Feature #15890

Update our OpenPGP keys in 2019

Added by intrigeri about 1 year ago. Updated 10 days ago.

Status: Confirmed
Priority: High
Assignee:
Category: -
Target version:
Start date: 09/01/2018
Due date:
% Done: 100%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

What we're supposed to do each year:

  • Bump the master key's expiration date by 1 year.
  • Generate a new signing subkey for each RM, and move it onto new smartcards (the old ones are still needed to keep the previous subkey during the transition period).
  • If needed, generate and split a revocation certificate for our signing key. See internal.git for details.
  • Update the public key in wiki/src/tails-signing.key.
  • Update references to the public key at least in wiki/src/doc/about/openpgp_keys.mdwn.
  • Create a ticket about updating our OpenPGP keys next year.

To be done at the summit during northern hemisphere summer.


Subtasks

Feature #15891: Ensure we have enough OpenPGP smartcard/GNUK hardware for our 2019 keys update Resolved


Related issues

Related to Tails - Bug #16327: Sign the key of tails-{fundraising,mirrors,sysadmins}@boum.org with the signing key Confirmed 01/08/2019
Copied from Tails - Feature #14484: Update our OpenPGP keys in 2018 Resolved 09/01/2017

History

#1 Updated by intrigeri about 1 year ago

#2 Updated by intrigeri about 1 year ago

  • Description updated (diff)

#3 Updated by sajolida 8 months ago

  • Related to Bug #16327: Sign the key of tails-{fundraising,mirrors,sysadmins}@boum.org with the signing key added

#4 Updated by sajolida 8 months ago

This could be a good time to do #16327.

If I'm part of the people doing the ritual (like last year) I don't mind working on this.

#5 Updated by intrigeri 5 months ago

  • Status changed from In Progress to Confirmed

#6 Updated by intrigeri 5 months ago

  • Target version changed from 2019 to Tails_3.16

#7 Updated by intrigeri 5 months ago

To be done at the summit during northern hemisphere summer.

Except the summit will happen much later, quite possibly too late, so we'll need to find some other way to fix that.

#8 Updated by intrigeri 5 months ago

Given the RMs won't meet in person at the right time for the necessary key update in ~August, there's no way we give them new signing subkeys on OpenPGP hardware in due time. So we have no choice but to:

  1. by the end of October: enough Tails folks meet to postpone the expiration date of the master (sic) key and the RMs' signing subkeys; I'll try my best to make this happen
  2. ship these updated pubkeys in Tails 3.17 so updates from 3.17 to the next couple releases work
  3. next time enough RMs meet (probably November): generate fresh subkeys and move them to hardware tokens
  4. at some well chosen time after that, switch to the new subkeys when signing stuff
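
A check that fits steps 1 and 2 above, added here as an example and not taken from the ticket or the Tails code base: it reads a `gpg --with-colons` listing and reports which of the primary key and signing subkeys would expire before a chosen date. The sample listing, the key IDs, the function name `expiry_report` and the horizon date are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed listing in GnuPG's --with-colons format; key IDs and dates are
# made up. Real input would come from, for example:
#   gpg --show-keys --with-colons wiki/src/tails-signing.key
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1421280000:1578441600::-:::cSC::::::23::0:
uid:-::::1421280000::0000::Example signing key <signing@example.org>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1421280000:1578441600:::::s::::::23:
sub:r:4096:1:CCCCCCCCCCCCCCCC:1421280000:1578441600:::::s::::::23:
sub:-:4096:1:DDDDDDDDDDDDDDDD:1503360000:1547251200:::::s::::::23:
sub:-:4096:1:EEEEEEEEEEEEEEEE:1503360000::::::e::::::23:
"""


def expiry_report(listing, horizon):
    """Return (ok, problems) for the primary key and signing subkeys.

    ok: key IDs still valid at `horizon`; problems: (keyid, reason) pairs.
    Revoked subkeys are skipped: they are retired, not due for renewal.
    """
    ok, problems = [], []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        # Field 2: validity, 5: key ID, 7: expiration (epoch), 12: capabilities
        rtype, validity, keyid, expires, caps = f[0], f[1], f[4], f[6], f[11]
        if rtype == "sub" and ("s" not in caps or validity == "r"):
            continue
        if validity == "r":
            problems.append((keyid, "primary key revoked"))
        elif not expires:
            ok.append(keyid)  # no expiration date set
        else:
            when = datetime.fromtimestamp(int(expires), tz=timezone.utc)
            if when < horizon:
                problems.append((keyid, f"expires {when:%Y-%m-%d}"))
            else:
                ok.append(keyid)
    return ok, problems


if __name__ == "__main__":
    horizon = datetime(2019, 12, 1, tzinfo=timezone.utc)  # assumed date
    ok, problems = expiry_report(SAMPLE, horizon)
    for keyid, reason in problems:
        print(f"RENEW {keyid}: {reason}")
    print("valid past horizon:", ", ".join(ok))
```

Setting the horizon to the latest date at which a shipped release must still be able to verify an upgrade shows whether the public key about to be shipped covers that window.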

#9 Updated by intrigeri about 2 months ago

  • Priority changed from Normal to High

#10 Updated by intrigeri 24 days ago

  • Target version changed from Tails_3.16 to Tails_3.17

#11 Updated by intrigeri 10 days ago

  • Target version changed from Tails_3.17 to Tails_4.0
