Add self-signature to an old key which does not have one

If you are a crypto veteran, chances are you have some very old keys around your house. Some of those old keys might not even have a self-signature which can cause pains. This article exlains how to deal with such situations.

1. Import keys with missing self-signature

GPG Keychain does not import keys which do not have a self-signature. You need to enable expert settings. After that you will be able to import keys without a self-signature.

2. Add self-signature to your old sec/pub key

  1. create a new UserID for the key in question
  2. sign your old UserID with the same key
  3. delete the new UserID

Voilà, your old key now has a self-signature.

3. Disable GPG Keychain expert settings

To prevent any damage or unwanted action, once you are done, please disable expert settings.

4. Transition to a stronger key

Chances are, that if your key is that old, that it doesn't have a self-signature, it's length is rather short. 1024bit keys should no longer be used. So now is a good time to transition to a new key.

  1. create a new key (we default to 4096bit RSA)
  2. sign your new key with your old key
  3. if you want, upload your new public key to the key servers
  4. wait a day and then tell your friends to use your new key (and update your mail signature, homepage, business card... places where you make references to your public key)
  5. wait one month and give people time to do the transition on their side
  6. revoke your old key (and upload the revoked key to the key servers if it was uploaded earlier)