
GnuPG/OpenPGP key transition: I've got a new key


I changed my GnuPG/OpenPGP key. Please update your setup with it and sign my new key as well. The following statement can also be downloaded here; it is signed with both my old key and my new key:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Date: 2014-04-10

For a number of reasons[0], I've recently set up a new OpenPGP key,
and will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer all
future correspondence to come to the new one.  I would also like this
new key to be re-integrated into the web of trust.  This message is
signed by both keys to certify the transition.

The old key was:

pub   1024D/2704CA24 2001-06-28
uid                  Karl Voit <mail@Karl-Voit.at>
uid                  Karl Voit (Linux user number 218353) <Karl.Voit@gmx.at>
uid                  Karl Voit <latex@Karl-Voit.at>
uid                  Karl Voit <news@Karl-Voit.at>
uid                  [jpeg image of size 4175]
sub   1024g/1177EA36 2001-06-28
Primary key fingerprint: 52D1 4FC9 65AD 58BA 7C96  48C6 DCB1 86AD 2704 CA24

And the new key is:

pub   4096R/8A614641 2014-04-09 [expires: 2017-04-08]
uid                  Karl Voit <mail@Karl-Voit.at>
uid                  Karl Voit <devnull@Karl-Voit.at>
sub   4096R/34DF759D 2014-04-09
Primary key fingerprint: 5AAD 1388 98EF BE1E 772D  D950 ECEC 7919 8A61 4641

To fetch the full key from a public key server, you can simply do:

  gpg --keyserver eu.pool.sks-keyservers.net --recv-key 8A614641

If you already know my old key, you can now verify that the new key is
signed by the old one:

  gpg --check-sigs 8A614641

If you don't already know my old key, or you just want to be double
extra paranoid, you can check the fingerprint against the one above:

  gpg --fingerprint '5AAD138898EFBE1E772DD950ECEC79198A614641'

If you are satisfied that you've got the right key, and the UIDs match
what you expect, I'd appreciate it if you would sign my key. You can
do that by issuing the following command:

NOTE: if you have previously signed my key but did a local-only
signature (lsign), you will not want to issue the following, instead
you will want to use --lsign-key, and not send the signatures to the
keyserver

  gpg --sign-key 5AAD138898EFBE1E772DD950ECEC79198A614641

I'd like to receive your signatures on my key. You can either send me
an e-mail with the new signatures (if you have a functional MTA on
your system):

  gpg --export '5AAD138898EFBE1E772DD950ECEC79198A614641' | \
  gpg --encrypt -r '5AAD138898EFBE1E772DD950ECEC79198A614641' --armor | \
  mail -s 'OpenPGP Signatures' mail@Karl-Voit.at

Additionally, I highly recommend that you implement a mechanism to keep your key
material up-to-date so that you obtain the latest revocations, and other updates
in a timely manner. You can do regular key updates by using parcimonie[1] to
refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring
from a keyserver over Tor. It uses a randomized sleep, and fresh tor circuits
for each key. The purpose is to make it hard for an attacker to correlate the
key updates with your keyring.

I also highly recommend checking out the excellent Riseup GPG best
practices doc, from which I stole most of the text for this transition
message ;-)

https://we.riseup.net/debian/openpgp-best-practices

Please let me know if you have any questions, or problems, and sorry
for the inconvenience.

Karl Voit

0. https://www.debian-administration.org/users/dkg/weblog/48
1. https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFTRq4r3LGGrScEyiQRApYhAKCUDle9hP8hsxWTX5l/H1BoXMqd6QCg2HMq
vTunR98cBlWSWnz+VWsGeHs=
=OEC0
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
=hnjL
-----END PGP SIGNATURE-----	  
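
The fingerprint check described in the statement, as an added shell example (not part of the original post or of the signed message): it parses `gpg --with-colons --fingerprint` output and accepts only a listing with exactly one primary key whose full fingerprint equals the published one, because the 8-digit key ID used in the fetch command does not identify a key uniquely. The function names and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a key listing contains exactly one primary key
# and that its full fingerprint equals the one published in the statement.
# Real use: gpg --with-colons --fingerprint 8A614641 | check_listing "$EXPECTED_FPR"

# Fingerprint of the new key, copied from the transition statement.
EXPECTED_FPR='5AAD 1388 98EF BE1E 772D  D950 ECEC 7919 8A61 4641'

# Strip whitespace and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read colon-format listing on stdin and print the fingerprint (field 10 of
# the fpr record that follows each pub record) of every primary key in it.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Exit 0 only if stdin lists exactly one primary key whose fingerprint equals
# $1; exit 2 if $1 is not a 40-digit hex fingerprint; exit 1 on any mismatch.
check_listing() {
    expected=$(normalize_fpr "$1")
    actual=$(primary_fprs)
    case "$expected" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#expected}" -eq 40 ] || return 2
    [ "$actual" = "$expected" ]
}

# Constructed sample listings (timestamps and the second key are made up).
sample_genuine() {
    cat <<'EOF'
pub:-:4096:1:ECEC79198A614641:1397001600:::-:::scESC:
fpr:::::::::5AAD138898EFBE1E772DD950ECEC79198A614641:
EOF
}
sample_lookalike() {   # same short ID 8A614641, different fingerprint
    cat <<'EOF'
pub:-:4096:1:000000008A614641:1397001600:::-:::scESC:
fpr:::::::::000000000000000000000000000000008A614641:
EOF
}

sample_genuine   | check_listing "$EXPECTED_FPR" && echo "genuine: match"
sample_lookalike | check_listing "$EXPECTED_FPR" || echo "lookalike: MISMATCH"
```

A listing that contains the genuine key and a second key with the same short ID is also rejected, since the check requires exactly one primary key.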
