Skip to content

Instantly share code, notes, and snippets.

@krisleech

krisleech/renew-gpgkey.md

Last active April 22, 2024 20:13
Show Gist options
  • Save krisleech/760213ed287ea9da85521c7c9aac1df0 to your computer and use it in GitHub Desktop.
Save krisleech/760213ed287ea9da85521c7c9aac1df0 to your computer and use it in GitHub Desktop.
Download ZIP
Renew Expired GPG key
Raw
renew-gpgkey.md

Renew GPG key

Given that your key has expired.

$ gpg --list-keys
$ gpg --edit-key KEYID

Use the expire command to set a new expire date:

gpg> expire

When prompted type 1y or however long you want the key to last for.

Select all the subkeys (the primary key, which we just set the expires date for, is key 0):

gpg> key 1
gpg> key 2
gpg> expire

A star will sppear before all selected keys.

Since the key has changed we now need to trust it, otherwise we get the error "There is no assurance this key belongs to the named user" when using they key:

gpg> trust

Test it out, do a round trip:

gpg -ea > secret.out
gpg -d secret.out

Backup the key:

gpg -a --export KEYID > kris.leech.gpg.public
gpg -a --export-secret-keys KEYID > kris.leech.gpg.private

Move the keys on to something like a USB drive and store it safely in another location.

Publish the public key:

gpg --keyserver keyserver.ubuntu.com --send-keys KEYID
gpg --keyserver pgp.mit.edu --send-keys KEYID

If you need to copy/paste the public key to a key server:

xclip -i kris.leech.gpgp.public -selection clipboard
@shirohana
Copy link

Remember to gpg> save your work.

@hiukky
Copy link

hiukky commented Jan 19, 2021

thanks!

@NicoHood
Copy link

Why do you need to set the trust setting? This only applies for keys you dont own, right?

@johnmee
Copy link

johnmee commented Oct 19, 2021
edited

WARNING: Your encryption subkey expires soon.

Repeat the process for the "ssb" key. Whilst still editing the key from above, perhaps something like

list
key 1
expire
1y
y
trust

@cankush625
Copy link

Great! It works as expected.

Adding a few steps that need to be done after that for updating the GPG key:

  1. Save your changes made in the GPG key
    gpg> save
  2. Get the content of the public key using the following command. Copy this public key.
    gpg -a --export KEYID
  3. Now, go to GitHub and delete your existing GPG key that has expired. And then click on the New GPG key button and paste the public key we have copied in step 2. Save this public key.
    In this way, you have successfully updated an expired GPG key and all of the commits that are signed with the expired key are now marked from unverified to verified.

@sanmai
Copy link

sanmai commented Sep 7, 2022

There's a quicker method if you just want to extend the expiration date:

gpg --quick-set-expire KEYID PERIOD

…and for the subkeys:

gpg --quick-set-expire KEYID PERIOD '*'

(Source)

@Torxed
Copy link

Torxed commented Jan 30, 2023

I'd like to chip in the use of keys.openpgp.org as well. It's been somewhat reliable. I keep striking out on pgp.mit.edu from time to time. Something worth noting on openpgp.org's key server tho is that it more or less needs email verification.

@jahway603
Copy link

Also found this short tutorial on how to renew your own GPG keys before they expire, which some might find helpful
https://filipe.kiss.ink/renew-expired-gpg-key/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment