Bug 659842 - [TRACKER] Non-GLEP63-conformant developer keys
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Developer account issues
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
Reported: 2018-07-02 12:41 UTC by Michał Górny
Modified: 2018-08-01 20:01 UTC
Description (Michał Górny, 2018-07-02 12:41:41 UTC)
Tracker for issues related to GLEP 63 conformance.
Comment 1 (Michał Górny, 2018-07-03 14:06:34 UTC)
OK, here are some generic tips on solving key problems.

Before you start, please make sure you understand the difference between the primary key (as a whole) and subkeys.  Replacing the whole key creates a lot of hassle, so avoid this unless the text explicitly tells you to do that.  Replacing subkeys is trivial and doesn't create hassle (it's enough if people --refresh keys).


[E] algo:dsa:short DSA key too short (has 1024 bits, should be 2048 bits)
[E] algo:rsa:short RSA key too short (has 1024 bits, should be at least 2048 bits)

  This means you're using a weak DSA/RSA key.  This is the only case when you
  need to generate a new key.  I'd suggest going for RSA-2048 (GLEP is in process
  of being updated to recommend this instead of RSA-4096; see GnuPG FAQ 11.4
  and 11.5 [1]).

  While updating the key, please make sure to follow the full transition process,
  including signing the new key with the old one and waiting for the new key
  to propagate before revoking and removing the old one.  Note that infra needs ~6 hours
  for full rotation.  Apache has some graphic instructions on replacing keys [2].

[W] algo:dsa:discouraged RSA key is recommended (DSA is being used)

  This means you're still using DSA.  This meets the minimal spec but using RSA
  is recommended instead.  Please consider replacing the key, see above.

[E] expire:none No expiration date on public key (<3 years recommended, 5 years max)
[E] expire:long Expiration date is too long (is YYYY-mm-dd HH:MM:SS, <X years recommended, 5 years max)
[W] expire:long Expiration date is long (is YYYY-mm-dd HH:MM:SS, <X years recommended)

  GLEP 63 requires expiration dates on both primary key and all subkeys.
  The minimal spec allows for max 5 years (more than that gives [E]rror),
  recommendation is up to 3 years for primary key, up to 1 year for signing key
  (more than that gives [W]arning).  Remember that you can renew the expiration
  date at any time.

  In order to fix this, edit the key and update expiration dates.  Remember to
  send the updated key to the keyservers.

[W] expire:short Expiration date is short (is 2018-12-29 18:59:46, renewal every 12 months recommended)

  This is just a friendly notice that your key is nearing expiry and you should
  consider renewing it.

[E] validity:expired Public key has expired

  I think this one is pretty clear.  If you want to continue using this key, you
  need to update expiration date and send it to keyservers.  If you don't want
  to use it, remove it from LDAP, please.

[E] validity:revoked Public key has been revoked

  Please remove revoked keys from LDAP.  Given they're revoked, there's no reason
  why our git servers would want to accept commits made using those keys.

[W] subkey:multipurpose Subkey has multiple capabilities enabled (has: [XXX]; use dedicated subkeys!)
[E] subkey:none Having a dedicated signing subkey is required

  The first one indicates that you have one or more subkeys that have multiple
  capabilities enabled (it's a warning).  The second one indicates that your key
  lacks a dedicated signing subkey (using this subkey is a GLEP 63 requirement).

  Generally you should have multiple subkeys, each one dedicated to a particular
  capability, i.e. usually one signing subkey and one encryption subkey.  You may
  also want to have extra subkeys for authentication if you're using gpg-agent
  for SSH (see my blog post for more info on subkeys [3]).

  To fix this, edit your key.  Create new subkeys dedicated to each purpose,
  and set one capability on every one of them.  Then, revoke the old subkey
  and send your updated key to the keyservers.

[W] uid:nogentoo @gentoo.org e-mail not in key UIDs

  This indicates that none of your UIDs list your @gentoo.org account.  If you
  intend to use this key to commit to Gentoo, please add a UID with your
  @gentoo.org email to make it easier for users to find it.  If you do not intend
  to use it for Gentoo, please remove it from LDAP.


[1]: https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
[2]: https://www.apache.org/dev/key-transition.html
[3]: https://blogs.gentoo.org/mgorny/2018/05/12/on-openpgp-gnupg-key-management/
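An added illustration, not from this bug or from Gentoo's own key checker, of how the [E]/[W] findings described in comment 1 can be derived from `gpg --with-colons --list-keys` output; the sample key and the assumption that expiry windows are measured from the current time are mine.

```python
YEAR, MAX_YEARS, REC_PRIMARY, REC_SIGNING = 365 * 86400, 5, 3, 1   # seconds, years, years, years
# Constructed sample of 'gpg --with-colons --list-keys' output (not a real key): 1024-bit DSA
# primary without expiry, one non-@gentoo.org UID, one RSA-2048 subkey with "es" capabilities.
SAMPLE = """\
pub:-:1024:17:0000000000000000:1514764800::::::scESC:
uid:-::::1514764800::::Example Dev <dev@example.org>:
sub:-:2048:1:1111111111111111:1514764800:1546300800:::::es:
"""

def parse_colons(text):
    # Group pub/sub/uid records per primary key; field numbers follow gpg's DETAILS doc.
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"pub": f, "subs": [], "uids": []})
        elif keys and f[0] in ("sub", "uid"):
            keys[-1][f[0] + "s"].append(f if f[0] == "sub" else f[9])   # field 10: user id
    return keys
def check_algo(f, out):
    bits, algo = int(f[2]), f[3]                      # fields 3 (length) and 4 (algorithm id)
    if algo == "17":                                  # 17 = DSA
        out.append(("E", "algo:dsa:short") if bits < 2048 else ("W", "algo:dsa:discouraged"))
    elif algo == "1" and bits < 2048:                 # 1 = RSA
        out.append(("E", "algo:rsa:short"))
def check_expiry(f, rec_years, now, out):
    left = int(f[6]) - now if f[6] else None          # field 7: expiry (unix time), measured from now
    if f[1] in ("r", "e"):                            # field 2: validity, r = revoked, e = expired
        out.append(("E", "validity:revoked" if f[1] == "r" else "validity:expired"))
    elif left is None:
        out.append(("E", "expire:none"))
    elif left > MAX_YEARS * YEAR:
        out.append(("E", "expire:long"))
    elif left > rec_years * YEAR:
        out.append(("W", "expire:long"))
def check_key(key, now):
    # Return [(level, code), ...] findings for one primary key and its subkeys.
    out, has_signing = [], False
    check_algo(key["pub"], out)
    check_expiry(key["pub"], REC_PRIMARY, now, out)
    for sub in key["subs"]:
        caps = {c for c in sub[11] if c in "sea"}     # field 12: this subkey's own capabilities
        check_algo(sub, out)
        check_expiry(sub, REC_SIGNING if "s" in caps else REC_PRIMARY, now, out)
        has_signing |= caps == {"s"}                  # GLEP 63 wants a sign-only subkey
        if len(caps) > 1:
            out.append(("W", "subkey:multipurpose"))
    if not has_signing:
        out.append(("E", "subkey:none"))
    if not any("@gentoo.org" in u for u in key["uids"]):
        out.append(("W", "uid:nogentoo"))
    return out
```

Run it over `gpg --with-colons --list-keys <your-key-id>` to get the same codes for your own key before infra's check does; the expire:short reminder is not implemented here.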
Comment 2 (Aaron W. Swenson, 2018-07-05 21:43:57 UTC)
It may be helpful to have some instructions as to how to transition a key. Apache Foundation does have a how-to at:

https://www.apache.org/dev/key-transition.html
Comment 3 (Michał Górny, 2018-07-06 05:32:59 UTC)
(In reply to Aaron W. Swenson from comment #2)
> It may be helpful to have some instructions as to how to transition a key.
> Apache Foundation does have a how to at:
> 
> https://www.apache.org/dev/key-transition.html

It's in #c1, in the first section.
Comment 4 (Aaron W. Swenson, 2018-07-06 11:18:52 UTC)
(In reply to Michał Górny from comment #3)
> (In reply to Aaron W. Swenson from comment #2)
> > It may be helpful to have some instructions as to how to transition a key.
> > Apache Foundation does have a how to at:
> > 
> > https://www.apache.org/dev/key-transition.html
> 
> It's in #c1, in the first section.

So it is! I missed it the first time.