Feature #15890

Update our OpenPGP keys in 2019

Added by intrigeri 2018-09-01 09:50:25. Updated 2019-10-18 11:53:31.

Status: Resolved
Priority: High
Start date: 2018-09-01
% Done: 100%
Type of work: Code

Description

What we’re supposed to do each year:

  • Bump the master key’s expiration date by 1 year.
  • Generate a new signing subkey for each RM, and move it onto new smartcards (the old ones are still needed to keep the previous subkey during the transition period).
  • If needed, generate and split a revocation certificate for our signing key. See internal.git for details.
  • Update the public key in wiki/src/tails-signing.key.
  • Update references to the public key at least in wiki/src/doc/about/openpgp_keys.mdwn.
  • Create a ticket about updating our OpenPGP keys next year.

To be done at the summit during northern hemisphere summer.


Subtasks

Feature #15891: Ensure we have enough OpenPGP smartcard/GNUK hardware for our 2019 keys update Resolved


Related issues

Related to Tails - Bug #16327: Certify the key of tails-{fundraising,mirrors,sysadmins}@boum.org with the signing key Resolved 2019-01-08
Related to Tails - Bug #17133: Update our OpenPGP keys in 2020 Confirmed
Copied from Tails - Feature #14484: Update our OpenPGP keys in 2018 Resolved 2017-09-01

History

#1 Updated by intrigeri 2018-09-01 09:50:25

#2 Updated by intrigeri 2018-09-01 09:56:57

  • Description updated

#3 Updated by sajolida 2019-01-10 09:46:35

  • related to Bug #16327: Certify the key of tails-{fundraising,mirrors,sysadmins}@boum.org with the signing key added

#4 Updated by sajolida 2019-01-10 09:47:22

This could be a good time to do Bug #16327.

If I’m part of the people doing the ritual (like last year) I don’t mind working on this.

#5 Updated by intrigeri 2019-04-13 08:23:25

  • Status changed from In Progress to Confirmed

#6 Updated by intrigeri 2019-04-13 08:23:46

  • Target version changed from 2019 to Tails_3.16

#7 Updated by intrigeri 2019-04-25 13:40:56

> To be done at the summit during northern hemisphere summer.

Except the summit will happen much later, quite possibly too late, so we’ll need to find some other way to fix that.

#8 Updated by intrigeri 2019-04-25 16:19:13

Given the RMs won’t meet in person at the right time for the necessary key update in ~August, there’s no way we give them new signing subkeys on OpenPGP hardware in due time. So we have no choice but to:

  1. by the end of October: enough Tails folks meet to postpone the expiration date of the master (sic) key and the RMs’ signing subkeys; I’ll try my best to make this happen
  2. ship these updated pubkeys in Tails 3.17 so updates from 3.17 to the next couple releases work
  3. next time enough RMs meet (probably November): generate fresh subkeys and move them to hardware tokens
  4. at some well chosen time after that, switch to the new subkeys when signing stuff

#9 Updated by intrigeri 2019-08-05 08:29:09

  • Priority changed from Normal to High

#10 Updated by intrigeri 2019-08-29 06:38:41

  • Target version changed from Tails_3.16 to Tails_3.17

#11 Updated by intrigeri 2019-09-12 14:25:21

  • Target version changed from Tails_3.17 to Tails_4.0

#12 Updated by intrigeri 2019-10-08 13:13:55

  • Status changed from Confirmed to In Progress

Applied in changeset commit:tails|316b4e889b88891b9759693e77e83d76a1917370.

#13 Updated by intrigeri 2019-10-08 13:24:46

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (intrigeri)

Bumped expiration date on the master branch, see the 2 commits that are cross-referenced with this ticket.

> * Create a ticket about updating our OpenPGP keys next year.

Bug #17133

#14 Updated by intrigeri 2019-10-08 13:24:54

  • related to Bug #17133: Update our OpenPGP keys in 2020 added

#15 Updated by anonym 2019-10-18 11:53:31

  • Status changed from Needs Validation to Resolved

Everything looks in order to me!