@ajgarlag
Last active May 31, 2018 09:05
gpg-key-transition-statements
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Thu May 31 10:26:33 CEST 2018
For a number of reasons, I've recently set up a new PGP key
and will be transitioning away from my old one.
The old key will continue to be valid for a short period after
the posting of this message, but future signatures will be
created from the new key. This message is signed by both keys
to certify the transition.
The old key was:
pub dsa1024 2010-02-05 [SC]
9C5C56E7F161591AE6C1EB76394FA7AF79DCD2BD
The new key is:
pub rsa4096 2018-05-29 [SC] [caduca: 2023-05-28]
5EEF7C8B89A7F5EFDD87AB8A5704DAC38ACA70F3
Note that the signing of this message may have been done by a SUBKEY of
that key, which may make the key id listed in the signature not match
the fingerprint listed here. You can verify it by checking the key listed
here for the subkey used in signing this message.
To fetch the new key from a public key server, you can use the following:
gpg --keyserver keys.gnupg.net --recv-key 8ACA70F3
If you already know my old key, you can verify that the new key has been
signed by the old one, so the trail of signatures can still be followed:
gpg --check-sigs 8ACA70F3
If you don't know my old key, or you want to be extra careful, you can
check the fingerprint against the one above:
gpg --fingerprint 8ACA70F3
You can verify the signatures on this message by downloading the plain
text file as linked and running:
gpg --verify [name of downloaded file]
If you are satisfied that you have the right key, that the UIDs match what
you expect, and you are certain of my identity, I would appreciate it if
you would sign my new key:
gpg --sign-key 8ACA70F3
And finally, if you have signed it, to upload the signatures:
gpg --keyserver keys.gnupg.net --send-key 8ACA70F3
Sorry for any inconvenience.
Regards,
Antonio J. García Lagar
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Thu May 31 10:26:33 CEST 2018
For a number of reasons, I've recently set up a new PGP key
and will be transitioning away from my old one.
The old key will continue to be valid for a short period after
the posting of this message, but future signatures will be
created from the new key. This message is signed by both keys
to certify the transition.
The old key was:
pub dsa1024 2010-02-06 [SC]
EF48C9D600C4C772694109667A65D79099E8470E
The new key is:
pub rsa4096 2018-05-29 [SC] [caduca: 2023-05-28]
5EEF7C8B89A7F5EFDD87AB8A5704DAC38ACA70F3
Note that the signing of this message may have been done by a SUBKEY of
that key, which may make the key id listed in the signature not match
the fingerprint listed here. You can verify it by checking the key listed
here for the subkey used in signing this message.
To fetch the new key from a public key server, you can use the following:
gpg --keyserver keys.gnupg.net --recv-key 8ACA70F3
If you already know my old key, you can verify that the new key has been
signed by the old one, so the trail of signatures can still be followed:
gpg --check-sigs 8ACA70F3
If you don't know my old key, or you want to be extra careful, you can
check the fingerprint against the one above:
gpg --fingerprint 8ACA70F3
You can verify the signatures on this message by downloading the plain
text file as linked and running:
gpg --verify [name of downloaded file]
If you are satisfied that you have the right key, that the UIDs match what
you expect, and you are certain of my identity, I would appreciate it if
you would sign my new key:
gpg --sign-key 8ACA70F3
And finally, if you have signed it, to upload the signatures:
gpg --keyserver keys.gnupg.net --send-key 8ACA70F3
Sorry for any inconvenience.
Regards,
Antonio J. García Lagar
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

gpg-key-transition-statements

Transition statements for migrating to new GPG keys from existing ones

What is this?

When migrating to new GPG keys, a chain of trust must be maintained from the old keys to the new ones.

The statements in this repository are signed with both the new and old keys and can be verified as being authentic by downloading them (or cloning the repository) and running:

gpg --verify [statement file]

Both the old and new GPG keys will remain in public keyservers indefinitely, though old keys will be revoked (and publicly displayed as such) shortly after their transitions are completed.

In some cases, the signature from the new keys may use a subkey of the new key, so the key ID shown in the signature may not match the key ID of the parent key. This is okay; you can validate this by looking up the parent key and finding the subkey contained in it.
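The following is an added example, not part of this gist, showing how to check a downloaded statement the way the README describes: it runs `gpg --verify` with `--status-fd`, reads the VALIDSIG lines, and confirms that both an old key and the new key signed. It compares full primary-key fingerprints (the last VALIDSIG field) rather than the 8-character short IDs used in the statements, which is what makes the subkey case above work. The sample status output is constructed; the fingerprints are the ones quoted in the statements.

```python
"""Check that a key-transition statement is validly signed by both the old
key and the new key, comparing full primary-key fingerprints."""
import subprocess

# Fingerprints quoted in the statements above: two old keys, one new key.
OLD_KEYS = {"9C5C56E7F161591AE6C1EB76394FA7AF79DCD2BD",
            "EF48C9D600C4C772694109667A65D79099E8470E"}
NEW_KEY = "5EEF7C8B89A7F5EFDD87AB8A5704DAC38ACA70F3"


def primary_fingerprints(status_output):
    """Primary-key fingerprints behind every VALIDSIG line.

    gpg --status-fd emits one VALIDSIG line per good signature: field 2 is
    the fingerprint of the key that signed (possibly a subkey), the last
    field is its primary key's fingerprint, which is what the statement
    lists, so that is what we compare.
    """
    primaries = set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            primaries.add(fields[-1].upper())
    return primaries


def transition_is_certified(status_output, old_keys=OLD_KEYS, new_key=NEW_KEY):
    """True only if the new key and at least one old key both signed."""
    signers = primary_fingerprints(status_output)
    return new_key in signers and bool(signers & old_keys)


def verify_file(path):
    """Run gpg on a downloaded statement and return its status-fd output."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample of the status lines for the first statement. The
# timestamps and the subkey fingerprint on the second line are made up;
# the primary-key fingerprints are those quoted in the statement.
SAMPLE_STATUS = """\
[GNUPG:] VALIDSIG 9C5C56E7F161591AE6C1EB76394FA7AF79DCD2BD 2018-05-31 1527755193 0 4 0 17 10 01 9C5C56E7F161591AE6C1EB76394FA7AF79DCD2BD
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-05-31 1527755193 0 4 0 1 10 01 5EEF7C8B89A7F5EFDD87AB8A5704DAC38ACA70F3
"""

if __name__ == "__main__":
    print(transition_is_certified(SAMPLE_STATUS))  # True
```

On a real file, pass `verify_file("statement.txt")` to `transition_is_certified`; the keys must already be in your keyring, as the README's `--recv-key` step describes.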

Key Migrations

Key migration statements contained in this repository:

  • 79DCD2BD (superseded 2018-05-31) => 8ACA70F3
  • 99E8470E (superseded 2018-05-31) => 8ACA70F3