How to rotate the Firefox Release signing GPG Key
This is a rough guide, and is likely going to be out of date every time we have to rotate the keys. It is likely you will have to take different or additional steps than those described here. It’s always a good idea to look at the most recent rotation bug (like https://bugzilla.mozilla.org/show_bug.cgi?id=1703397) before getting started.
You should start this process at least a month before the current key expires. Because rotation involves access to the offline master keychain, there’s usually a bit of lead time involved.
At a high level, the process is as follows:
1) Generate a new signing subkey
2) Publish the new public key
3) Import the new private key into autograph
4) Update the public key in a few places
5) Start signing with the new private key
Here’s slightly more detail on each step:
Generate a new signing subkey
Publish the new public key
The new key needs to be published on keys.openpgp.org. Be sure to “verify” the key after publishing: keys.openpgp.org sends an e-mail containing a link to click on, and until that is done users who look the key up will not see an identity associated with it (which makes it useless to them).
A blog post like https://blog.mozilla.org/security/2019/06/13/updated-firefox-gpg-key/ should also be made.
Import the new private key into autograph
You will need to send the new private key and its passphrase to an autograph team member. They will handle importing it into autograph and creating new credentials (if necessary).
Update the public key
We publish our public key in a couple of places, and store it in others to verify some of our own signatures. Specifically, at least the following will need to be updated:
* The KEY file in the signingscript config in CloudOps’ repo. (Private repo, purposely not linked here.)
* Fenix and reference-browser’s repositories, e.g. https://github.com/mozilla-mobile/fenix/pull/19691 and https://github.com/mozilla-mobile/reference-browser/pull/1610
Start signing with the new private key
This will probably involve changing the signingscript secrets to use the new autograph credentials that are associated with the new key, and then deploying signingscript.
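The following is an added example, not part of this guide and not Mozilla's release tooling: it rehearses the five steps above end to end inside a throwaway GNUPGHOME, so each gpg command can be checked before it is run against the real offline master keychain. It assumes GnuPG 2.1 or later; the user ID, passphrase, key algorithm and expiry values are constructed placeholders, the autograph hand-off is represented only by an exported secret-subkey file, and the keys.openpgp.org upload is shown as a comment rather than run (it needs network access and the e-mail verification step).

```shell
#!/bin/sh
# Added example, not Mozilla's own tooling: rehearse a signing-subkey rotation end to end
# in a throwaway GNUPGHOME so every gpg command is checked before it touches the real
# offline master keychain. Assumptions: GnuPG 2.1+ is installed; the user ID, passphrase,
# algorithm and expiry values below are constructed placeholders, not Mozilla's.
set -eu

PASS="rehearsal-passphrase"   # constructed placeholder
UID_STR="Rehearsal Release Signing Key <release-rehearsal@example.invalid>"

# Non-interactive wrappers: --batch plus a loopback passphrase, so no pinentry is needed.
gpg_master() { GNUPGHOME="$MASTER_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" "$@"; }
gpg_verify() { GNUPGHOME="$VERIFY_HOME" gpg --batch --quiet "$@"; }

# One-off: a certify-only primary key, as the offline master is. Prints its fingerprint.
create_master() {
  gpg_master --quick-generate-key "$UID_STR" ed25519 cert 2y >/dev/null
  gpg_master --with-colons --fingerprint | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 1: add a signing subkey with an explicit expiry; prints the new subkey's fingerprint.
add_signing_subkey() {
  gpg_master --quick-add-key "$1" ed25519 sign 1y >/dev/null
  # In --with-colons output each sub record is followed by its fpr record, and field 12
  # holds the capabilities, so keep the fingerprint of the last signing ('s') subkey.
  gpg_master --with-colons --fingerprint --fingerprint "$1" \
    | awk -F: '$1 == "sub" && $12 ~ /s/ { want = 1; next }
               $1 == "fpr" && want     { last = $10; want = 0 }
               END { print last }'
}

# Step 2: the ASCII-armoured public key. This one file is what goes to keys.openpgp.org
# (gpg --keyserver hkps://keys.openpgp.org --send-keys <fingerprint>, then click the
# verification e-mail; not run here), the blog post, the signingscript KEY file and the
# Fenix / reference-browser repositories. Prints the path of the exported file.
export_public_key() { gpg_master --armor --export "$1" > "$WORK/KEY"; echo "$WORK/KEY"; }

# Step 3: hand-off material for autograph is only the new secret subkey. The trailing '!'
# selects exactly that subkey, so the certify-only primary never leaves the master keychain.
# Prints the number of private key blocks written (expected: 1).
export_subkey_for_autograph() {
  gpg_master --armor --export-secret-subkeys "$1!" > "$WORK/subkey.asc"
  grep -c 'BEGIN PGP PRIVATE KEY BLOCK' "$WORK/subkey.asc"
}

# Steps 4-5: sign with the new subkey, then verify in a clean keyring that holds nothing
# but the exported KEY file. gpg exits non-zero unless the signature is good and was made
# by a key present in that file.
sign_and_verify() {
  printf 'firefox-release-artifact (constructed sample)\n' > "$WORK/artifact"
  gpg_master --local-user "$1!" --armor --detach-sign --output "$WORK/artifact.asc" "$WORK/artifact"
  gpg_verify --import "$2"
  gpg_verify --verify "$WORK/artifact.asc" "$WORK/artifact"
}

# Whole rehearsal in fresh temporary keyrings; prints OK only if every step succeeded.
rehearse_rotation() {
  WORK="$(mktemp -d)"
  MASTER_HOME="$WORK/master"   # stands in for the offline master keychain
  VERIFY_HOME="$WORK/verify"   # stands in for a consumer holding only the public KEY file
  mkdir -m 700 "$MASTER_HOME" "$VERIFY_HOME"
  master_fpr="$(create_master)"
  sub_fpr="$(add_signing_subkey "$master_fpr")"
  keyfile="$(export_public_key "$master_fpr")"
  [ "$(export_subkey_for_autograph "$sub_fpr")" = 1 ]
  sign_and_verify "$sub_fpr" "$keyfile"
  # Stop the agents started for the temporary homes, then remove all rehearsal key material.
  GNUPGHOME="$MASTER_HOME" gpgconf --kill gpg-agent || true
  GNUPGHOME="$VERIFY_HOME" gpgconf --kill gpg-agent || true
  rm -rf "$WORK"
  echo OK
}

command -v gpg >/dev/null 2>&1 && rehearse_rotation
```

The verification keyring deliberately starts empty and receives only the exported KEY file, which mirrors how signingscript and the mobile repositories consume the key: if the subkey fingerprint or the export step is wrong, the final `--verify` fails rather than silently trusting whatever is in the operator's own keyring.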