refs #42099

howto/git.md

@@ -95,7 +95,7 @@ With this, ref updates in the Puppet Git repos are only performed if all
 commits since the trust-root are signed with authorized certificates contained
 in the TPA OpenPGP policy file.
 
-### Permission updates
+### Policy updates
 
 During bootstrap of this mechanism, the TPA OpenPGP policy file was first
 deployed to the Puppet server. This way, all changes are checked against the
@@ -104,17 +104,29 @@ While a certificate is still valid, it should then be able to push any change
 to the server, which includes the ability to perform updates of the
 `openpgp-policy.toml` file itself.
 
+To update certificates, make sure you have up-to-date versions in your local
+store and run:
+
+```
+sq-git policy sync --disable-keyservers
+```
+
+You can also edit the `openpgp-policy.toml` file manually and perform the
+needed changes.
+
 Note that, because we use a centralized OpenPGP policy file, when permissions
 are removed for a certificate, we may need to update the trust-root, otherwise
 old commits may fail to be authenticated against the new policy file.
 
 ### Expired certificates
 
-If a certificate expires before being it's been updated in the
-`openpgp-policy.toml` file, changes signed by that certificate will not be
-accepted, and you'll need to (1) ask another sysadmin with a valid certificate
-to perform the needed changes and (2) wait for or force deployment of the new
-file in the server.
+If a certificate expires before it's been updated in the `openpgp-policy.toml`
+file, changes signed by that certificate will not be accepted, and you'll need
+to (1) ask another sysadmin with a valid certificate to perform the needed
+changes and (2) wait for or force deployment of the new file in the server.
+
+See the above section for instructions on how to update the OpenPGP policy
+file.
 
 ### Manual override