Oh no my gpg key expired (like every year)

Who doesn’t love encryption and security? I like to sign my git commits, and for this I need PGP keys. They are cool when they work and you don’t need to think about them, but every now and then they need to be renewed (unless you use never expiring keys which of course you shouldn’t!).

So, as always when a key expires, I started looking around the internet what needs to be done because I only ever do this once a year and I cannot remember what I did.

Here’s what needs to be done:

• Run gpg --list-secret-keys
• Find the key to edit
• Run gpg --edit-key [key-id]
• This opens the gpg prompt (indicated by gpg>)
• Enter expire
• Follow the instructions to set the new expire date
• Type save

The key now has a new expiration date and can be uploaded to GitHub – the old one needs to be deleted first. This does not invalidate old signed commits!

The image shows the signed commit, signed with my PGP key, and verified on GitHub. This means that the commit was sent by me (or somebody with access to my key).

It’s a nice little add-on which I really like.

I globally configured my git to sign all commits via the ~/.gitconfig file

[user]
name = Kevin Gimbel
email = kevin@gimbel.dev
signingkey = A6937F93CF7FDC4E

[commit]
gpgsign = true

This config will sign all commits with my GPG key automatically. Yay!

More information

• https://riseup.net/en/security/message-security/openpgp/best-practices
• https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
• https://superuser.com/a/1141251