undefined (#40957)

It appears that new subkeys have been generated in the past when expiration was coming - i'm curious if someone remembers/knows why that method is used, instead of just extending the expiration date on the existing key? There are pros/cons for each, but I've found that often people just don't even know you can extend the expiration.

The subkey is kept on our signing machine, while the main key is kept offline, so it's useful to create a new subkey to rotate the key we use.

Maybe for next time we can switch to a new subkey while the old one is still valid for a few months, so that last release can be verified without using an expired subkey.

boklm (@boklm):

boklm commented on a discussion: #40957 (comment 2945947)

The subkey is kept on our signing machine, while the main key is kept offline, so it's useful to create a new subkey to rotate the key we use.

Maybe for next time we can switch to a new subkey while the old one is still valid for a few months, so that last release can be verified without using an expired subkey.

That's what we actually used to do a couple of years back to avoid the exact problem which we encountered (again) in this issue... :)

The subkey is kept on our signing machine, while the main key is kept offline, so it's useful to create a new subkey to rotate the key we use.

Makes sense, thanks for the explanation!

Maybe for next time we can switch to a new subkey while the old one is still valid for a few months, so that last release can be verified without using an expired subkey.

Seems like a good idea :)

...

On 2023-09-21 07:25:02, boklm (@boklm) wrote:

And maybe once this instance is fixed we can open a new related issue "Update signing keys", setting its due date 2 weeks before the subkey expiration and keeping it open, up-to-date & rolling indefinitely 😄

yes, we should do for all our keys

We might need related issues on TPA and or web (a user said on IRC the key has not been updated on TPO).

They added this link: https://github.com/micahflee/torbrowser-launcher/issues/700#issuecomment-1727392723

We might need related issues on TPA and or web (a user said on IRC the key has not been updated on TPO).

We have not updated the key yet. We are still trying to get access to the key.

Sorry, my bad. They were saying the key was updated on openpgp.org, but I haven't checked myself.

Expiration date on the subkey has been extended by 5 months.

The ticket to update it in wkd is tpo/tpa/team#41333 (closed).

Activity