GPG Key Transition


My current PGP/GnuPG key is expiring, so I've rolled a new one. The ID of the new key is 0x3C7775DD37811E62 (full fingerprint: 1ED5 E5A3 01C3 D109 9040 2289 3C77 75DD 3781 1E62) and it should be in your favorite keyservers, cross-signed by my old key. You can also find it at https://files.roguelazer.com/roguelazer.gpg. It has also been attached to my keybase.io account and my Github profile. My previous key (0xAEE8F2454A41B87D) has not been revoked and has not been compromised, but you should still stop using it if possible. The new key is a 4096-bit RSA key with SHA-2 digest signatures — I'm not quite bold enough to switch to ECC for a long-lived key yet.

My signed transition document is below, and can also be found at 2019-04-27-key-transition-statement.txt.asc if you prefer to download it directly.

Additionally, I have generated a separately-signed key with ID 0x233E5EAF0EC3ABA9 (full fingerprint: 14E8 9660 188D BC9B 2C17 67AA 233E 5EAF 0EC3 ABA9). This key should not be used for communication, but will only be used to sign VCS commits/tags/&c (in Git and perhaps in Pijul[1]). It's going to be on my [managed] work computer[2], so treat it with a grain of salt.

Transition Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

My name is James Matthew Brown. Today is Saturday, April 27th, 2019, and it
is 09:53am when I write this. I am of sound mind and body and am hereby
transitioning from my old PGP key (key ID 0xAEE8F2454A41B87D) to a new PGP
key with ID 0x3C7775DD37811E62.

The old key, which I am transitioning away from, is:

    pub   rsa4096/0xAEE8F2454A41B87D 2016-05-29 [SC] [expires: 2019-05-29]
          9C1BE267C7A5D559739F333AAEE8F2454A41B87D

The new key, which you should use for all communication going forward, is

    pub   rsa4096/0x3C7775DD37811E62 2019-04-27 [SC] [expires: 2022-05-29]
          1ED5E5A301C3D109904022893C7775DD37811E62

You can fetch the new key using GnuPG with

    gpg --keyserver hkp://pool.sks-keyservers.net --recv-key 1ED5E5A301C3D109904022893C7775DD37811E62

If you already trust my existing key, you can validate the new one with

    gpg --check-sigs 1ED5E5A301C3D109904022893C7775DD37811E62

I look forward to your ongoing secured communications.
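A transition statement like the one above is only useful if its parts agree with each other: the key IDs named in the prose must be the low 64 bits of the full fingerprints listed, and the new key should be newer and longer-lived than the old one. The following Python script, added here as an example and not part of the original post, performs those consistency checks on a statement in the layout shown above; the embedded statement text is a constructed excerpt of the page's own statement, and the signature itself is not checked (that remains the job of gpg --verify).

```python
import re

# Cleartext of the transition statement as published on the page (constructed
# excerpt; the PGP signature itself plays no part in these consistency checks).
STATEMENT = """\
I am hereby transitioning from my old PGP key (key ID 0xAEE8F2454A41B87D)
to a new PGP key with ID 0x3C7775DD37811E62.
    pub   rsa4096/0xAEE8F2454A41B87D 2016-05-29 [SC] [expires: 2019-05-29]
          9C1BE267C7A5D559739F333AAEE8F2454A41B87D
    pub   rsa4096/0x3C7775DD37811E62 2019-04-27 [SC] [expires: 2022-05-29]
          1ED5E5A301C3D109904022893C7775DD37811E62
"""

# A GnuPG "pub" line in 0xlong key ID format plus the fingerprint line under it.
PUB_RE = re.compile(
    r"pub\s+(?P<algo>[a-z]+)(?P<bits>\d+)/0x(?P<keyid>[0-9A-F]{16})\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2})\s+\[[A-Z]+\]\s+"
    r"\[expires:\s+(?P<expires>\d{4}-\d{2}-\d{2})\]\s+(?P<fpr>[0-9A-F]{40})"
)

def long_keyid(fingerprint):
    """For a v4 OpenPGP key, the long key ID is the low 64 bits of the fingerprint."""
    fpr = fingerprint.replace(" ", "").upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("not a 160-bit v4 fingerprint")
    return "0x" + fpr[-16:]

def parse_keys(text):
    """Keys listed in the statement, keyed by long key ID (hex, without 0x)."""
    return {m.group("keyid"): m.groupdict() for m in PUB_RE.finditer(text)}

def check_transition(text):
    """Cross-check the IDs named in the prose against the listed keys; return problems found."""
    ids = re.findall(r"key (?:ID|with ID) 0x([0-9A-F]{16})", text)
    if len(ids) != 2:
        return ["expected exactly one old and one new key ID in the prose"]
    old_id, new_id = ids
    keys, problems = parse_keys(text), []
    for kid in (old_id, new_id):
        if kid not in keys:
            problems.append(f"0x{kid} is named but not listed with its fingerprint")
    for kid, k in keys.items():  # the key ID must be derivable from the full fingerprint
        if long_keyid(k["fpr"]) != "0x" + kid:
            problems.append(f"fingerprint of 0x{kid} does not end in that key ID")
    if old_id in keys and new_id in keys:
        old, new = keys[old_id], keys[new_id]
        # ISO 8601 dates compare correctly as plain strings
        if new["created"] <= old["created"] or new["expires"] <= old["expires"]:
            problems.append("new key is not newer and longer-lived than the old key")
    return problems
```

An empty result from check_transition(STATEMENT) means the statement is internally consistent; it says nothing about who signed it, so still run gpg --verify against a key you already trust.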
[1] I haven't actually used Pijul for anything yet but I always thought the Darcs model was neat and I'm ready to broaden my horizons. Spending the last few years trying and failing to teach engineers how to use Git surely hasn't helped.

[2] I mean, the computer is managed by my team, so I don't think anything particularly nefarious is going to happen, but there's always a chance that our MDM vendor could be breached or that the company could make decisions in the future that I wouldn't agree with which would result in compromise of my workstation.

