OpenPGP shifts as NIST guides safe key rotation

Grafana GPG key rotation: what it is and required actions

Grafana GPG key rotation is the planned replacement of the OpenPGP public/private keys used to sign Grafana packages, repositories, and release artifacts. In practical terms, rotation ensures that users and automated systems continue to validate Grafana downloads against a current, trusted key.

Required actions typically include fetching the new public key, adding it to the local GPG keyring used by apt, yum, or dnf, and verifying the published fingerprint before trusting it. During the transition, teams should accept signatures from both old and new keys, prepare for a defined cutover date, and complete key revocation of the old key only after broad distribution of the replacement.

Why this rotation matters: security, trust, and uninterrupted installs

Regular GPG key rotation reduces exposure if a key is compromised, supports cryptographic agility as algorithms evolve, and preserves trust in the software supply chain. It also prevents avoidable outages tied to key expiry and helps keep install and upgrade flows predictable.

According to a post‑mortem by the Robot Operating System (ROS) community, an expired GPG public key used for repository signing led to package verification failures, prompting stricter rotation practices. The incident illustrates a simple cause‑and‑effect: without early distribution of a new key and a clear timeline, production installs can fail when the old key expires.

Immediate impact: package verification, CI builds, and keyring updates

A rotation affects how package managers validate Grafana artifacts: systems using apt/dpkg or rpm/dnf must trust the new public key in their keyrings so signature checks continue to pass. CI pipelines that pin repository signing fingerprints need updates to avoid breakage; builds should be able to validate either key during a soft‑launch period and then enforce the new fingerprint after cutover.

As described by InfluxData in its package signing key rotation, a phased rollout, generate the new signing subkey, publish compatibility keys and documentation, migrate packages, and only then begin signing primarily with the new key, helps maintain continuous verification. This sequencing reduces risk of failed installs because users receive the new key material before the hard switch.

As reported by Falco, running a soft‑launch where both old and new keys are distributed, followed by a hard cutover to retire the old key, limits operational disruption. Publishing the fingerprints for both keys allows users and CI systems to verify they are trusting the intended material before enforcement tightens.

Standards-aligned policy: cryptoperiods per NIST SP 800-57 and Mozilla

According to NIST SP 800‑57, key management should define cryptoperiods, the valid lifetime of a key, based on key type, usage, and threat model, with rotation driven by risk and algorithm strength. This frames rotation not as a one‑off change but as a lifecycle control embedded in security policy.

The CMS Key Management Handbook recommends at least annual rotation for asymmetric keys and stresses distributing new public key material before retiring or expiring the old key to avoid outages. These controls align with supply‑chain resilience goals and incident response readiness when compromise or deprecation is suspected.

Mozilla’s security guidelines emphasize short, reliable lifetimes; as the document notes, “preferring 2‑year keys with reliable key rotation.” That guidance reinforces the need for scheduled changes, clear timelines, and published fingerprints so downstream systems can update trust stores without interrupting installs.