Managing signed git tags and expiring keys

Managing signed git tags and expiring keys

[Jonathan "Duke" Leto]

Howdy,

My question is about the Git workflow in a repository which has signed
tags and uses expiring keys in a chain of trust.

When the key changes, all existing tags are signed with the previous
key in the chain of trust.

Do people:
1) resign all the tags, causing people to overwrite their local tags
2) keep all versions of the keys in the chain of trust
3) something else more involved?

Is anybody doing this currently?

Thanks!

Duke

-- 
Jonathan "Duke" Leto <jonathan@leto.net>
Leto Labs LLC
209.691.DUKE // http://labs.leto.net
NOTE: Personal email is only checked twice a day at 10am/2pm PST,
please call/text for time-sensitive matters.

Re: Managing signed git tags and expiring keys

[Junio C Hamano]

"Jonathan \"Duke\" Leto" <jonathan@leto.net> writes:

> When the key changes, all existing tags are signed with the previous
> key in the chain of trust.
>
> Do people:
> 1) resign all the tags, causing people to overwrite their local tags
> 2) keep all versions of the keys in the chain of trust
> 3) something else more involved?
>
> Is anybody doing this currently?

Many kernel.org users (Linus and myself included) changed their signing
keys last year, so their project histories have tags signed with different
keys. I highly doubt anybody revoked old key and re-signed his tags with
new one.