instructions to extend key expiry #157
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rossabaker
reviewed
Feb 9, 2025
| It is written from the perspective of updating the Typelevel keys, but might (hopefully!) be useful to affiliate maintainers as well. | ||
|
|
||
| 1. If your keys are not in `gpg`, import them: | ||
| - `gpg --import public.asc` |
There was a problem hiding this comment.
This is not harmful, but probably not necessary. It should all be in private.asc.
Comment on lines
+11
to
+16
| 2. `gpg --edit-key $KEY_ID` will put you into the gpg command line | ||
| - type `expiry`, and follow the prompts to set the new expiry (we usually opt to extend the expiry by 1 year), and then type `save` to save the changes | ||
| - NOTE: the Typelevel key has a sub-key, and that expiry must also be extended: | ||
| - run `gpg --edit-key $KEY_ID` again | ||
| - type `key 1`, to edit the first sub-key | ||
| - follow the same steps as before to update the expiry, and `save` |
There was a problem hiding this comment.
gpg --quick-set-expire would make most of this go away, but I think you need the fingerprint and not just the KEY_ID.
| - Update the GitHub secret variable with the copied value (For users of sbt-typelevel, this secret is named `PGP_SECRET` in GitHub) | ||
|
|
||
| 5. Export the updated armored key files for safe keeping (e.g. in 1Password) | ||
| - `gpg --export --armor $KEY_ID > public.asc` |
There was a problem hiding this comment.
I guess this is better safe than sorry, but I'm pretty sure it's redundant with private.asc and definitely redundant with the key server and the website.
|
|
||
| 6. Update the public key in other locations. | ||
| - For example, the Typelevel site has a [Web Key Directory](https://wiki.gnupg.org/WKD) that needs to be updated | ||
| - in the Typelevel site repo, the key is at `.well-known/openpgpkey/hu/nwnwrk3rczw4ou5x56ibcrdatrgf1xag` |
There was a problem hiding this comment.
For posterity, hu is hardcoded, and the last segment comes from gpg-wks-client --print-wkd-hash [email protected]
Co-authored-by: Ross A. Baker <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.