expired, but it requires HTTPS access to gentoo.org and therefore may not work behind strict firewalls.

How to update the keys manually?
If the keys on the system have expired already and it is not possible to automatically update them via Portage, the recommended approach is to manually update the keys for the next sync, then upgrade the key package.

The keys can be updated using one of the following methods:

 * 1) The /usr/share/openpgp-keys/gentoo-release.asc file can be transferred from another, up-to-date Gentoo system. This assumes that an automated update was possible on the other system and that the file can be copied securely.
 * 2) An equivalent file can be downloaded from the Gentoo servers over HTTPS. Note that this approach uses a different security model:

Once the file is replaced, it should be possible to sync the Gentoo repository and update the key package:
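Before syncing, a practitioner will want to confirm that the replaced gentoo-release.asc actually carries keys that are not expired or about to expire. The following is an added example, not part of this wiki page: it parses the colon-separated listing that `gpg --show-keys --with-colons` prints; the sample listing, key ids and user ids are constructed placeholders (not Gentoo's real keys), and the `check_keyring` wrapper assumes gpg is on PATH.

```python
import subprocess
import time

# Constructed sample of `gpg --show-keys --with-colons` output with placeholder key ids
# (not Gentoo's real keys): one expired key, one valid key, one key with no expiry.
SAMPLE_COLONS = """\
pub:e:4096:1:0000000000000001:1500000000:1600000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:e::::1500000000::0000000000000000000000000000000000000000::Example Key (expired) <releng@example.invalid>::::::::::0:
pub:-:4096:1:0000000000000002:1500000000:1900000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000002:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Key (valid) <releng@example.invalid>::::::::::0:
pub:-:4096:1:0000000000000003:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Key (no expiry) <releng@example.invalid>::::::::::0:
"""

def key_status(colons_output, now, warn_days=30):
    """Classify each primary key as 'expired', 'expiring' (within warn_days) or 'ok'.

    Field 7 of a pub record is the expiration time in seconds since the epoch (empty
    means no expiry); the following fpr and uid records carry fingerprint and user id.
    Returns a list of (fingerprint, uid, state) tuples in listing order.
    """
    keys = []
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"fpr": "", "uid": "", "exp": int(f[6]) if f[6] else None})
        elif f[0] == "fpr" and keys and not keys[-1]["fpr"]:
            keys[-1]["fpr"] = f[9]
        elif f[0] == "uid" and keys and not keys[-1]["uid"]:
            keys[-1]["uid"] = f[9]
    out = []
    for k in keys:
        if k["exp"] is None or k["exp"] - now > warn_days * 86400:
            state = "ok"
        elif k["exp"] <= now:
            state = "expired"
        else:
            state = "expiring"
        out.append((k["fpr"], k["uid"], state))
    return out

def check_keyring(path="/usr/share/openpgp-keys/gentoo-release.asc"):
    """Run gpg on the installed keyring file and classify its keys (needs gpg on PATH)."""
    proc = subprocess.run(["gpg", "--batch", "--with-colons", "--with-fingerprint",
                           "--show-keys", path], capture_output=True, text=True, check=True)
    return key_status(proc.stdout, int(time.time()))

if __name__ == "__main__":
    for fpr, uid, state in key_status(SAMPLE_COLONS, now=1700000000):
        print(f"{state:8} {fpr} {uid}")
```

Any key reported as "expired" after the file has been replaced means the copied or downloaded file is itself stale and the sync will still fail verification.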