Project:Gentoo-keys/Edit an existing OpenPGP key

From Gentoo Wiki
Jump to: navigation, search

Can I use my existing OpenPGP key?

Note that these instructions are only valid if you have a DSA or RSA key with a primary key with bit length of 2048 bits or higher, if the primary key doesn't satisfy this criteria you need to generate a new OpenPGP key. You can check for this using:

user $gpg --list-key nick@gentoo.org

The key algorithm and length is shown on a line starting with "pub"

If the primary key reports wrong usage flags (other than Certify and possibly Sign or Auth capabilities. A key that reports primary key with encryption capabilities needs to be discarded)

How can I change the expiry of my key?

In order to change the expiry of your key you can use:

user $gpg --edit-key 0xDEADBEEF

followed by the "expire" command in the interactive view. The expiry should be 3 years or less for the primary key.

How can I add a signing subkey?

In order to add a signing subkey you can use:

user $gpg --edit-key 0xDEADBEEF

followed by the "addkey" command. Follow the interactive instructions on how to generate a signing subkey.

How can I add my gentoo nick as UserID (UID)?

In order to add a new UserID you can use:

user $gpg --edit-key 0xDEADBEEF

followed by the "adduid" command. Follow the interactive instructions on how to generate an additional UID.

Submitting a key to a keyserver

After updating your key you need to ensure it is accessible to others by uploading it to a well-maintained keyserver pool.

user $gpg --keyserver pool.sks-keyservers.net --send-key 0xDEADBEEF

Updating LDAP

The full fingerprint of the primary OpenPGP key needs to be recorded as an LDAP entry known as gpgfingerprint. To get your fingerprint you can use:

user $gpg --with-fingerprint --list-key 0xDEADBEEF

Which can be updated on woodpecker using:

user $/usr/local/bin/fix-fp.sh DEVNAME "NEW_FP#1" ["NEWFP#2" ...]

If you have added or removed a primary OpenPGP key to LDAP, you must also ask Infra to update Gitolite afterwards!