In light of recent new attacks against SHA-1 [1,2], and the NIST guidance on 1024-bit keys and SHA-1 hashes [3,4], I have decided to move to a new OpenPGP key of a larger size. As such, I will be slowly transitioning away from my old key.
My old key will continue to be valid for some time to come, but I’d prefer all new correspondence to use the new one. I’ll also be switching my outgoing signatures (email and code) onto the new key. For this to work well, I’d like my new key to be re-integrated into the web of trust. So, I’ve signed this message with both the old and the new keys, to certify the transaction.
The old key was:
pub   1024D/365CC7A2 2004-06-28 Kanru Chen (koster)
      Primary key fingerprint: 3278 DFB4 BB28 6E8C 9E1F 1ECB B1B7 5B5F 365C C7A2
And the new key is:
pub   4096R/CEC6AD46 2009-10-19 Kan-Ru Chen (陳侃如)
      Primary key fingerprint: 374F F2AD 0A12 935F D0B0 C84F 1B13 2E01 CEC6 AD46
To fetch my new key from a public key server, you can simply do:
gpg --keyserver pgp.mit.edu --recv-key CEC6AD46
If you already know my old key, you can now verify that the new key is signed by the old one:
gpg --check-sigs CEC6AD46
If you don’t already know my old key, or you just want to be double extra paranoid, compare the full fingerprint (not just the short key ID, which is too short to be unique) against the one above:
gpg --fingerprint CEC6AD46
If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key:
gpg --sign-key CEC6AD46
Lastly, I would appreciate it if you would upload the signatures to a public keyserver directly:
gpg --keyserver pgp.mit.edu --send-key CEC6AD46
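The fetch, fingerprint check, old-key signature check and sign steps above as one script, an added example that is not part of the original post. It reads gpg's machine-readable --with-colons output instead of relying on a visual comparison: in an "fpr" record the 10th field is the fingerprint, and in a "sig" record produced by --check-sigs the 2nd field is "!" for a good signature. The key IDs and fingerprints are the ones quoted in this statement; the sample colon-format output embedded in the script is constructed for illustration (timestamps, subkey and UID hashes are made up) so the helpers can be tried without a keyring, and the live keyserver round trip only runs when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example (not from the original post): check a transition key the
# way the steps above describe, but compare the full fingerprint from the
# machine-readable --with-colons output, and confirm a good signature from
# the old key before signing. Key IDs and fingerprints are the ones quoted
# in the statement; the keyserver is the one it names.

OLD_KEYID="365CC7A2"
NEW_KEYID="CEC6AD46"
EXPECTED_NEW_FPR="374F F2AD 0A12 935F D0B0 C84F 1B13 2E01 CEC6 AD46"
KEYSERVER="pgp.mit.edu"

# Strip spacing and upper-case so a pasted fingerprint compares reliably.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# fprs_match EXPECTED ACTUAL -> exit 0 only for the same, non-empty fingerprint.
fprs_match() {
    [ -n "$(normalize_fpr "$1")" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# From `gpg --with-colons --fingerprint KEY` output, print the first "fpr"
# record's 10th field: the primary key's fingerprint (subkey fprs follow it).
primary_fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# From `gpg --with-colons --check-sigs KEY` output, succeed only if a good
# ("!" in field 2) "sig" record whose signer key ID (field 5) ends in $2 exists.
signed_by() {
    printf '%s\n' "$1" | awk -F: -v id="$2" '
        $1 == "sig" && $2 == "!" && substr($5, length($5) - length(id) + 1) == id { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample output in gpg's colon format. Fingerprints and long key
# IDs are derived from the statement; everything else is made up.
SAMPLE_FPR_OUTPUT='pub:-:4096:1:1B132E01CEC6AD46:1255939200:::-:::scESC:
fpr:::::::::374FF2AD0A12935FD0B0C84F1B132E01CEC6AD46:
uid:-::::1255939200::0123456789ABCDEF0123456789ABCDEF01234567::Kan-Ru Chen:
sub:-:4096:1:0000000000000001:1255939200::::::e:
fpr:::::::::0000000000000000000000000000000000000001:'
SAMPLE_SIG_OUTPUT='pub:-:4096:1:1B132E01CEC6AD46:1255939200:::-:::scESC:
uid:-::::1255939200::0123456789ABCDEF0123456789ABCDEF01234567::Kan-Ru Chen:
sig:!::1:1B132E01CEC6AD46:1255939200::::Kan-Ru Chen:13x:
sig:!::17:B1B75B5F365CC7A2:1255939200::::Kanru Chen (koster):10x:'

# The procedure from the post, with the two checks made fatal.
verify_transition_key() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --keyserver "$KEYSERVER" --recv-keys "$NEW_KEYID" || return 1
    actual=$(primary_fpr_from_colons "$(gpg --with-colons --fingerprint "$NEW_KEYID")")
    if ! fprs_match "$EXPECTED_NEW_FPR" "$actual"; then
        echo "fingerprint mismatch: expected $EXPECTED_NEW_FPR, got $actual" >&2
        return 1
    fi
    if ! signed_by "$(gpg --with-colons --check-sigs "$NEW_KEYID")" "$OLD_KEYID"; then
        echo "no good signature from old key $OLD_KEYID on $NEW_KEYID" >&2
        return 1
    fi
    echo "fingerprint and old-key signature check out; now run:"
    echo "  gpg --sign-key $NEW_KEYID && gpg --keyserver $KEYSERVER --send-key $NEW_KEYID"
}

# Run the live check only when asked, e.g.:  sh check-key.sh run
case "${1:-}" in
    run) verify_transition_key ;;
esac
```

The signing step is deliberately left to the reader to type: a script that signs automatically defeats the point of checking the UIDs match what you expect before certifying them.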
Please let me know if there is any trouble, and sorry for the inconvenience.
A signed version of this statement is available; verify it with
gpg --verify