
Proper procedure for updating an expired GPG key

Open theoryshaw opened this issue 3 years ago • 2 comments

Does anyone know the proper procedure for updating an expired GPG key?

We use the following steps, and they seemed to work, but we're wondering if this is the best approach...

  • delete the old key in /.git-crypt/keys/default/0/ folder
  • add the user again. The new key should have the same email address as the old key

Hypothetically speaking, however, what happens if a repo has only one person with a GPG key, and that key expires? Is there any way, after that, for that person to update their key? Or will they be locked out of the repo from that point forward?

theoryshaw avatar May 29 '21 00:05 theoryshaw

It might be wise to save the symmetric key of such repos somewhere as a backup, maybe...

yorikvanhavre avatar May 29 '21 09:05 yorikvanhavre

You should be able to renew your GPG key normally and keep using git-crypt with no changes. The keys themselves don't change on renewal, only the marked validity date range.

If you are invalidating or otherwise dropping a key and adding a new one then of course you'll need to adjust access in your repos by adding a new key then dropping the old one (probably in that order, not the reverse you suggested above) but that is not the normal way to handle GPG key renewal. That would only apply if your private key was lost or compromised.

alerque avatar May 29 '21 09:05 alerque