How to extend the expiry for a GPG key pair and retrieve passphrase

Paul Pan
2021-10-14 22:38

How to extend the expiration date of a GPG key pair and retrieve the passphrase

Affected Versions

6.x and 7.x

Description

Artifactory supports GPG key signing. In general, we suggest not setting an expiration date for the signing key pairs.

However, if you used a GPG key pair that has an expiration date, you can extend the expiration date. You will need the private.key at a minimum. You can download the public key and restore the passphrase from Artifactory if you don't have them.

Resolution

  1. Download the public key from Artifactory. If you don't know the passphrase, jump to step 10 to restore your passphrase first.

  2. Import the public key using

  $ gpg --import public.key

  3. Import the private key using

  $ gpg --import private.key

  4. Get the public key id:

$ gpg --list-keys

pub   rsa2048 2018-04-28 [SC] [expired: 2020-04-27]

      45E51D7FCBB41DB20F320B3935027CAC83A95B6C

uid           [ expired] paul pan <paulp@jfrog.com>

  5. Edit the public key

$ gpg --edit-key 45E51D7FCBB41DB20F320B3935027CAC83A95B6C

  6. You should have entered the gpg shell by now. Use numbers to select the key you want to edit, or run list to see all the keys. Enter 0 for the primary key.
 

gpg> list

gpg> key 0

  7. Once the key is selected, run the expire command to change the expiration date

gpg> expire

  8. Save changes

gpg> save

  9. Upload the public key back to Artifactory. You don't have to change the private key, since the private key does not expire.
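
To see which keys in the local keyring need the steps above (after step 4), or to confirm the new date once step 8 is done, the following added example, which is not part of the original article, parses the machine-readable output of `gpg --list-keys --with-colons`. It assumes GnuPG 2.1 or later; the function names `key_expiry_report` and `sample_listing`, the timestamps, and the all-digit key IDs and fingerprints in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the expiry state of each primary key in a keyring.
# Input (stdin): output of `gpg --list-keys --with-colons` (GnuPG 2.1+ assumed).
# Usage: gpg --list-keys --with-colons | key_expiry_report "$(date +%s)" 30
# Output: "<fingerprint> <state>", state = expired | expiring | ok | no-expiry
key_expiry_report() {   # $1 = current time (epoch seconds), $2 = warning window (days)
  awk -F: -v now="$1" -v warn="$2" '
    # "pub" record: field 7 is the expiry time in epoch seconds, empty if none.
    $1 == "pub" { expiry = $7; want_fpr = 1; next }
    # Subkeys carry their own "fpr" record; skip it so only primary keys are reported.
    $1 == "sub" { want_fpr = 0; next }
    # "fpr" record following a "pub": field 10 is the full fingerprint,
    # which is the value to pass to `gpg --edit-key`.
    $1 == "fpr" && want_fpr {
      want_fpr = 0
      if (expiry == "")                        state = "no-expiry"
      else if (expiry + 0 <= now + 0)          state = "expired"
      else if (expiry - now <= warn * 86400)   state = "expiring"
      else                                     state = "ok"
      print $10, state
    }'
}

# Constructed sample listing (not real gpg output): one expired key with a
# subkey, one key without an expiration date, one key that expires soon.
sample_listing() {
  cat <<'EOF'
pub:e:2048:1:35027CAC83A95B6C:1524873600:1587945600::-:::sc::::::23::0:
fpr:::::::::45E51D7FCBB41DB20F320B3935027CAC83A95B6C:
sub:e:2048:1:1111111111111111:1524873600:1587945600:::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
pub:-:2048:1:2222222222222222:1600000000:::-:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
pub:-:2048:1:3333333333333333:1600000000:1635114000::-:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
EOF
}
```
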
 

To restore the passphrase for your GPG key pair:
 

  10. Run this API to decrypt your system

$ curl -uadmin:password -X POST https://<Your_host>/artifactory/api/system/decrypt

  11. Check the config descriptor in the UI (Admin -> Artifactory -> Config Descriptor) or in $ARTIFACTORY_HOME/etc/artifactory/artifactory.config.latest.xml

  Look for <passphrase> under the <keyPair> section.

  12. Save the passphrase and run the encrypt API to encrypt your system again

$ curl -uadmin:password -X POST https://<Your_host>/artifactory/api/system/encrypt