@basilesimon
Last active October 23, 2025 10:25
Using a subkey (Tigray)

GPG Signing Subkey Tutorial

Why Use a Subkey?

Problem: You need someone else to sign git commits with your key, but sharing your primary private key is dangerous.

Solution: Create a temporary signing subkey that can be:

  • Shared safely (primary key stays secure)
  • Revoked easily after use
  • Used independently for signing

Security: Even if the subkey is compromised, your primary key remains safe and can be used to revoke the subkey.


Prerequisites

  • GPG installed (gpg --version)
  • Access to Tigray Archive primary key: 55082AE8487FB65C
  • Key passphrase

Part 1: Create Signing Subkey (Key Holder)

Step 1: Edit the Key

gpg --edit-key 55082AE8487FB65C

You'll see:

gpg (GnuPG) 2.x.x; Copyright (C) ...
gpg: checking the trustdb
...
pub  rsa4096/55082AE8487FB65C
     created: 2025-10-15  expires: 2029-10-15  usage: SC
...
gpg>

Step 2: Add a New Subkey

At the gpg> prompt, type:

addkey

You'll be prompted for your passphrase, then see:

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection?

Choose 4 (RSA sign only)

Step 3: Configure Subkey

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)

Enter: 4096

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Enter: 3m (3 months - enough time for the task, short enough to limit exposure)

Confirm: y (yes)

Step 4: Save the Changes

gpg> save

This exits and saves the new subkey.

Step 5: Verify Subkey Creation

gpg --list-keys 55082AE8487FB65C

You should now see:

pub   rsa4096 2025-10-15 [SC] [expires: 2029-10-15]
      9945877FA0290DB20547B81C55082AE8487FB65C
uid           [ultimate] Tigray Archive <[email protected]>
sub   rsa4096 2025-10-15 [E] [expires: 2029-10-15]
sub   rsa4096 2025-10-20 [S] [expires: 2026-01-20]  <-- NEW SIGNING SUBKEY

Note the new [S] (signing only) subkey.


Part 2: Export Subkey to Basile

Step 6: Export the Signing Subkey

gpg --armor --export-secret-subkeys 55082AE8487FB65C! > tigray-signing-subkey.asc

Important: The ! after the key ID is crucial - it exports ALL subkeys but not the primary key.

Step 7: Secure Transfer

Options:

  • Share via secure messaging (Signal)

File to share: tigray-signing-subkey.asc
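
Before the transfer in Step 7, it is worth confirming what the exported file actually contains. The script below is an added example, not part of the original gist: it parses `gpg --list-packets` output and passes only when the primary secret key is a stub and at least one subkey carries secret material. The sample dumps are constructed, and `audit_packets`, `audit_export_file` and `SUBKEY_ID_PLACEHOLDER` are hypothetical names.

```sh
#!/bin/sh
# Added example, not from the original gist. Sample packet dumps below are
# constructed and abbreviated; SUBKEY_ID_PLACEHOLDER is not a real key ID.

# Classify secret-key packets in `gpg --list-packets` text read from stdin.
# A "gnu-dummy S2K" line marks a stub with no private material; a packet
# without one is counted as live (fail closed). Returns 0 only when the
# primary is a stub and at least one subkey carries secret material.
audit_packets() {
  awk '
    /^:secret key packet:/     { kind = "primary"; primary = "LIVE"; next }
    /^:secret sub key packet:/ { kind = "sub"; live++; next }
    /^:/                       { kind = ""; next }   # any other packet type
    /gnu-dummy S2K/ && kind == "primary" { primary = "stub" }
    /gnu-dummy S2K/ && kind == "sub"     { live--; stub++ }
    END {
      if (primary == "") primary = "missing"
      printf "primary=%s subkeys_live=%d subkeys_stub=%d\n", primary, live, stub
      exit !(primary == "stub" && live > 0)
    }'
}

# Run the audit on a real export file (needs gpg; not called here).
audit_export_file() { gpg --list-packets "$1" 2>/dev/null | audit_packets; }

SAMPLE_SUBKEYS_ONLY=$(cat <<'EOF'
:secret key packet:
    version 4, algo 1, created 1760486400, expires 0
    gnu-dummy S2K, algo: 0, simple checksum, hash: 0
    keyid: 55082AE8487FB65C
:user ID packet: "Tigray Archive"
:secret sub key packet:
    version 4, algo 1, created 1760918400, expires 0
    iter+salt S2K, algo: 7, SHA1 protection, hash: 2
    skey[2]: [v4 protected]
    keyid: SUBKEY_ID_PLACEHOLDER
EOF
)
# Same dump with the primary's stub marker swapped for real protection.
SAMPLE_FULL_KEY=$(printf '%s\n' "$SAMPLE_SUBKEYS_ONLY" |
  sed '3s/.*/    iter+salt S2K, algo: 7, SHA1 protection, hash: 2/')

printf '%s\n' "$SAMPLE_SUBKEYS_ONLY" | audit_packets || echo "do not share"
printf '%s\n' "$SAMPLE_FULL_KEY" | audit_packets || echo "do not share"
```

On the real file, run `audit_export_file tigray-signing-subkey.asc` before sending it. A `subkeys_live` count above 1 means the file holds secret material for more than the signing subkey.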
