Yves-Alexis Perez: Expiration extension on PGP subkeys
So, last year I switched to an OpenPGP smartcard setup for my
whole personal/Debian PGP usage. When doing so, I also switched
to subkeys, since it's pretty natural when using a smartcard. I
initially set up an expiration of one year for the subkeys, and
everything seems to be running just fine for now.
The expiration date was set to October 27th, and I thought it'd
be a good idea to renew them quite in advance, considering there's
my signing key in there, which is (for example) used to sign
packages. If the Debian archive considers my signature subkey
expired, that means I can't upload packages anymore, which is a bit
of a problem (although I think I could still upload packages signed
by the main key). dak (Debian Archive Kit, the software managing
the Debian archive) uses keys from the keyring provided by Debian
admins, which is usually updated every month or so from the
keyring.debian.org public key
server, so pushing the expiration date two months before the
due date seemed like a good idea.
I just did that, and it was pretty easy, actually. For those
who followed my
setup last year, here's how I did it:
First, I needed my main smartcard (the one storing the
main key), since it's the only one able to do operations on the
subkeys. So I plug it in, and then:
corsac@scapa: gpg --edit-key 71ef0ba8
gpg (GnuPG) 1.4.14; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/71EF0BA8  created: 2009-05-06  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  4096g/36E31BD8  created: 2009-05-06  expires: never       usage: E
sub  2048R/CC0E273D  created: 2012-10-17  expires: 2013-10-27  usage: A
sub  2048R/A675C0A5  created: 2012-10-27  expires: 2013-10-27  usage: S
sub  2048R/D98D0D9F  created: 2012-10-27  expires: 2013-10-27  usage: E
[ultimate] (1). Yves-Alexis Perez <corsac@corsac.net>
[ultimate] (2)  Yves-Alexis Perez (Debian) <corsac@debian.org>

gpg> key 2

pub  4096R/71EF0BA8  created: 2009-05-06  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  4096g/36E31BD8  created: 2009-05-06  expires: never       usage: E
sub* 2048R/CC0E273D  created: 2012-10-17  expires: 2013-10-27  usage: A
sub  2048R/A675C0A5  created: 2012-10-27  expires: 2013-10-27  usage: S
sub  2048R/D98D0D9F  created: 2012-10-27  expires: 2013-10-27  usage: E
[ultimate] (1). Yves-Alexis Perez <corsac@corsac.net>
[ultimate] (2)  Yves-Alexis Perez (Debian) <corsac@debian.org>

gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 429d
Key expires at mar. 28 oct. 2014 12:43:35 CET
Is this correct? (y/N) y

At that point, a pinentry dialog should ask you the PIN, and the smartcard will sign the subkey. Repeat for all the subkeys (in my case, 3 and 4). If you ask for PIN confirmation at every signature, the pinentry dialog should reappear each time. When you're done, check that everything is ok, and save:
gpg> save

corsac@scapa: gpg --list-keys 71ef0ba8
gpg: checking the trustdb
gpg: public key of ultimately trusted key AF2195C9 not found
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   5  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1  valid:   5  signed:  53  trust: 5-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2013-12-28
pub   4096R/71EF0BA8 2009-05-06
uid                  Yves-Alexis Perez <corsac@corsac.net>
uid                  Yves-Alexis Perez (Debian) <corsac@debian.org>
sub   4096g/36E31BD8 2009-05-06 [expires: 2014-10-28]
sub   2048R/CC0E273D 2012-10-17 [expires: 2014-10-28]
sub   2048R/A675C0A5 2012-10-27 [expires: 2014-10-28]
sub   2048R/D98D0D9F 2012-10-27 [expires: 2014-10-28]

Now that we have the new subkey definitions locally, we need to push them to the keyservers so other people get them too. In my case, I also need to push to the Debian keyring keyserver so the change gets picked up at the next update:
corsac@scapa: gpg --send-keys 71ef0ba8
gpg: sending key 71EF0BA8 to hkp server subkeys.pgp.net
corsac@scapa: gpg --keyserver keyring.debian.org --send-keys 71ef0ba8
gpg: sending key 71EF0BA8 to hkp server keyring.debian.org

The main smartcard is now back in its safe place. As far as I can tell, there's no operation needed on the daily smartcard (which only holds the subkeys), but you will need to refresh your public key on any machine you use it on before it gets the updated expiration date.
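The whole point of the procedure above is to renew before the archive or a keyserver ever sees an expired signing subkey, so the check worth automating is "which of my subkeys expire within the next N days?". The script below is an added example, not something from the original post: it parses GnuPG's machine-readable listing (`gpg --fixed-list-mode --with-colons --list-keys`, where field 1 is the record type, field 5 the long key ID, field 7 the expiration as seconds since the epoch with an empty field meaning "never", and field 12 the capability letters) and flags every pub/sub record that is already expired or expires inside the window. The key IDs in the sample listing are made up; the dates mirror the ones in the post. Run it against a real key by piping gpg's output into `subkeys_expiring_within`.

```shell
#!/bin/sh
# Added example (not part of the original post): flag keys/subkeys that are
# expired or expire within N days, from a GnuPG colon-format listing.
#
# Real use (needs gpg; the key ID is the post's, substitute your own):
#   gpg --fixed-list-mode --with-colons --list-keys 71ef0ba8 | subkeys_expiring_within 60
#
# Assumed input format (--fixed-list-mode --with-colons): field 1 = record type,
# field 5 = long key ID, field 7 = expiration as seconds since the epoch
# (empty = never expires), field 12 = capability letters (e/s/c/a).

subkeys_expiring_within() {
    days="$1"
    now="${2:-$(date +%s)}"   # optional 2nd argument pins "now" (used for deterministic tests)
    awk -F: -v days="$days" -v now="$now" '
        $1 == "pub" || $1 == "sub" {
            if ($7 == "") next                      # no expiration date set
            if ($7 + 0 <= now) {                    # already past its expiration
                printf "%s %s [%s] EXPIRED\n", $1, $5, $12
                next
            }
            left = int(($7 - now) / 86400)          # whole days remaining
            if (left <= days)
                printf "%s %s [%s] expires in %d day(s)\n", $1, $5, $12, left
        }'
}

# Constructed sample listing (key IDs are made up; dates follow the post):
# primary key never expires, subkey ...02 expires 2013-10-27 (1382832000),
# subkey ...03 expires 2014-10-28 (1414454400).
SAMPLE_LISTING='pub:u:4096:1:DEADBEEF00000001:1241568000::::::scSC:
sub:u:2048:1:DEADBEEF00000002:1350432000:1382832000:::::s:
sub:u:2048:1:DEADBEEF00000003:1351296000:1414454400:::::e:'

# Run the check on the sample as of 2013-08-20 (epoch 1377000000) with the given window.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | subkeys_expiring_within "$1" 1377000000
}

# Stand-alone demo: with a 90-day window only the signing subkey (67 days left) is reported.
check_sample 90
```

A few caveats that go with the procedure itself. In `--edit-key`, `key N` toggles the selection of subkey N, so after renewing subkey 2 deselect it before selecting 3 (GnuPG 1.4 refuses `expire` with more than one subkey selected). On the other machines, `gpg --recv-keys 71ef0ba8` (or `gpg --refresh-keys`) pulls the updated self-signatures; the daily card itself carries no expiration data, which is why no card operation is needed there. Newer GnuPG (2.2 series) also has `gpg --quick-set-expire` for doing this non-interactively, but the `--edit-key` dialogue above works on every version.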