@neoeinstein
Created January 4, 2018 23:40
PGP Key Transition

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Date: January 4, 2018

For a number of reasons, I, Marcus Griep, have recently set up a new OpenPGP key, and will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition.

This message was signed with both keys to attest to the change.

The old key was:

pub   1024D/675626E1070E3F2D 2009-05-24
      Key fingerprint = 2993 2378 1337 97F3 10D8  6BF8 6756 26E1 070E 3F2D

And the new key is:

pub   4096R/B811E1EB9ECF1476 2018-01-04
      Key fingerprint = 75DC AA9A 3686 D008 7D49  940C B811 E1EB 9ECF 1476

To fetch the full key from a public key server, you can simply do:

gpg --keyserver keys.riseup.net --recv-key '75DCAA9A3686D0087D49940CB811E1EB9ECF1476'

If you already know my old key, you can now verify that the new key is signed by the old one:

gpg --check-sigs '75DCAA9A3686D0087D49940CB811E1EB9ECF1476'

If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

gpg --fingerprint '75DCAA9A3686D0087D49940CB811E1EB9ECF1476'

If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key. You can do that by issuing the following command:

NOTE: if you have previously signed my key but did a local-only signature (lsign), you will not want to issue the following; instead, you will want to use --lsign-key and not send the signatures to the keyserver.

gpg --sign-key '75DCAA9A3686D0087D49940CB811E1EB9ECF1476'

I'd like to receive your signatures on my key. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):

gpg --export '75DCAA9A3686D0087D49940CB811E1EB9ECF1476' | gpg --encrypt -r '75DCAA9A3686D0087D49940CB811E1EB9ECF1476' --armor | mail -s 'OpenPGP Signatures' 'marcus@griep.us'

Additionally, I highly recommend that you implement a mechanism to keep your key material up-to-date so that you obtain the latest revocations, and other updates in a timely manner. You can do regular key updates by using parcimonie to refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring from a keyserver over Tor. It uses a randomized sleep, and fresh Tor circuits for each key. The purpose is to make it hard for an attacker to correlate the key updates with your keyring.

I also highly recommend checking out:

https://riseup.net/openpgp/best-practices

Please let me know if you have any questions, or problems, and sorry for the inconvenience.

Marcus Griep

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
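
The two checks the statement describes (compare the fingerprint, confirm a signature from the old key) can be scripted against gpg's colon-delimited output. This is an added example, not part of the signed statement: the function names and the sample listing are constructed for illustration, and only the new fingerprint and old key ID are taken from the statement.

```shell
#!/bin/sh
# Added example; the two values below are the ones given in the statement.
NEW_FPR='75DC AA9A 3686 D008 7D49  940C B811 E1EB 9ECF 1476'
OLD_KEYID='675626E1070E3F2D'

# Strip spaces and uppercase, so a human-formatted fingerprint compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Reads a `gpg --with-colons` key listing on stdin.
# Succeeds only if the primary key's fingerprint equals $1 and a
# certification (class 10-13) by key ID $2 verified as good ("!" in field 2).
check_transition() {
    awk -F: -v want="$(normalize_fpr "$1")" -v old="$2" '
        $1 == "pub" { primary = 1 }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary && !seen { seen = 1; fpr_ok = ($10 == want) }
        $1 == "sig" && $2 == "!" && $5 == old && $11 ~ /^1[0-3]/ { sig_ok = 1 }
        END { exit !(fpr_ok && sig_ok) }
    '
}

# Constructed sample listing (timestamps, UIDs and the subkey are made up).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:B811E1EB9ECF1476:1515109000:::-:::scESC:
fpr:::::::::75DCAA9A3686D0087D49940CB811E1EB9ECF1476:
uid:-::::1515109000::::Constructed UID <user@example.invalid>:
sig:!::1:B811E1EB9ECF1476:1515109000::::Constructed UID <user@example.invalid>:13x:
sig:!::17:675626E1070E3F2D:1515109100::::[constructed old-key UID]:10x:
sub:-:4096:1:89ABCDEF01234567:1515109000::::::e:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sig:!::1:B811E1EB9ECF1476:1515109000::::Constructed UID <user@example.invalid>:18x:
EOF
}

# Real use (the old key must already be in your keyring to verify its signature):
#   gpg --with-colons --with-fingerprint --check-sigs "$(normalize_fpr "$NEW_FPR")" \
#       | check_transition "$NEW_FPR" "$OLD_KEYID"
if sample_listing | check_transition "$NEW_FPR" "$OLD_KEYID"; then
    echo 'new key matches and carries a good signature from the old key'
fi
```

A signature record marked `-` (bad), `?` (signing key missing) or `%` (error) in field 2 does not satisfy the check, so an unverifiable signature from the old key ID is rejected.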
