Renew an expired GPG Key

Signing commits has become a well-established habit on source code platforms like GitHub or GitLab for several reasons: first, to prove that you are the actual author committing the code, which prevents identity theft; second, so that no one can modify the metadata of the commit, such as the time you did the work.

The GPG key is like a digital signature to every piece of work that you contribute to your team’s repository.

Blog posts like this one explain very well how to set up your workstation to sign commits. But what do you do to renew your GPG key once it expires?

An expired key will fail your commit with an error message:

$ git commit -S -s -m "My commit trying to sign with expired key"
error: gpg failed to sign the data
fatal: failed to write commit object

Listing out the keys will show you the key with its “expired” status:

gpg --list-keys
/Users/effelow/.gnupg/pubring.kbx
-------------------------------------
pub   rsa4096 2022-01-27 [SC] [expired: 2022-01-28]
      46959A9D8C6006FC199A15273433969DFB4A448B
uid           [ expired] effelow (demo) <demo@myemail.com>

Here is how you fix that:

Copy the long key ID from the previous command to your clipboard and paste it at the end of the GPG edit-key command:

gpg --edit-key 46959A9D8C6006FC199A15273433969DFB4A448B
gpg (GnuPG) 2.3.4; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/3433969DFB4A448B
     created: 2022-01-27  expired: 2022-01-28  usage: SC
     trust: ultimate      validity: expired
[ expired] (1). effelow (demo) <demo@myemail.com>

gpg>

The GPG command line prompt opens. Type “expire”:

gpg> expire

Enter the expiry time that you want to set for the new key. I recommend not choosing “key does not expire”. Similar to password length, key length security standards change over time, which is why it is good to renew the key every once in a while. In addition, you do not want non-expiring keys lying around on old, retired hardware.

In this demo we choose “3m” for three months.

Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3m

Confirm with “y”.

Choose a passphrase for the key. The new expiry date for the key gets displayed:

Key expires at Tue Apr 2 13:07:39 2022 CET
Is this correct? (y/N) y

sec  rsa4096/3433969DFB4A448B
     created: 2022-01-27  expires: 2022-04-02  usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). effelow (demo) <demo@myemail.com>

gpg>

Enter “save” to save and leave the GPG command line.

gpg> save

Now export the new public key.

gpg --armor --export demo@myemail.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
[...]
-----END PGP PUBLIC KEY BLOCK-----

Copy the output to your clipboard and save the public key to your GitHub profile, as explained in the official documentation on adding a GPG key.

Since you already have the expired key in your profile, GitHub will complain until you remove the old one; only then can you upload the new one.

Press the “delete” button and confirm with “I understand, delete this GPG key”.

Try committing your change now. It should sign the commit with the renewed key.

git commit -S -s -m "My commit signed with gpg key"
[main d03bf10] My commit signed with gpg key
 1 file changed, 2 insertions(+)

Note that the new commit has the green “Verified” tag.

Congrats! You successfully renewed your GPG Key. 🥳
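
To catch an expiring key before a commit fails, the check below reads the machine-readable listing from gpg --list-keys --with-colons and flags primary keys that are expired or close to expiry. It is an added example, not part of the original post: the function names, the 30-day warning window and every sample record other than the demo fingerprint from this post are constructed.

```shell
#!/bin/sh
# Added example (not from the original post).
# key_expiry_report NOW_EPOCH WARN_DAYS
# Reads `gpg --list-keys --with-colons` records on stdin and prints, for each
# primary key: "<fingerprint> <status> <expiry epoch or ->".
# status: expired | expiring (within WARN_DAYS) | ok | never (no expiry set)
key_expiry_report() {
    awk -F: -v now="$1" -v warn="$2" '
        # pub record: field 7 holds the expiry time in seconds since the epoch
        $1 == "pub" { expiry = $7; pending = 1; next }
        # the first fpr record after a pub record is the primary fingerprint
        $1 == "fpr" && pending {
            pending = 0
            if (expiry == "")                      status = "never"
            else if (expiry + 0 <= now + 0)        status = "expired"
            else if (expiry - now <= warn * 86400) status = "expiring"
            else                                   status = "ok"
            print $10, status, (expiry == "" ? "-" : expiry)
        }'
}

# Constructed sample listing: the demo key from this post (expired
# 2022-01-28 UTC) plus two made-up keys with placeholder fingerprints.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:3433969DFB4A448B:1643241600:1643328000::u:::sc:
fpr:::::::::46959A9D8C6006FC199A15273433969DFB4A448B:
uid:e::::1643241600::::effelow (demo) <demo@myemail.com>:
pub:u:4096:1:AAAAAAAAAAAAAAAA:1643241600:1644278400::u:::sc:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1643241600:::u:::sc:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
EOF
}

# Offline demo with "now" fixed at 2022-01-29 00:00 UTC.
sample_listing | key_expiry_report 1643414400 30

# Against a real keyring:
#   gpg --list-keys --with-colons | key_expiry_report "$(date +%s)" 30
# Non-interactive form of the edit-key / expire / save steps (GnuPG 2.1.22+):
#   gpg --quick-set-expire <fingerprint> 3m
```

A key reported as "never" corresponds to the “key does not expire” choice that this post recommends against.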
