@TheSherlockHomie
Created January 3, 2021 16:36
Updating expired GPG keys and backing them up 🔑🔐💻

Updating expired GPG keys and their backup 🔑🔐💻

I use a GPG key to sign my git commits.

An error like this one might be a sign of an expired GPG key.

error: gpg failed to sign the data
fatal: failed to write commit object

1. Check if you have an expired key

  • On your machine, open up the shell (git bash on Windows) and type
gpg --list-secret-keys --keyid-format LONG
  • This will list all your secret keys in the following format:
/home/TheSherlockHomie/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096/HJ6582DC8B78GTU 2020-12-09 [SC] [expires: 2025-05-01]
      15JHUG1D325F458624HF7521B3F5D82DC458H
uid                 [ultimate] TheSherlockHomie (Key to sign git commits) <[email protected]>
ssb   rsa4096/11HGTH5483DD0A 2020-12-09 [E] [expires: 2025-05-01]
  • If your keys are expired, you'll see expired instead of the expiration date.
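
As an added example (not part of the original gist), the check in step 1 can be scripted against gpg's machine-readable `--with-colons` listing instead of reading the output by eye. The function names, the sample listing, and the key IDs and timestamps in it are constructed for illustration.

```shell
#!/bin/sh
# Flag expired or soon-to-expire keys from GnuPG's colon-delimited listing.
# Real use:
#   gpg --list-secret-keys --with-colons | key_expiry_report "$(date +%s)" 30
# Colon-format fields used: 1 = record type, 5 = key ID,
# 7 = expiration time in epoch seconds (empty when the key never expires).

# key_expiry_report NOW_EPOCH WARN_DAYS   (reads the listing on stdin)
key_expiry_report() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "sec" || $1 == "ssb" || $1 == "pub" || $1 == "sub" {
            if ($7 == "") { printf "%s %s no-expiry\n", $1, $5; next }
            left = int(($7 - now) / 86400)   # whole days remaining
            if ($7 <= now)        printf "%s %s EXPIRED\n", $1, $5
            else if (left < warn) printf "%s %s expires-in-%dd\n", $1, $5, left
            else                  printf "%s %s ok\n", $1, $5
        }'
}

# Constructed sample listing: a primary key that expired on 2021-01-01,
# one subkey expiring on 2021-01-22, and one subkey with no expiry.
sample_listing() {
    cat <<'EOF'
sec:e:4096:1:AAAAAAAAAAAAAAAA:1607472000:1609459200::u:::scESC:::+:::23::0:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAAA:
uid:e::::1607472000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1607472000:1611273600::::::e:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1607472000:::::::e:::+:::23:
EOF
}

# Demo with a fixed "now" of 2021-01-03 00:00:00 UTC and a 30-day warning window.
sample_listing | key_expiry_report 1609632000 30
```

The report is computed from the expiration timestamp rather than the validity letter in field 2, so keys that are about to expire are flagged before signing starts to fail.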

2. Renew the expired key

  • Now that you know for sure that your commit signing key has expired, let's renew the expiration date:
gpg --edit-key KEYID

// where KEYID is the ID of the key you want to renew. Here, it is HJ6582DC8B78GTU
  • Now, in the interactive gpg shell,
gpg> expire
  • When prompted, type 1y or however long you want the key to last.
  • Now renew all the subkeys too. Select each one:
gpg> key 1
gpg> key 2 // and so on, depending on the subkeys you have
  • A star will appear before all selected keys.
gpg> expire
  • Again, set the expiration time for your subkeys.

3. Set the trust level

  • Since the key has changed, we now need to trust it. Otherwise, we might get the warning "There is no assurance this key belongs to the named user".
gpg> trust
  • Set the trust level 5 (for ultimate) or whatever is the trust level of the key.

4. Save your work

gpg> save

5. Updating the expired key on GitHub

  • For the gpg key you updated, export its public key:
$ gpg --armor --export KEYID
# Prints the public key in ASCII armor format
  • Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----
  • Navigate to GitHub > Settings > SSH and GPG keys
  • Delete the expired key.
  • Add the new key that you copied.
  • "Your previous commits and tags will show as verified, as long as the key meets all other verification requirements." - Github

6. Backup your key and trust database

gpg --output backupkeys.pgp --armor --export-secret-keys --export-options export-backup [email protected]
  • This will create a file backupkeys.pgp in your current working directory. Make sure to store it safely.
  • If this key is important to you, you may want to print out the key on paper using paperkey, and store it in a fireproof/waterproof safe.
  • Now export the trust database
gpg --export-ownertrust > ownertrust-gpg.txt
  • This will create a file ownertrust-gpg.txt in your current working directory. Keep it along with your backup keys.

7. Importing the backed-up keys

  • You might have multiple machines where you need the key, or you might have a setup like me, where I use Ubuntu on WSL and Windows both for development.
  • Transfer the keys to your machine, open a shell (or Git Bash), and type:
gpg --import backupkeys.pgp
gpg --import-ownertrust ownertrust-gpg.txt
  • Now verify that you have the keys
gpg --list-secret-keys --keyid-format LONG
gpg --list-keys --keyid-format LONG
  • Which should show your secret and public keys respectively.
  • If you do not have the owner trust backup file, you'll need to manually set the trust level:
gpg --edit-key KEYID
gpg> trust
  • And set the trust level accordingly.

@chartgerink

@TheSherlockHomie - I only wanted to let you know that this is my guide every year I renew my keys. Thank you so much for this guide 🙏 I inevitably forget how to do this and I rely on your resource every time 😄