<!doctype html>
<html class="no-js" lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>How to transition to a new PGP key - Apache Infrastructure Website</title>
<link href="/css/bootstrap.min.css" rel="stylesheet">
<link href="/css/fontawesome.all.min.css" rel="stylesheet">
<link href="/css/headerlink.css" rel="stylesheet">
<script src="/highlight/highlight.min.js"></script> </head>
<body class="d-flex flex-column h-100">
<main class="flex-shrink-0">
<div>
<!-- nav bar -->
<nav class="navbar navbar-expand-lg navbar-dark bg-dark" aria-label="Fifth navbar example">
<div class="container-fluid">
<a class="navbar-brand" href="/"><img src="/images/feather.png" style="height: 32px;"/> Apache Infrastructure</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarADP" aria-controls="navbarADP" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarADP">
<ul class="navbar-nav me-auto mb-2 mb-lg-0">
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">About</a>
<ul class="dropdown-menu">
<li><a class="dropdown-item" href="/team.html">About the team</a></li>
<li><a class="dropdown-item" href="/roundtable.html">The Infrastructure Roundtable</a></li>
<li><a class="dropdown-item" href="/blog/">The Infrastructure Blog</a></li>
</ul>
</li>
<li class="nav-item">
<a class="nav-link" href="/policies.html">Policies</a>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">Services and Tools</a>
<ul class="dropdown-menu">
<li><a class="dropdown-item" href="/services.html">Services and Tools</a></li>
<li><a class="dropdown-item" href="/machines.html">Machines and Fingerprints</a></li>
<li><a class="dropdown-item" href="https://blocky.apache.org/">Blocky</a></li>
<li><a class="dropdown-item" href="https://app.datadoghq.com/account/login?next=%2Finfrastructure">DataDog</a></li>
<li><a class="dropdown-item" href="https://whimsy.apache.org/roster/committer/" target="_blank">Committer Search</a></li>
</ul>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">Documentation</a>
<ul class="dropdown-menu">
<li><a class="dropdown-item" href="/doc.html">Contribute</a></li>
<li><a class="dropdown-item" href="/infra-volunteer.html">Volunteer with Infra</a></li>
<li><a class="dropdown-item" href="/how-to-mirror.html">Become an ASF download mirror</a></li>
<li><a class="dropdown-item" href="/hosting-external-agent.html">Host a Jenkins or Buildbot agent</a></li>
</ul>
</li>
<li class="nav-item">
<a class="nav-link" href="/stats.html">Status</a>
</li>
<li class="nav-item">
<a class="nav-link" href="/contact.html">Contact Us</a>
</li>
</ul>
</div>
</div>
</nav>
<!-- page contents -->
<div id="contents">
<div class="bg-white p-5 rounded">
<div class="col-sm-8 mx-auto">
<h1>
How to transition to a new PGP key
</h1>
<h2 id="status">Introduction<a class="headerlink" href="#status" title="Permanent link">&para;</a></h2>
<p>This document is for project <strong>committers</strong> who wish to change the PGP key they use at Apache (for example to sign releases). It explains how to create a new PGP key and break it in, gradually having it replace the old key.</p>
<h2>Contents</h2>
<ul>
<li><a href="#important">Important note</a></li>
<li><a href="#motivation">Why replace a key?</a></li>
<li><a href="#single-keyring">Using a single keyring for two keys</a></li>
<li><a href="#transition-export">Exporting both new and old keys</a></li>
<li><a href="#transition-fingerprints">Fingerprinting new and old keys</a></li>
</ul>
<h2 id="important">Important note<a class="headerlink" href="#important" title="Permanent link">&para;</a></h2>
<p>If your key has been compromised, you <strong>must not</strong> use a transition period as described below. Revoke the compromised key immediately and create a new one. Consider all <a href="/release-signing.html#web-of-trust" target="_blank">web of trust</a> links signed by the old key as suspect. You must establish a completely new set of links.</p>
<h2 id="motivation">Why replace a key?<a class="headerlink" href="#motivation" title="Permanent link">&para;</a></h2>
<p>When replacing one uncompromised key with a newer (typically longer) one, a transition period during which both keys are trustworthy and participate in the <a href="/release-signing.html#web-of-trust" target="_blank">web of trust</a> lets <em>trust transitivity</em> extend the existing links to the old key to signatures and links created by the new key. During a transition, both keys are trustworthy, but you use only the newer one to sign documents and certify links in the web of trust.</p>
<p>This document describes how to use <a href="openpgp.html">GnuPG</a> to create a new key and manage both keys during this transition period.</p>
<h2 id="single-keyring">Using a single keyring for two keys<a class="headerlink" href="#single-keyring" title="Permanent link">&para;</a></h2>
<p>It is best to use a single keyring containing both keys.</p>
<h3 id="generate-new-key">Generate a new key<a class="headerlink" href="#generate-new-key" title="Permanent link">&para;</a></h3>
<p>Generate the new key either:</p>
<ul>
<li>directly in the keyring containing the old key</li>
<li>in a new keyring, and then transfer the new key to the keyring containing the old key</li>
</ul>
<p>To generate a strong <a href="release-signing.html#rsa">RSA key</a> follow <a href="openpgp.html#generate-key">these instructions</a>. If you use a separate keyring, follow <a href="openpgp.html#secret-key-transfer">these instructions</a> to transfer it.</p>
<p>Both new and old keys should now be contained in the same keyring. Verify this by:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>gpg<span class="w"> </span>--list-secret-keys<span class="w"> </span>
alice/secring.gpg
sec<span class="w"> </span>1024D/AD741727<span class="w"> </span><span class="m">2009</span>-08-20
uid<span class="w"> </span>Alice<span class="w"> </span>Example<span class="w"> </span><span class="o">(</span>EXAMPLE<span class="w"> </span>OF<span class="w"> </span>OLD<span class="w"> </span>KEY<span class="o">)</span><span class="w"> </span>&lt;alice@example.org&gt;
ssb<span class="w"> </span>1024g/268883A9<span class="w"> </span><span class="m">2009</span>-08-20
sec<span class="w"> </span>4096R/E2B054B8<span class="w"> </span><span class="m">2009</span>-08-20
uid<span class="w"> </span>Alice<span class="w"> </span>Example<span class="w"> </span><span class="o">(</span>EXAMPLE<span class="w"> </span>NEW<span class="w"> </span>KEY<span class="o">)</span><span class="w"> </span>&lt;alice@example.org&gt;
ssb<span class="w"> </span>4096R/4A6D5217<span class="w"> </span><span class="m">2009</span>-08-20
</code></pre></div>
<p>Both new and old keys should be listed.</p>
<h3 id="open-interaction-edit">Open interactive edit mode<a class="headerlink" href="#open-interaction-edit" title="Permanent link">&para;</a></h3>
<p>You need to perform a number of operations on the new key. Though you can perform them individually, saving and closing after each one, it is more convenient to use <em>interactive edit</em> mode.</p>
<p>Start by opening an edit session on the new key, for example E2B054B8:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>gpg<span class="w"> </span>--edit-key<span class="w"> </span>E2B054B8
gpg<span class="w"> </span><span class="o">(</span>GnuPG<span class="o">)</span><span class="w"> </span><span class="m">1</span>.4.9<span class="p">;</span><span class="w"> </span>Copyright<span class="w"> </span><span class="o">(</span>C<span class="o">)</span><span class="w"> </span><span class="m">2008</span><span class="w"> </span>Free<span class="w"> </span>Software<span class="w"> </span>Foundation,<span class="w"> </span>Inc.
This<span class="w"> </span>is<span class="w"> </span>free<span class="w"> </span>software:<span class="w"> </span>you<span class="w"> </span>are<span class="w"> </span>free<span class="w"> </span>to<span class="w"> </span>change<span class="w"> </span>and<span class="w"> </span>redistribute<span class="w"> </span>it.
There<span class="w"> </span>is<span class="w"> </span>NO<span class="w"> </span>WARRANTY,<span class="w"> </span>to<span class="w"> </span>the<span class="w"> </span>extent<span class="w"> </span>permitted<span class="w"> </span>by<span class="w"> </span>law.
Secret<span class="w"> </span>key<span class="w"> </span>is<span class="w"> </span>available.
pub<span class="w"> </span>4096R/E2B054B8<span class="w"> </span>created:<span class="w"> </span><span class="m">2009</span>-08-20<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>SC
<span class="w"> </span>trust:<span class="w"> </span>unknown<span class="w"> </span>validity:<span class="w"> </span>unknown
sub<span class="w"> </span>4096R/4A6D5217<span class="w"> </span>created:<span class="w"> </span><span class="m">2009</span>-08-20<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E<span class="w"> </span>
<span class="o">[</span><span class="w"> </span>unknown<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>Alice<span class="w"> </span>Example<span class="w"> </span><span class="o">(</span>EXAMPLE<span class="w"> </span>NEW<span class="w"> </span>KEY<span class="o">)</span><span class="w"> </span>&lt;alice@example.org&gt;
Command&gt;<span class="w"> </span>
</code></pre></div>
<h3 id="trust-new-key">Trust the new key<a class="headerlink" href="#trust-new-key" title="Permanent link">&para;</a></h3>
<p>The new key needs to be marked as ultimately trusted in this keyring. This will ensure that the <a href="release-signing.html#web-of-trust" target="_blank">web of trust</a> links signed by this key will be trusted automatically.</p>
<div class="highlight"><pre><span></span><code><span class="n">Command</span><span class="o">&gt;</span><span class="w"> </span><span class="n">trust</span>
<span class="n">pub</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="n">E2B054B8</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="n">never</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">SC</span>
<span class="w"> </span><span class="nl">trust</span><span class="p">:</span><span class="w"> </span><span class="k">unknown</span><span class="w"> </span><span class="nl">validity</span><span class="p">:</span><span class="w"> </span><span class="k">unknown</span>
<span class="n">sub</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="mi">4</span><span class="n">A6D5217</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="n">never</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">E</span><span class="w"> </span>
<span class="o">[</span><span class="n"> unknown</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="w"> </span><span class="n">Alice</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">NEW</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="n">Please</span><span class="w"> </span><span class="n">decide</span><span class="w"> </span><span class="n">how</span><span class="w"> </span><span class="n">far</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">trust</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="k">user</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">correctly</span><span class="w"> </span><span class="n">verify</span><span class="w"> </span><span class="n">other</span><span class="w"> </span><span class="n">users</span><span class="s1">&#39; keys</span>
<span class="s1">(by looking at passports, checking fingerprints from different sources, etc.)</span>
<span class="s1">1 = I don&#39;</span><span class="n">t</span><span class="w"> </span><span class="n">know</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="n">won</span><span class="err">&#39;</span><span class="n">t</span><span class="w"> </span><span class="n">say</span>
<span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">do</span><span class="w"> </span><span class="ow">NOT</span><span class="w"> </span><span class="n">trust</span>
<span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">trust</span><span class="w"> </span><span class="n">marginally</span>
<span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">trust</span><span class="w"> </span><span class="n">fully</span>
<span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">trust</span><span class="w"> </span><span class="n">ultimately</span>
<span class="w"> </span><span class="n">m</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">back</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">main</span><span class="w"> </span><span class="n">menu</span>
<span class="n">Your</span><span class="w"> </span><span class="n">decision</span><span class="vm">?</span><span class="w"> </span><span class="mi">5</span>
<span class="n">Do</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">really</span><span class="w"> </span><span class="n">want</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">ultimate</span><span class="w"> </span><span class="n">trust</span><span class="vm">?</span><span class="w"> </span><span class="p">(</span><span class="n">y</span><span class="o">/</span><span class="n">N</span><span class="p">)</span><span class="w"> </span><span class="n">y</span>
<span class="n">pub</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="n">E2B054B8</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="n">never</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">SC</span>
<span class="w"> </span><span class="nl">trust</span><span class="p">:</span><span class="w"> </span><span class="n">ultimate</span><span class="w"> </span><span class="nl">validity</span><span class="p">:</span><span class="w"> </span><span class="k">unknown</span>
<span class="n">sub</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="mi">4</span><span class="n">A6D5217</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="n">never</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">E</span>
<span class="o">[</span><span class="n"> unknown</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="w"> </span><span class="n">Alice</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">NEW</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="n">Please</span><span class="w"> </span><span class="n">note</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">shown</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="n">validity</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">necessarily</span><span class="w"> </span><span class="n">correct</span>
<span class="n">unless</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">restart</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">program</span><span class="p">.</span>
</code></pre></div>
<h3 id="sign-new-key">Use the old key to sign the new key<a class="headerlink" href="#sign-new-key" title="Permanent link">&para;</a></h3>
<p>Use the old key (AD741727, say) to sign the new key:</p>
<div class="highlight"><pre><span></span><code><span class="n">Command</span><span class="o">&gt;</span><span class="w"> </span><span class="nf">sign</span><span class="w"> </span><span class="n">AD741727</span>
<span class="n">pub</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="n">E2B054B8</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="n">never</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">SC</span>
<span class="w"> </span><span class="nl">trust</span><span class="p">:</span><span class="w"> </span><span class="n">ultimate</span><span class="w"> </span><span class="nl">validity</span><span class="p">:</span><span class="w"> </span><span class="n">ultimate</span>
<span class="k">Primary</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="nl">fingerprint</span><span class="p">:</span><span class="w"> </span><span class="n">FF96</span><span class="w"> </span><span class="mi">6261</span><span class="w"> </span><span class="n">C995</span><span class="w"> </span><span class="mi">1</span><span class="n">DDE</span><span class="w"> </span><span class="n">BF34</span><span class="w"> </span><span class="mi">5150</span><span class="w"> </span><span class="n">D5D2</span><span class="w"> </span><span class="n">BDB5</span><span class="w"> </span><span class="n">E2B0</span><span class="w"> </span><span class="mi">54</span><span class="n">B8</span>
<span class="w"> </span>Alice Example (EXAMPLE NEW KEY) &lt;alice@example.org&gt;
<span class="k">Are</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">sure</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">want</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="nf">sign</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">your</span>
<span class="k">key</span><span class="w"> </span><span class="ss">&quot;Alice Example (EXAMPLE OF OLD KEY) &lt;alice@example.org&gt;&quot;</span>
<span class="p">(</span><span class="n">AD741727</span><span class="p">)</span>
<span class="n">Really</span><span class="w"> </span><span class="nf">sign</span><span class="vm">?</span><span class="w"> </span><span class="p">(</span><span class="n">y</span><span class="o">/</span><span class="n">N</span><span class="p">)</span><span class="w"> </span><span class="n">y</span>
<span class="n">You</span><span class="w"> </span><span class="n">need</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">passphrase</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">unlock</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">secret</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="k">for</span>
<span class="k">user</span><span class="err">:</span><span class="w"> </span><span class="ss">&quot;Alice Example (EXAMPLE OF OLD KEY) &lt;alice@example.org&gt;&quot;</span>
<span class="mi">1024</span><span class="o">-</span><span class="nc">bit</span><span class="w"> </span><span class="n">DSA</span><span class="w"> </span><span class="k">key</span><span class="p">,</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="n">AD741727</span><span class="p">,</span><span class="w"> </span><span class="n">created</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
</code></pre></div>
<h3 id="check-sha">Check preferences<a class="headerlink" href="#check-sha" title="Permanent link">&para;</a></h3>
<p>Make sure you are <a href="openpgp.html#sha1">avoiding SHA-1</a> in the <a href="openpgp.html#key-prefs">key preferences</a> of both the new and old keys.</p>
<h3 id="finish-off">Complete the edit<a class="headerlink" href="#finish-off" title="Permanent link">&para;</a></h3>
<p>It is convenient to add secondary user ids for current email accounts at this point.</p>
<p>Then save your changes, which will exit you from edit mode:</p>
<div class="highlight"><pre><span></span><code>Command&gt; save
</code></pre></div>
<h3 id="sign-old-with-new">Whether to sign the old key with the new<a class="headerlink" href="#sign-old-with-new" title="Permanent link">&para;</a></h3>
<p>Arguments can be made for and against signing the old key with the new. The old key is less trustworthy now and will be revoked in future, so signing it with the new key may mislead those unaware of its potential weaknesses. However, without this signature, signers of the new key will not receive the transitive benefit of the links made from the old key. Anyone who chooses not to sign the old key with the new should make an effort to re-sign, with the new key, the links originally made by the old key.</p>
<h3 id="set-default-to-new">Set the default to the new key<a class="headerlink" href="#set-default-to-new" title="Permanent link">&para;</a></h3>
<p>Next, change the default key on the keyring to the new. This ensures that all future signatures use the new key. Though you could still use the old key for signing by explicitly specifying it, avoid this since the signatures will be weak.</p>
<p>To make the new key the default, set the <code>default-key</code> in the <code>gpg.conf</code> configuration file. For example, to set the default to <code>E2B054B8</code> add:</p>
<div class="highlight"><pre><span></span><code>default-key E2B054B8
</code></pre></div>
<p>This setting can be tested by creating a test signature:</p>
<div class="highlight"><pre><span></span><code>$ gpg --detach-sign --armor document
You need a passphrase to unlock the secret key for
user: "Alice Example (EXAMPLE NEW KEY) &lt;alice@example.org&gt;"
4096-bit RSA key, ID E2B054B8, created 2009-08-20
</code></pre></div>
<p>Verify from the output that the new key (here E2B054B8) is the one chosen by default.</p>
<h3 id="update-keys">Upload both keys<a class="headerlink" href="#update-keys" title="Permanent link">&para;</a></h3>
<p>Finish the process by uploading the new and old keys to the keyserver:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>gpg<span class="w"> </span>--send-keys<span class="w"> </span>E2B054B8<span class="w"> </span>AD741727
</code></pre></div>
<h3 id="backups">Create backups<a class="headerlink" href="#backups" title="Permanent link">&para;</a></h3>
<p>Follow <a href="openpgp.html#backup">these instructions</a>.</p>
<h3 id="revocation-certificates">Generate and store revocation certificates<a class="headerlink" href="#revocation-certificates" title="Permanent link">&para;</a></h3>
<p>Follow <a href="openpgp.html#revocation-certs">these instructions</a> to create and securely store <a href="release-signing.html#revocation-cert">generic revocation certificates</a> for the new key.</p>
<h3 id="update-documents">Update documents<a class="headerlink" href="#update-documents" title="Permanent link">&para;</a></h3>
<p>The final stage in the process is to update documents containing references to the old key so that they contain both the new and old keys. For Apache documents, follow <a href="openpgp.html#update">this checklist</a>. Use the instructions for a transition when there is a choice.</p>
<p>For other documents:</p>
<ul>
<li>Update those that contain an <a href="release-signing.html#export">export</a> with a <a href="#transition-export">dual export</a>.</li>
<li>Update those that contain a <a href="release-signing.html#fingerprint">fingerprint</a> with <a href="#transition-fingerprints">both fingerprints</a>.</li>
</ul>
<h3 id="wot">Web of trust<a class="headerlink" href="#wot" title="Permanent link">&para;</a></h3>
<p>Read this <a href="openpgp.html#wot">Guide to Apache use</a> of the <a href="release-signing.html#web-of-trust">web of trust</a> and make arrangements to include your new key at the earliest opportunity.</p>
<h2 id="transition-export">Exporting both new and old keys<a class="headerlink" href="#transition-export" title="Permanent link">&para;</a></h2>
<p>During the transition period, use a single export containing both new and old public keys whenever you need an export. </p>
<p>To create a suitable export, supply both key IDs on the command line. For example, to export keys AD741727 (old) and E2B054B8 (new) to FILENAME use:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>gpg<span class="w"> </span>--export<span class="w"> </span>--armor<span class="w"> </span>--output<span class="w"> </span>FILENAME<span class="w"> </span>AD741727<span class="w"> </span>E2B054B8
</code></pre></div>
<p>This exports only the public keys, and so isn't confidential. Replace the old public key with this dual export everywhere it was published.</p>
<h2 id="transition-fingerprints">Fingerprinting new and old keys<a class="headerlink" href="#transition-fingerprints" title="Permanent link">&para;</a></h2>
<p>During the transition, use both fingerprints. For example, to fingerprint old key <code>AD741727</code> and new key <code>E2B054B8</code>, use:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>gpg<span class="w"> </span>--fingerprint<span class="w"> </span>AD741727<span class="w"> </span>E2B054B8
pub<span class="w"> </span>1024D/AD741727<span class="w"> </span><span class="m">2009</span>-08-20
<span class="w"> </span>Key<span class="w"> </span><span class="nv">fingerprint</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>CD0C<span class="w"> </span><span class="m">5281</span><span class="w"> </span>D0A9<span class="w"> </span>E963<span class="w"> </span>19AF<span class="w"> </span>F365<span class="w"> </span>AD81<span class="w"> </span>612A<span class="w"> </span>AD74<span class="w"> </span><span class="m">1727</span>
uid<span class="w"> </span>Alice<span class="w"> </span>Example<span class="w"> </span><span class="o">(</span>EXAMPLE<span class="w"> </span>OF<span class="w"> </span>OLD<span class="w"> </span>KEY<span class="o">)</span><span class="w"> </span>&lt;alice@example.org&gt;
sub<span class="w"> </span>1024g/268883A9<span class="w"> </span><span class="m">2009</span>-08-20
pub<span class="w"> </span>4096R/E2B054B8<span class="w"> </span><span class="m">2009</span>-08-20
<span class="w"> </span>Key<span class="w"> </span><span class="nv">fingerprint</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>FF96<span class="w"> </span><span class="m">6261</span><span class="w"> </span>C995<span class="w"> </span>1DDE<span class="w"> </span>BF34<span class="w"> </span><span class="m">5150</span><span class="w"> </span>D5D2<span class="w"> </span>BDB5<span class="w"> </span>E2B0<span class="w"> </span>54B8
uid<span class="w"> </span>Alice<span class="w"> </span>Example<span class="w"> </span><span class="o">(</span>EXAMPLE<span class="w"> </span>NEW<span class="w"> </span>KEY<span class="o">)</span><span class="w"> </span>&lt;alice@example.org&gt;
sub<span class="w"> </span>4096R/4A6D5217<span class="w"> </span><span class="m">2009</span>-08-20
</code></pre></div>
<p>So the fingerprints are:</p>
<ul>
<li><code>CD0C 5281 D0A9 E963 19AF F365 AD81 612A AD74 1727</code> for <code>AD741727</code></li>
<li><code>FF96 6261 C995 1DDE BF34 5150 D5D2 BDB5 E2B0 54B8</code> for <code>E2B054B8</code></li>
</ul>
<p>For every fingerprint, the last 8 hex digits (the last two groups) are the short key ID.</p>
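<p>To make the relation between fingerprint, key ID and dual export concrete, here is an added Python example (not part of this page and not GnuPG code) that computes a version-4 OpenPGP fingerprint from a public-key packet, derives the short key ID from its last 8 hex digits, and checks that an armored dual export like the one produced in the previous section carries both the old and the new primary key. The RSA parameters and the export it builds are constructed toys, and the packet and armor handling follows RFC 4880 only as far as a public-key export needs.</p>

```python
import base64
import hashlib
import struct

# Constructed toy RSA parameters (NOT real keys; far too small to be secure). The derivation is size-independent.
OLD_KEY = {"n": 0xC0FFEE1234567891, "e": 65537, "created": 1250726400}
NEW_KEY = {"n": 0xDEADBEEFCAFEF00D1234, "e": 65537, "created": 1250726400}

def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA public-key packet: version 4, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def format_fingerprint(fpr: bytes) -> str:
    """Render as gpg --fingerprint does: ten groups of four hex digits."""
    return " ".join(fpr.hex().upper()[i:i + 4] for i in range(0, 40, 4))

def short_key_id(fpr: bytes) -> str:
    """The short key ID is the low 32 bits of the fingerprint, i.e. its last 8 hex digits."""
    return fpr[-4:].hex().upper()

def old_format_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a 1-byte (body < 256) or 2-byte length field."""
    ltype = 0 if len(body) < 256 else 1
    return bytes([0x80 | (tag << 2) | ltype]) + len(body).to_bytes(ltype + 1, "big") + body

def crc24(data: bytes) -> int:
    """Radix-64 checksum (RFC 4880 section 6.1); the empty string yields 0xB704CE."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """ASCII-armor packets as gpg --export --armor does (optional armor headers omitted)."""
    b64 = base64.b64encode(data).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n=%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % (lines, check)

def dearmor(text: str) -> bytes:
    """Strip the armor, decode the base64 body and verify the CRC-24 trailer."""
    lines = [ln.strip() for ln in text.splitlines()]
    start = lines.index("-----BEGIN PGP PUBLIC KEY BLOCK-----") + 1
    end = lines.index("-----END PGP PUBLIC KEY BLOCK-----")
    body = [ln for ln in lines[start:end] if ln and ":" not in ln]  # drop blank and "Version:" lines
    data = base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))
    trailer = [ln for ln in body if ln.startswith("=")]
    if trailer and int.from_bytes(base64.b64decode(trailer[0][1:]), "big") != crc24(data):
        raise ValueError("armor checksum mismatch")
    return data

def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format packet headers."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:  # new format: tag in the low 6 bits, then a 1- or 2-byte length
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            else:
                raise ValueError("5-byte and partial body lengths are not supported")
        else:  # old format: tag in bits 2-5, size of the length field in the low 2 bits
            tag, nbytes = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 0x03]
            if nbytes is None:
                raise ValueError("indeterminate packet length is not supported")
            length, i = int.from_bytes(data[i:i + nbytes], "big"), i + nbytes
        yield tag, data[i:i + length]
        i += length

def primary_fingerprints(armored: str) -> list:
    """Fingerprints of every primary public key (packet tag 6) in an armored export."""
    return [v4_fingerprint(body) for tag, body in iter_packets(dearmor(armored)) if tag == 6]

def check_dual_export(armored: str, old_id: str, new_id: str) -> bool:
    """True only if the export carries primary keys with BOTH short IDs, old and new."""
    found = {short_key_id(f) for f in primary_fingerprints(armored)}
    return {old_id.upper(), new_id.upper()} <= found

def build_dual_export() -> str:
    """Constructed dual export holding only the two toy primary-key packets (no uids, no sigs)."""
    return armor(b"".join(old_format_packet(6, public_key_body(**k)) for k in (OLD_KEY, NEW_KEY)))
```

Run against a real <code>gpg --export --armor</code> file, <code>check_dual_export</code> confirms that a published export still carries both keys; user-ID, signature and subkey packets in such a file are skipped because only tag-6 packets are fingerprinted.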
</div>
</div>
</div>
<!-- footer -->
<div class="row">
<div class="large-12 medium-12 columns">
<p style="font-style: italic; font-size: 0.8rem; text-align: center;">
Copyright 2024, <a href="https://www.apache.org/">The Apache Software Foundation</a>, Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
Apache&reg; and the Apache feather logo are trademarks of The Apache Software Foundation...
</p>
</div>
</div>
<script type="application/ecmascript" src="/js/bootstrap.bundle.min.js" integrity="sha384-OERcA2EqjJCMA+/3y+gxIOqMEjwtxJY7qPCqsdltbNJuaOe923+mo//f6V8Qbsw3"></script> </div>
</main>
<script>hljs.initHighlightingOnLoad();</script>
</body>
</html>