Document signing key cross-signing transition
When replacing an old signing key with a new one, sign the new key with the old key for improved proof of provenance.

Change-Id: Ic7b863565c8f264bede1ec4f49c4e00161920152
parent 0e4bcbe0b0
commit 18ed16c1ec
|
@ -326,6 +326,40 @@ be valid only for as long as its associated master key is valid:
|
||||||
|
|
||||||
gpg> save
|
gpg> save
|
||||||
|
|
||||||
|
Next, sign the new master key with the key from the previous cycle
|
||||||
|
(specified with the ``--default-key`` option). This proves that the
|
||||||
|
new key was created by a party with access to its predecessor, so
|
||||||
|
provides some added assurance of its validity:
|
||||||
|
|
||||||
|
.. code-block:: shell-session
|
||||||
|
|
||||||
|
root@puppetmaster:~# gpg --homedir signing.gnupg --default-key 0x70CA2E45DF30B1B8 --sign-key 0x120D3C23C6D5584D
|
||||||
|
|
||||||
|
pub 2048R/0x120D3C23C6D5584D created: 2016-07-07 expires: 2017-02-02 usage:SC
|
||||||
|
trust: ultimate validity: ultimate
|
||||||
|
sub 2048R/0x1F215B56867C5D9A created: 2016-07-07 expires: 2017-02-02 usage:E
|
||||||
|
sub 2048R/0xC0224DB5F541FB68 created: 2016-07-07 expires: never usage:S
|
||||||
|
[ultimate] (1). OpenStack Infra (Pike Cycle) <infra-root@openstack.org>
|
||||||
|
|
||||||
|
|
||||||
|
pub 2048R/0x120D3C23C6D5584D created: 2016-07-07 expires: 2017-02-02 usage:SC
|
||||||
|
trust: ultimate validity: ultimate
|
||||||
|
Primary key fingerprint: 120D 3C23 C6D5 584D 6FC2 4646 64DB B05A CC5E 7C28
|
||||||
|
|
||||||
|
OpenStack Infra (Some Cycle) <infra-root@openstack.org>
|
||||||
|
|
||||||
|
This key is due to expire on 2017-02-02.
|
||||||
|
Are you sure that you want to sign this key with your
|
||||||
|
key "OpenStack Infra (Previous Cycle) <infra-root@openstack.org>" (0x70CA2E45DF30B1B8)
|
||||||
|
|
||||||
|
Really sign? (y/N) y
|
||||||
|
|
||||||
|
You need a passphrase to unlock the secret key for
|
||||||
|
user: "OpenStack Infra (Previous Cycle) <infra-root@openstack.org>"
|
||||||
|
2048-bit RSA key, ID 0x70CA2E45DF30B1B8, created 2016-11-03
|
||||||
|
|
||||||
|
Enter passphrase: ********************************
|
||||||
|
|
||||||
Now send the master key to the keyserver network. The subkeys are
|
Now send the master key to the keyserver network. The subkeys are
|
||||||
all submitted along with it, so do not need to be specified
|
all submitted along with it, so do not need to be specified
|
||||||
separately:
|
separately:
|
||||||
|
|
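Review bot: The added sentence "This proves that the new key was created by a party with access to its predecessor" overstates what the certification shows. A signature from 0x70CA2E45DF30B1B8 on 0x120D3C23C6D5584D shows that someone holding the old secret key vouched for the new key, not that they generated it, so "was certified by a party with access to its predecessor" would be more accurate. The sample session is also internally inconsistent: the UID reads "OpenStack Infra (Pike Cycle)" in the first listing and "OpenStack Infra (Some Cycle)" before the confirmation prompt, and the signing key labelled "Previous Cycle" shows "created 2016-11-03", later than the 2016-07-07 creation date of the key it signs. Using one placeholder name throughout and dates in a plausible order would help readers who compare their own output against this transcript. It may also be worth referring to both keys by full fingerprint in the command rather than by 64-bit key ID, since the transcript already prints the fingerprint of the new key.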