Update our OpenPGP keys in 2019
What we're supposed to do each year:
- Bump the master key's expiration date by 1 year.
- Generate a new signing subkey for each RM, and move it onto new smartcards (the old ones are still needed to keep the previous subkey during the transition period).
- If needed, generate and split a revocation certificate for our signing key. See internal.git for details.
- Update the public key in
- Update references to the public key at least in
- Create a ticket about updating our OpenPGP keys next year.
To be done at the summit during northern hemisphere summer.
Update the Tails signing public key (refs: #15890)
This postpones the expiration date of the master key and of the 4 current
Given the RMs won't meet in person at the right time for the necessary key update in ~August, there's no way we give them new signing subkeys on OpenPGP hardware in due time. So we have no choice but to:
- by the end of October: enough Tails folks meet to postpone the expiration date of the master (sic) key and the RM's signing subkeys; I'll try my best to make this happen
- ship these updated pubkeys in Tails 3.17 so updates from 3.17 to the next couple releases work
- next time enough RMs meet (probably November): generate fresh subkeys and move them to hardware tokens
- at some well chosen time after that, switch to the new subkeys when signing stuff