I get this terminal error about every three to six months:

error: gpg failed to sign the data
fatal: failed to write commit object

When I see it I think “I really should have written down the problem last time”. So here we are, ready and willing to document.

The issue for me is that I set short expiration times for my gpg keys.

To verify my key is expired I run: $ gpg -K --keyid-format SHORT and get results like below:

sec   rsa4096/C990E8C4 2019-03-09 [SC] [expired: 2022-01-01]
      F8DA783FABA5CE386A0321A29BB0402DA8462BD1
uid         [ expired] Brian Pearce <brian @ email>

There we have it. My key is yet again expired. Now I’ve got two choices.

  1. Generate and distribute a new key
  2. Renew the expiry date on my existing key

1. Generating a new gpg key

  1. Kick off the generation process $ gpg --full-generate-key
  2. Follow all the prompts
  3. Once it’s done, copy the key fingerprint it prints. In this case it’s F8DA783FABA5CE386A0321A29BB0402DA8462BD1:
    pub   rsa4096 2022-01-05 [SC] [expires: 2022-07-04]
              F8DA783FABA5CE386A0321A29BB0402DA8462BD1
    uid                      Brian Pearce <brian @ email>
    sub   rsa4096 2022-01-05 [E] [expires: 2022-07-04]
    
  4. Print the public key with $ gpg --armor --export F8DA783FABA5CE386A0321A29BB0402DA8462BD1
  5. Copy the GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----

2. Renew the expiry date on an existing key

  1. Enter the gpg console $ gpg --edit-key F8DA783FABA5CE386A0321A29BB0402DA8462BD1
  2. Type expire and follow the prompts
  3. Type save

You can now see the key is valid again:

sec   rsa4096/C990E8C4 2022-01-05 [SC] [expires: 2022-07-04]
      F8DA783FABA5CE386A0321A29BB0402DA8462BD1
uid         [ultimate] Brian Pearce <brian @ email>
ssb   rsa4096/53FD37EB 2022-01-05 [E] [expires: 2022-07-04]

Why pick one over the other

There is no recommendation against renewing existing keys. The most important factor is that you keep using expiries so that you control the option to renew or not in the event one of the keys becomes compromised.
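
The signing error at the top only shows up after a key has already expired, so a check that flags keys ahead of time is useful. The script below is an added example, not part of the original post: it parses the machine-readable output of gpg -K --with-colons, and the function names, key IDs and dates in the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report expired or soon-to-expire secret keys.
# Real use:  gpg -K --with-colons | check_expiry "$(date +%s)" 30

# check_expiry NOW_EPOCH WARN_DAYS
# Reads a colon-format key listing on stdin. In sec/ssb records, field 5 is
# the key ID and field 7 is the expiry time in epoch seconds (empty = never).
# Prints one line per key and exits 1 if any key is expired or expires
# within WARN_DAYS.
check_expiry() {
    awk -F: -v now="$1" -v warn_days="$2" '
        $1 == "sec" || $1 == "ssb" {
            expires = $7
            if (expires == "") {
                state = "no-expiry"
            } else if (expires + 0 <= now + 0) {
                state = "EXPIRED"; bad = 1
            } else if (expires - now <= warn_days * 86400) {
                state = "expiring-soon"; bad = 1
            } else {
                state = "ok"
            }
            printf "%s %s %s\n", $1, $5, state
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample listing (not real keys). Expiry timestamps:
# 1640995200 = 2022-01-01, 1656892800 = 2022-07-04, empty = no expiry.
sample_listing() {
cat <<'EOF'
sec:e:4096:1:1111111111111111:1552089600:1640995200::u:::sc:::+:::23::0:
uid:e::::1552089600::0000::Example User <user@example.invalid>::::::::::0:
sec:u:4096:1:2222222222222222:1641340800:1656892800::u:::scESC:::+:::23::0:
ssb:u:4096:1:3333333333333333:1641340800:1656892800:::::e:::+:::23:
sec:u:4096:1:4444444444444444:1641340800:::u:::scESC:::+:::23::0:
EOF
}

# Demo on the constructed sample, evaluated as of 2022-01-05 with a
# 30-day warning window.
sample_listing | check_expiry 1641340800 30 || true
```

Run from cron or a shell startup file, the non-zero exit status gives a reminder to renew before git commit signing starts to fail.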