How to actually revoke a GitHub GPG key? #108355

Closed Answered by Vectorial1024
Vectorial1024 asked this question in Code Security

Experimented on this a bit, and basically, yes, revoke the key and re-add it to GitHub.

Ideally, you should add an expiry date to your keys when they are being created, but let's say your keys do not expire, and you want to revoke them. GitHub does recommend not setting an expiration date for your keys; see https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key . Let's say you suddenly want to revoke a GitHub GPG key.

Here are the steps:

  1. List keys & find your key

     gpg --list-keys

  2. Revoke your key; export the revocation certificate

     gpg --output revoke.asc --gen-revoke KEYID

  3. Import the revocation certificate back to your (local) keyring
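
A check that fits after step 3, as an added example that is not part of the original post: it reads `gpg --list-keys --with-colons` output and reports whether a key is marked revoked in the local keyring. The function names and the sample listing are constructed for illustration; the field positions follow GnuPG's colon-listing format.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Reads `gpg --list-keys --with-colons` output on stdin. In that format
# field 1 is the record type, field 2 the validity (r = revoked, e = expired),
# field 5 the long key ID, and field 10 of an fpr record the fingerprint.

# key_status: print "FINGERPRINT KEYID STATE" for every primary key.
key_status() {
    awk -F: '
        $1 == "pub" { validity = $2; keyid = $5; want_fpr = 1; next }
        $1 == "fpr" && want_fpr {
            state = "active"
            if (validity == "r") state = "revoked"
            else if (validity == "e") state = "expired"
            print $10, keyid, state
            want_fpr = 0   # skip the fpr records that belong to subkeys
        }'
}

# is_revoked KEY: succeed only if KEY (long ID or fingerprint) is listed
# and its primary key is revoked; an unknown key counts as a failure.
is_revoked() {
    key_status | awk -v want="$1" '
        $1 == want || $2 == want { found = 1; if ($3 != "revoked") bad = 1 }
        END { exit !(found && !bad) }'
}

# Constructed sample listing: one revoked key and one still-valid key.
sample_listing() {
    cat <<'EOF'
tru::1:1700000000:0:3:1:5
pub:r:4096:1:0123456789ABCDEF:1650000000:::-:::sc::::::23::0:
fpr:::::::::1111111111111111111111110123456789ABCDEF:
uid:r::::1650000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
pub:u:4096:1:8899AABBCCDDEEFF:1660000000:::u:::scESC::::::23::0:
fpr:::::::::2222222222222222222222228899AABBCCDDEEFF:
uid:u::::1660000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
sub:u:4096:1:1234123412341234:1660000000::::::e::::::23:
fpr:::::::::3333333333333333333333331234123412341234:
EOF
}

# Real use: gpg --list-keys --with-colons KEYID | is_revoked KEYID
sample_listing | key_status
```
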

Answer selected by Vectorial1024