Project:Gentoo-keys/Edit an existing OpenPGP key

From Gentoo Wiki
Jump to:navigation Jump to:search
The information in this article is representative of former times and has been archived. It can be used for reference, but is most likely not appropriate for current usage. Generally, archived articles should not be edited.

Can I use my existing OpenPGP key?

Note that these instructions are only valid if you have a DSA or RSA key with a primary key with bit length of 2048 bits or higher, if the primary key doesn't satisfy this criteria you need to generate a new OpenPGP key. You can check for this using:

user $gpg --list-key nick@gentoo.org

The key algorithm and length is shown on a line starting with "pub"

If the primary key reports wrong usage flags (other than Certify and possibly Sign or Auth capabilities. A key that reports primary key with encryption capabilities needs to be discarded)

How can I change the expiry of my key?

In order to change the expiry of your key you can use:

user $gpg --edit-key 0xDEADBEEF

followed by the "expire" command in the interactive view. The expiry should be 900 days or less for the primary key.

How can I add a signing subkey?

In order to add a signing subkey you can use:

user $gpg --edit-key 0xDEADBEEF

followed by the "addkey" command. Follow the interactive instructions on how to generate a signing subkey.

How can I add my gentoo nick as UserID (UID)?

In order to add a new UserID you can use:

user $gpg --edit-key 0xDEADBEEF

followed by the "adduid" command. Follow the interactive instructions on how to generate an additional UID.

Submitting a key to a keyserver

After updating your key you need to ensure it is accessible to others by uploading it to a well-maintained keyserver pool.

user $gpg --keyserver pool.sks-keyservers.net --send-key 0xDEADBEEF

Updating LDAP

The full fingerprint of the primary OpenPGP key needs to be recorded as an LDAP entry known as gpgfingerprint. To get your fingerprint you can use:

user $gpg --with-fingerprint --list-key 0xDEADBEEF

Which can be updated on woodpecker using:

user $/usr/local/bin/fix-fp.sh DEVNAME "NEW_FP#1" ["NEWFP#2" ...]

If you have added or removed a primary OpenPGP key to LDAP, you must also ask Infra to update Gitolite afterwards!