Date: 8th October, 2015
(You can also download this statement signed by both the old and the new key.)
For a number of reasons, I’ve recently set up a new OpenPGP key, and will be transitioning away from my old one.
The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition.
The old key was:
pub 2048R/DBAB60F2 2012-09-08
      Key fingerprint = 99A7 D000 D012 7BD7 F497 BC51 C277 D526 DBAB 60F2
And the new key is:
pub 4096R/3F332AEF 2015-10-08 [expires: 2017-10-07]
      Key fingerprint = 39FB 5452 5236 AB4E 886E BA75 CE97 A663 3F33 2AEF
To fetch the full key (including a photo uid, which is commonly stripped by public keyservers), you can get it with:
wget -q -O- https://sirmacik.net/dl/mkarpezo.gpg | gpg --import -
Or, to fetch my new key from a public key server, you can simply do:
gpg --keyserver pgp.mit.edu --recv-key 3F332AEF
If you already know my old key, you can now verify that the new key is signed by the old one:
gpg --check-sigs 3F332AEF
If you don’t already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:
gpg --fingerprint 3F332AEF
If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key:
gpg --sign-key 3F332AEF
Lastly, if you could upload these signatures, I would appreciate it. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):
gpg --armor --export 3F332AEF | mail -s 'OpenPGP Signatures' firstname.lastname@example.org
Or you can just upload the signatures to a public keyserver directly:
gpg --keyserver pgp.mit.edu --send-key 3F332AEF
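The short ID 3F332AEF used in the commands above is only the last 8 hex digits of the fingerprint, and more than one key can share it, so the fingerprint comparison is the step worth scripting. The shell functions below are an added example, not part of the original statement; the function names and the sample listings are constructed for illustration, and only the fingerprint is taken from the text above.

```sh
#!/bin/sh
# Added example: check a key listing against the full fingerprint
# published in the transition statement.

# New key's fingerprint, copied from the statement above.
EXPECTED_FPR='39FB 5452 5236 AB4E 886E BA75 CE97 A663 3F33 2AEF'

# Remove whitespace and upper-case, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# stdin: `gpg --with-colons --fingerprint` output.
# stdout: one fingerprint per primary key (subkey fingerprints are skipped).
primary_fprs() {
    awk -F: '$1 == "pub" { primary = 1; next }
             $1 == "sub" { primary = 0; next }
             $1 == "fpr" && primary { print $10; primary = 0 }'
}

# $1: expected fingerprint; stdin: colon listing.
# Succeeds only when exactly one primary key is listed and it matches.
check_listing() {
    want=$(normalize_fpr "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] && [ "$(normalize_fpr "$found")" = "$want" ]
}

# Constructed listing for the new key (dates and subkey values are made up).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:CE97A6633F332AEF:1444262400:1507334400::-:::scESC:
fpr:::::::::39FB54525236AB4E886EBA75CE97A6633F332AEF:
uid:-::::1444262400::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:-:4096:1:1111111111111111:1444262400:1507334400:::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
EOF
}

# Constructed case: a second, unrelated key whose short ID is also 3F332AEF.
colliding_listing() {
    sample_listing
    printf 'pub:-:2048:1:00000000%s:1444262400:::-:::scESC:\n' 3F332AEF
    printf 'fpr:::::::::%s%s%s:\n' 0000000000000000 0000000000000000 3F332AEF
}

sample_listing | check_listing "$EXPECTED_FPR" && echo 'sample: fingerprint matches'
colliding_listing | check_listing "$EXPECTED_FPR" || echo 'collision: refused'
# Real use: gpg --with-colons --fingerprint 3F332AEF | check_listing "$EXPECTED_FPR"
```

Run the check before `gpg --sign-key`, so a signature is only made once the listing holds exactly one key with the published fingerprint.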
Additionally, I highly recommend that you implement a mechanism to keep your key material up-to-date so that you obtain the latest revocations and other updates in a timely manner. You can do regular key updates by using parcimonie to refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring from a keyserver over Tor. It uses a randomized sleep, and fresh Tor circuits for each key. The purpose is to make it hard for an attacker to correlate the key updates with your keyring.
I also highly recommend checking out the excellent Riseup GPG best practices doc, from which I stole most of the text for this transition message 😉
Please let me know if there is any trouble, and sorry for the inconvenience.