GPG key transition statement

Date: 8th October, 2015
(You can also download this statement signed by both the old and the new key.)

For a number of reasons, I’ve recently set up a new OpenPGP key, and will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition.

The old key was:

pub   2048R/DBAB60F2 2012-09-08
      Key fingerprint = 99A7 D000 D012 7BD7 F497  BC51 C277 D526 DBAB 60F2

And the new key is:

pub   4096R/3F332AEF 2015-10-08 [expires: 2017-10-07]
      Key fingerprint = 39FB 5452 5236 AB4E 886E  BA75 CE97 A663 3F33 2AEF

To fetch the full key (including a photo uid, which is commonly stripped by public keyservers), you can get it with:

wget -q -O- https://sirmacik.net/dl/mkarpezo.gpg | gpg --import -

Or, to fetch my new key from a public key server, you can simply do:

gpg --keyserver pgp.mit.edu --recv-key 3F332AEF

If you already know my old key, you can now verify that the new key is signed by the old one:

gpg --check-sigs 3F332AEF

If you don’t already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

gpg --fingerprint 3F332AEF

If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key:

gpg --sign-key 3F332AEF
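As an added example (not part of the signed statement or the author's own scripts), here is a small POSIX shell check that performs the fingerprint comparison from the steps above in a scriptable way: it parses gpg's machine-readable --with-colons output and compares the full 40-hex-digit fingerprint, rather than the 8-digit short key ID, against the one printed in this statement before signing. The gpg output embedded below is constructed for the example; real use feeds the output of gpg --with-colons --fingerprint 3F332AEF.

```shell
#!/bin/sh
# Added example: verify a key's full fingerprint against the value published
# in the transition statement before signing it.

# Fingerprint of the new key, copied as printed in the statement above.
EXPECTED_FPR="39FB 5452 5236 AB4E 886E  BA75 CE97 A663 3F33 2AEF"

# Constructed sample of `gpg --with-colons --fingerprint 3F332AEF` output
# (pub and fpr records only), so the check runs without a keyring or network.
SAMPLE_COLONS='pub:-:4096:1:CE97A6633F332AEF:1444262400:1507334400::-:::scESC::::::
fpr:::::::::39FB54525236AB4E886EBA75CE97A6633F332AEF:'

# Strip the grouping spaces gpg prints and upper-case hex digits, so the
# human-readable form and the colon-format form compare as the same string.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Extract every fpr record from --with-colons output; the fingerprint is
# field 10 of an fpr line.
fprs_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10 }'
}

# Exit status 0 when the expected fingerprint is among the fingerprints in
# the given --with-colons output (primary key or subkeys), non-zero otherwise.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    fprs_from_colons "$2" | grep -qx "$expected"
}

# Real-world use (not executed here): sign only if the fingerprint matches.
#   fingerprint_matches "$EXPECTED_FPR" "$(gpg --with-colons --fingerprint 3F332AEF)" \
#       && gpg --sign-key 3F332AEF
```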

Lastly, if you could upload these signatures, I would appreciate it. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):

gpg --armor --export 3F332AEF | mail -s 'OpenPGP Signatures' marcin@karpezo.pl

Or you can just upload the signatures to a public keyserver directly:

gpg --keyserver pgp.mit.edu --send-key 3F332AEF

Additionally, I highly recommend that you implement a mechanism to keep your key material up-to-date so that you obtain the latest revocations and other updates in a timely manner. You can do regular key updates by using parcimonie to refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring from a keyserver over Tor. It uses a randomized sleep, and fresh Tor circuits for each key. The purpose is to make it hard for an attacker to correlate the key updates with your keyring.

I also highly recommend checking out the excellent Riseup GPG best practices doc, from which I stole most of the text for this transition message 😉
https://help.riseup.net/en/security/message-security/openpgp/best-practices

Please let me know if there is any trouble, and sorry for the inconvenience.
