Project

General

Profile

Feature #15890

Update our OpenPGP keys in 2019

Added by intrigeri about 1 year ago. Updated 27 days ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
-
Target version:
Start date:
09/01/2018
Due date:
% Done:

100%

Feature Branch:
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

What we're supposed to do each year:

  • Bump the master key's expiration date by 1 year.
  • Generate a new signing subkey for each RM, and move it onto new smartcards (the old ones are still needed to keep the previous subkey during the transition period).
  • If needed, generate and split a revocation certificate for our signing key. See internal.git for details.
  • Update the public key in wiki/src/tails-signing.key.
  • Update references to the public key at least in wiki/src/doc/about/openpgp_keys.mdwn.
  • Create a ticket about updating our OpenPGP keys next year.

To be done at the summit during northern hemisphere summer.


Subtasks

Feature #15891: Ensure we have enough OpenPGP smartcard/GNUK hardware for our 2019 keys updateResolved


Related issues

Related to Tails - Bug #16327: Certify the key of tails-{fundraising,mirrors,sysadmins}@boum.org with the signing key Resolved 01/08/2019
Related to Tails - Bug #17133: Update our OpenPGP keys in 2020 Confirmed
Copied from Tails - Feature #14484: Update our OpenPGP keys in 2018 Resolved 09/01/2017

Associated revisions

Revision 316b4e88 (diff)
Added by intrigeri about 1 month ago

Update the Tails signing public key (refs: #15890)

This postpones the expiration date of the master key and of the 4 current
signing subkeys.

Revision d02520a4 (diff)
Added by intrigeri about 1 month ago

Update the expiration date of the Tails signing key in our doc (refs: #15890)

History

#1 Updated by intrigeri about 1 year ago

#2 Updated by intrigeri about 1 year ago

  • Description updated (diff)

#3 Updated by sajolida 10 months ago

  • Related to Bug #16327: Certify the key of tails-{fundraising,mirrors,sysadmins}@boum.org with the signing key added

#4 Updated by sajolida 10 months ago

This could be a good time to do #16327.

If I'm part of the people doing the ritual (like last year) I don't mind working on this.

#5 Updated by intrigeri 7 months ago

  • Status changed from In Progress to Confirmed

#6 Updated by intrigeri 7 months ago

  • Target version changed from 2019 to Tails_3.16

#7 Updated by intrigeri 7 months ago

To be done at the summit during northern hemisphere summer.

Except the summit will happen much later, quite possibly too late, so we'll need to find some other way to fix that.

#8 Updated by intrigeri 7 months ago

Given the RMs won't meet in person at the right time for the necessary key update in ~August, there's no way we give them new signing subkeys on OpenPGP hardware in due time. So we have no choice but to:

  1. by the end of October: enough Tails folks meet to postpone the expiration date of the master (sic) key and the RM's signing subkeys; I'll try my best to make this happen
  2. ship these updated pubkeys in Tails 3.17 so updates from 3.17 to the next couple releases work
  3. next time enough RMs meet (probably November): generate fresh subkeys and move them to hardware tokens
  4. at some well chosen time after that, switch to the new subkeys when signing stuff

#9 Updated by intrigeri 3 months ago

  • Priority changed from Normal to High

#10 Updated by intrigeri 3 months ago

  • Target version changed from Tails_3.16 to Tails_3.17

#11 Updated by intrigeri 2 months ago

  • Target version changed from Tails_3.17 to Tails_4.0

#12 Updated by intrigeri about 1 month ago

  • Status changed from Confirmed to In Progress

#13 Updated by intrigeri about 1 month ago

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (intrigeri)

Bumped expiration date on the master branch, see the 2 commits that are cross-referenced with this ticket.

  • Create a ticket about updating our OpenPGP keys next year.

#17133

#14 Updated by intrigeri about 1 month ago

  • Related to Bug #17133: Update our OpenPGP keys in 2020 added

#15 Updated by anonym 27 days ago

  • Status changed from Needs Validation to Resolved

Everything looks in order to me!

Also available in: Atom PDF