I think it's telling that #GitHub, #GitLab, and even #Forgejo all don't have a workflow for "renew an #OpenPGP key", i.e. extend its validity before (or after) expiry. On all of them, you have to delete and re-add the key. It's as if nobody is following OpenPGP best practices and everyone is using keys without an expiry date.
@scy Do they even bother with expiry? I distincly remember having uploaded mine there way before the last lifetime extension, and while I've run into all sorts of trouble with expired PGP keys, there were none with the forges 🤔
@chrysn Yeah, they care little about it. Sometimes it's shown at least on the page where you manage your keys, and I think I've even seen some kind of indication next to a commit that it's signed, but the key has expired. Not 100% sure though.
Add comment