Personal PGP key utilities. Small scripts for the operations I always have to look up in the GPG manual, wrapped so they're safe and repeatable.
`extend-key.sh` works on a file, not on your `~/.gnupg` keyring: it uses a disposable `GNUPGHOME` that is cleaned up on exit. It extends the expiry of the primary key and all subkeys, then pushes the updated public key to the listed keyservers (unless `--no-publish` is given).
```sh
./extend-key.sh --help                # full usage
./extend-key.sh key.asc               # extend for 2y (default), publish to default keyservers
./extend-key.sh -e 5y key.asc         # extend for 5 years
./extend-key.sh --no-publish key.asc  # extend locally only, don't touch keyservers
```
The passphrase is read from `$PGP_PASSPHRASE` or prompted interactively. Never pass the passphrase on the command line — CLI args are visible to other users via `ps`.
```sh
# Drop into the dev shell (Nix flake or direnv)
nix develop
# or, with direnv installed:
direnv allow

# Run the test suite (generates a throwaway fixture key, no real keys used,
# no network)
./test/test-extend-key.sh

# Lint
shellcheck extend-key.sh test/test-extend-key.sh
```

- The script uses `mktemp -d` + `chmod 700` + `trap` to keep the temporary GPG homedir isolated and cleaned up — even if it crashes or is Ctrl+C'd.
- The output file is written with `umask 077` so it's readable only by the current user.
- The passphrase is never logged, never on the command line, and only passed to `gpg` via `--pinentry-mode loopback --passphrase "$…"` in memory.
- `*.asc` is in `.gitignore`. Don't commit key files.
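The disposable-homedir pattern from the notes above, written out as an added example (this is not the project's own `extend-key.sh`): `with_disposable_gnupghome` creates a mode-0700 `GNUPGHOME`, runs a command in it under `umask 077`, and removes the directory on any kind of exit. The `extend_in_homedir` helper is an assumption about what such a wrapper runs inside the homedir; it uses `gpg --quick-set-expire` for the primary key and `'*'` for all subkeys, and hands the passphrase to `gpg` over stdin with `--passphrase-fd 0` rather than as an argument, so it never appears in `ps`.

```shell
#!/usr/bin/env bash
# Added example, not the project's extend-key.sh: the disposable-GNUPGHOME
# pattern (mktemp -d + chmod 700 + trap + umask 077), plus an assumed
# extend_in_homedir showing the gpg calls such a wrapper would run.
set -eu

# Run "$@" with GNUPGHOME pointing at a fresh, owner-only temp directory.
# The directory (and any gpg-agent started for it) is removed when the
# subshell exits for any reason: normal return, a failing command under
# set -e, or Ctrl+C / SIGTERM. The homedir path is printed first so a
# caller can confirm afterwards that it is gone.
with_disposable_gnupghome() {
    local home
    home=$(mktemp -d)
    chmod 700 "$home"
    printf '%s\n' "$home"
    (
        # Signal handlers exit, which makes the EXIT trap run.
        trap 'exit 130' INT
        trap 'exit 143' TERM
        trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$home"' EXIT
        export GNUPGHOME="$home"
        umask 077            # anything written from here on is 0600 / 0700
        "$@"
    )
}

# Assumed helper, run inside the disposable homedir (GNUPGHOME is exported):
# imports key file $1, sets expiry $2 (e.g. 2y) on the primary key and on
# every subkey ('*'), and exports the public key to $3. The passphrase comes
# from $PGP_PASSPHRASE over stdin, never as a command-line argument.
extend_in_homedir() {
    infile=$1 expiry=$2 outfile=$3
    gpg --batch --quiet --import "$infile"
    # First "fpr" record of the secret-key listing is the primary fingerprint.
    fpr=$(gpg --batch --with-colons --list-secret-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')
    for target in "" '*'; do          # "" = primary key, '*' = all subkeys
        printf '%s\n' "${PGP_PASSPHRASE:?PGP_PASSPHRASE must be set}" |
            gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
                --quick-set-expire "$fpr" "$expiry" ${target:+"$target"}
    done
    gpg --batch --armor --export "$fpr" >"$outfile"   # created with mode 0600
}

# Usage (needs gpg and a key file; nothing runs when called without arguments):
#   PGP_PASSPHRASE=... ./example.sh key.asc 2y key.extended.asc
if [ "$#" -eq 3 ]; then
    with_disposable_gnupghome extend_in_homedir "$1" "$2" "$3"
fi
```

The wrapper prints the homedir path as its first line of output, which is what lets a test (or a cautious operator) check that nothing is left behind on disk after a failed run, the situation the `trap` exists for.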
Apache License 2.0 — see LICENSE.