On 5/5/11 2:52 AM, Andreas Heinlein wrote:
> Hello,
>
> I hope you can give me some advice on the following problem:
>
> We have an OpenPGP key which we use for signing our software releases.
> That key should be changed yearly and carry an expiration date to
> enforce this change. However, for the signatures to be useful, the key
> has to be signed by quite a lot of well-known people and institutions,
> which means a considerable effort.
>
> If we just regenerate the whole key every year, we would have to get all
> these signatures again. I have a feeling that generating new subkeys
> might be a solution, but I have never worked with subkeys before, so I
> thought you could give me some advice on what would be the best thing to do.
>
> Thanks,
> Andreas
Some organizations create a master signing key, which is (supposedly) kept secure and usually off-line. That's used to sign the release keys. Then users sign the master key and/or see if the master key trusts the key used to sign the release.

Like all the solutions proposed here, I have no idea how usable this strategy is for people who try to verify software packages, but only have a limited understanding of OpenPGP's trust model.

--
Grant
"I am gravely disappointed. Again you have made me unleash my dogs of war."

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
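As an added example that is not part of the thread (neither Andreas's nor Grant's code), the script below builds the layout Grant describes with GnuPG 2.1 or later: a certify-only master key, which is the key other people certify, plus a signing subkey that expires after one year and is simply replaced each year, and then checks that a release signature made by the subkey chains back to the master fingerprint. The user ID, the "release" file and the throwaway keyring are constructed placeholders, and the keys are left without a passphrase only to keep the demo non-interactive.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Requires gpg 2.1+.
set -eu

# Unprotected keys for a non-interactive demo; a real master key would be
# passphrase-protected and kept off-line, as Grant describes.
gpgq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Yearly rotation step: add a fresh signing subkey with a one-year expiry.
# The master key, and every certification other people put on it, is untouched.
add_yearly_subkey() {
  gpgq --quick-add-key "$MASTER_FPR" rsa2048 sign 1y
}

# Build the layout in a throwaway keyring and record the master fingerprint.
make_release_keys() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
  # Certify-only, non-expiring master key: it certifies subkeys and collects
  # other people's signatures, but never signs a release itself.
  gpgq --quick-generate-key 'Example Releases <releases@example.invalid>' rsa2048 cert never
  MASTER_FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
  add_yearly_subkey
}

# Number of signing-capable subkeys that are neither expired (e) nor revoked (r),
# read from the machine-readable --with-colons listing.
live_signing_subkeys() {
  gpg --batch --with-colons --list-keys "$MASTER_FPR" \
    | awk -F: '$1=="sub" && index($12,"s") && $2!="e" && $2!="r" {n++} END{print n+0}'
}

# Sign a constructed "release" (gpg picks the signing subkey, since the master
# is certify-only), verify it, and print the primary fingerprint reported in the
# VALIDSIG status line: that is the value a user compares against the master
# fingerprint they have checked or certified, whichever subkey made the signature.
sign_and_verify() {
  rel="$GNUPGHOME/release.tar"
  printf 'constructed release contents\n' > "$rel"
  gpgq --detach-sign --output "$rel.sig" "$rel"
  gpg --batch --status-fd 1 --verify "$rel.sig" "$rel" 2>/dev/null \
    | awk '$2=="VALIDSIG"{print $NF}'
}

make_release_keys
echo "master $MASTER_FPR has $(live_signing_subkeys) live signing subkey(s)"
echo "release signature chains to primary $(sign_and_verify)"
```

Calling `add_yearly_subkey` again next year adds the new subkey alongside the old one; `gpg --quick-set-expire` can then shorten the old subkey's expiry, and the certified master fingerprint stays the same throughout.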