undefined | Better HN

0 points3pt141597y ago0 comments

I've been signing my GPG commits for five years now.

The problem is that they don't allow GPG keys to be sunsetted. "Verified" should be a property on the commit, not something computed. If I replace my GPG key with something more secure, but I have no reason to believe my former GPG key was stolen, I should be able to keep trusting the other commits.

0 comments

4 comments · 1 top-level

Boulth7y ago· 3 in thread

If you rotate your signing subkey then this would work as expected.

Rotating primary/master keys is a problem in OpenPGP in general (not just Github).

3pt14159OP7y ago

Yeah.

I guess I've tended to shy away from subkeys because I figure losing the primary is a function of time. Basically at some point a virus, or improperly secured backup, is going to get my key.

Though I suppose the pro way of doing this would be to set up some kind of air gaped PC, generate the subkey, then display it as a QR code or something.

Boulth7y ago

Yes, that's what I did but instead of copying the subkey via QR I put it on a Yubikey. Actually it's more convenient that way as it's possible to use it on any computer.

But from my perspective if you keep your master key super secure subkeys can be your "operational keys" that are easily swapped when needed (I rotated my subs when Yubico Infineon bug surfaced).

mattigames7y ago

Air-gaped PC could be any old smartphone you (or some friend) have lying around and set it on airplane mode then use it to generate keys as QR images (if you are truly paranoid then root it and delete the wifi/bluetooth drivers or use a home-made faraday cage)

j / k navigate · click thread line to collapse