[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New signing key

From: Tobias Geerinckx-Rice
Subject: Re: New signing key
Date: Tue, 29 Jun 2021 16:40:35 +0200

Question: I think committers should be trusted with discretion in how they prefer to manage their keys, but how about briefly documenting a suggested sane key-management strategy to new committers, like we already describe some rando's editor set-up? :-)

I don't think most people *insist* on their current one, it's just what they know; and GPG is complex and gnarly.

Eric Bavier <> skribis:
In this case, the old key had already expired. I think others here
have reset the expiry date on their keys before?

Limiting validity to 1…2y is considered good hygiene, as is simply extending the date whenever it's about to expire. It proves you still control the private key. It doesn't matter if you miss the deadline.

It's what I'd suggest for Guix because it gives committers full control over renewal without the inherent risk of updating the keyring & .guix-authorizations each time. It also makes such commits less routine, which I think is good…

I like the idea of honoring the expiration dates I set

Excellent, but ^ this…

and creating a new key.

…doesn't imply ^ this.

Signing your existing key with a new expiry date is just as honourable^Wsecure, and much less hassle. You would have avoided the delay you encountered here. Others would get a better error message (‘expired’ vs. now ‘unknown’). Etc.

I'm not aware of any authority on best practices that would claim the opposite, but if you are, I'd be grateful to hear about it!

Kind regards,


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]