OpenSSL release signing key expiration extended

Blog on OpenSSL Library

Mar 20, 2026, 9:00:32 PM
to openss...@openssl.org
The expiration date of the OpenSSL release signing key with fingerprint
`BA5473A2B0587B07FB27CF2D216094DFD0CB81EF` has been extended from `08 Apr
2026` to `14 Jun 2026`.

Only the key expiration date has changed. The signing key itself remains the
same.

The updated public key is available at:
<https://keys.openpgp.org/search?q=BA5473A2B0587B07FB27CF2D216094DFD0CB81EF>



URL: https://openssl-library.org/post/2026-03-16-release-signing-key-validity/
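
An added example, not part of the announcement or of OpenSSL's own tooling: after refreshing the key from the URL above, this check parses `gpg --with-colons --list-keys` output and confirms that the primary fingerprint is unchanged and only the expiry moved. The two listings are constructed samples (creation time, key size, time of day, UID and subkey are invented), and the function names are hypothetical.

```python
from datetime import date, datetime, timezone

# Fingerprint and new expiry date as stated in the announcement.
EXPECTED_FPR = "BA5473A2B0587B07FB27CF2D216094DFD0CB81EF"
NEW_EXPIRY = date(2026, 6, 14)

# Constructed colon listing of the local copy before the refresh.
# Field 7 of a pub/sub record is the expiry (epoch seconds);
# field 10 of the fpr record that follows is the fingerprint.
BEFORE = """\
pub:-:4096:1:216094DFD0CB81EF:1600000000:1775649600::-:::scESC::::::23::0:
fpr:::::::::BA5473A2B0587B07FB27CF2D216094DFD0CB81EF:
uid:-::::1600000000::::Constructed UID <release@example.invalid>:
sub:-:4096:1:0123456789ABCDEF:1600000000:1775649600:::::e::::::23:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
"""
# Constructed listing after the refresh: same key material, later expiry.
AFTER = BEFORE.replace("1775649600", "1781438400")


def primary_key(colons):
    """Return (fingerprint, expiry date or None) of the first primary key."""
    rec = None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            rec = f  # remember which key the next fpr record belongs to
        elif f[0] == "fpr" and rec is not None and rec[0] == "pub":
            exp = None  # an empty expiry field means the key never expires
            if rec[6]:
                exp = datetime.fromtimestamp(int(rec[6]), tz=timezone.utc).date()
            return f[9], exp
    raise ValueError("no primary key record found")


def check_refresh(before, after, expected_fpr=EXPECTED_FPR, new_expiry=NEW_EXPIRY):
    """Return a list of problems; an empty list means a pure expiry extension."""
    problems = []
    fpr_before, _ = primary_key(before)
    fpr_after, exp_after = primary_key(after)
    if fpr_after != expected_fpr:
        problems.append("fingerprint differs from the announced one")
    if fpr_after != fpr_before:
        problems.append("primary key changed across the refresh")
    if exp_after != new_expiry:
        problems.append(f"expiry is {exp_after}, expected {new_expiry}")
    return problems


if __name__ == "__main__":
    print(check_refresh(BEFORE, AFTER) or "same key, expiry extended")
```

A changed fingerprint after a refresh means the key was replaced rather than extended, which is not what the announcement describes.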

Michael Richardson

Mar 21, 2026, 4:28:23 PM
to openss...@openssl.org

Blog on OpenSSL Library <nor...@openssl.org> wrote:
> The expiration date of the OpenSSL release signing key with fingerprint
> `BA5473A2B0587B07FB27CF2D216094DFD0CB81EF` has been extended from `08 Apr
> 2026` to `14 Jun 2026`.

I've never seen a message like this before, but maybe it was just never announced?
Why such a short extension?
Was there an intent to replace the key, but it won't be possible?

I'm all for having keys which expire within a year, but which are extended if
still safe. STAR/RFC8739-style. Three months seems too aggressive if that's
the pattern.
I do the expire key yearly, renewing for 365 days on Jan. 1. (Except when I
forget)

OpenPGP has a Preferred Key Server attribute.
"keyserver" in the GnuPG uid edit.
I don't know if any clients are willing to check such a URL for a fresh key,
but maybe it could become a thing.