9

If I sign a git commit with an OpenPGP key that has an expiration date, what does that mean for people looking at that commit after the expiration date? Should all keys used for commit signing like this be permanent?

What if the verifying party have a new key from me? Or just my old? Or both?

I'm new to OpenPGP in general, especially in relation to signing git commits.

Jens Erat
  • 37,523
  • 16
  • 80
  • 96
Captain Man
  • 6,997
  • 6
  • 48
  • 74

3 Answers3

9

OpenPGP's expiration date only indicates "this key should not be used after a given date", but does not render a key useless: the math still works fine.

If I sign a Git commit with a PGP key that has an expiration date, what does that mean for people looking at that commit after the expiration date?

When verifying signatures, OpenPGP implementations will compare the expiry date with the date the signature was issued. If the signature was issued within the expiration period, you're fine. If not, it will issue a warning (something like "the signature was fine, but issued after expiration).

What if the verifying party have a new key from me? Or just my old? Or both?

If they have your old key, they can verify signatures issued by your old key. For your new key, they can verify those issued by your new key. If they have both, they can verify both.

Should all keys used for commit signing like this be permanent?

Be aware that the expiration date does not really add up any security, as it can be changed arbitrarily as long as you have control over the secret primary key. Also, the signature date can be set arbitrarily, it is written by the OpenPGP implementation used for creating the signature; an attacker might just set a faked system time. I discussed the security of the expiration date in detail on the Information Security sister site in the question "Does OpenPGP key expiration add to security?".

Using an expiry date is fine if you want to indicate the key will not be used after a given time, but do not consider it a security feature. Lots of people with advanced OpenPGP key usage have a primary key with no expiry date and regularly escrow subkeys, which they issue with a limited validity period.

Creating new primary keys means others must validate your new key again. The primary key is the common trust anchor in OpenPGP, and creating a new one means losing all trust/certifications.

Community
  • 1
  • 1
Jens Erat
  • 37,523
  • 16
  • 80
  • 96
  • 1
    I believe there is a typo (too small for an edit): "which [t]hey issue with a limited validity period" –  Jul 23 '16 at 16:11
  • Indeed, there was. You'll be able to also issue such minor edits as soon as you reached 2k reputation points (so your edits will not have to be reviewed any more). – Jens Erat Jul 23 '16 at 16:20
1

You can and should still use expiring keys.

The idea of this system is that keys expire and you generate new ones. But in the PGP world you upload your keys to keyservers. They essentially work like a phone book (*) so everyone wanting to retrieve your public key to send you an encrypted message will be able to get access to it. And that is also the solution to your problem. The keyserver will still remember expired keys so your signature stays valid although expired (validation only depends on a correctly applied signature with a once valid key). Your users will see that when validating your signature for which they retrieved the key you used for this particular signature. But as you go along developing and releasing signed versions you will always sign with valid keys and people just keep retrieving your new ones.

(*) The comparison of a keyserver with a phonebook simplifies the situation but lacks one important portion of information: If you use a keyserver to retrieve a key of a person that is unknown to you keep in mind that this key may be compromised. E.g. Alice wants to communicate with Bob utilizing encryption (or just verify a git commit of Bob's) but she does not know him. She takes Bobs public key from a remote server but is not aware of the fact that Mallory forged it and placed it there. So the verification process is compromised and she will not notice. The way out: Bob can publish the fingerprints of his public key (or the key, too) together with the software that he signed on his website. Alice can now take a key, compare its fingerprint to the one Bob provided in order to verify she has Bob's genuine public key. With that she can now verify his signed commit on git. This also works if the key is expired.

Read here, here and especially here for more info.

harmonica141
  • 1,389
  • 2
  • 23
  • 27
  • I see `A revoked public key can still be used to verify signatures made by you in the past` in the section [Generating a revocation certificate](https://gnupg.org/gph/en/manual.html#REVOCATION). Is the same true for expired public keys? I think that is what I was my concern. – Captain Man Jul 21 '16 at 18:45
  • No. Technically this should not be possible but for sure it is conceptually not what you want. The workflow is as follows: You generate a key pair, put the public key on a keyserver and start signing stuff with your private one. This generates valid signatures on your git tags as you correctly apply a valid key to a commit. – harmonica141 Jul 21 '16 at 18:49
  • One day the key pair will expire and you start over. People retrieving your old commits needing to validate your signature will have to retrieve your old key from the keyserver in order to do so. But there is no sense in signing with old key as you want to prove that the current signature is created by your current self. This is what those keys are for. Signing with expired keys would mean to prove a commit in the presence was created by a version of yourself in the past. No need to ever do that... – harmonica141 Jul 21 '16 at 18:53
  • 1
    Okay, and now I read your question correctly. YES. Validating signatures with expired keys is very possible and absolutely necessary, see above. For a moment I understood you wanted to sign with expired keys, sorry. Sure, if you retrieve an expired or revoked key, the old signature stays valid. Though, if it is revoked you will have to ask yourself if it may be compromised. Sorry for the confusion here. – harmonica141 Jul 21 '16 at 18:59
  • I do not really agree with your answer. Do not compare OpenPGP key servers with phonebooks (issued by some company having control over it, listing its own customer information)! OpenPGP key severs distribute unvalidated, possibly malicious key information. They should never be used to query for keys without additional validation. Also, before recommending expiring keys, be aware about the [limitations of OpenPGP's expiry date](http://security.stackexchange.com/q/14718/19837). Finally, be aware about the (administrative) costs of creating and distributing a completely new set of keys. – Jens Erat Jul 23 '16 at 15:49
  • Yes, thank you for pointing that out. I will edit my answer accordingly. – harmonica141 Jul 25 '16 at 16:23
0

git show-signature/verify considers revoked keys to be invalid even if signed before the key was revoked, see this example from a revoked yubikey signature: https://www.flickr.com/photos/steve_l/37493124630/in/datetaken/

Given this outcome, I think it may be less traumatic to not revoke a key in such situations, but change the expiry date and push up an update to the keyservers saying "The key is expired". This way, existing commits are still validated.

stevel
  • 12,567
  • 1
  • 39
  • 50
  • That key was revoked, I'm talking about keys that have expired. Revocation is something you choose to do, an expired key is simply one being used after its expiration date. – Captain Man Oct 17 '17 at 13:51