Improved GPG key management experience (github#29113)

Author: davidstaheli

assets/images/help/settings/gpg-verified-with-expired-key.png

@@ -70,7 +70,7 @@ To sign commits using GPG and have those commits verified on {% data variables.p
 
 1. [Check for existing GPG keys](/articles/checking-for-existing-gpg-keys)
 2. [Generate a new GPG key](/articles/generating-a-new-gpg-key)
-3. [Add a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)
+3. [Add a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)
 4. [Tell Git about your signing key](/articles/telling-git-about-your-signing-key)
 5. [Sign commits](/articles/signing-commits)
 6. [Sign tags](/articles/signing-tags)

content/authentication/managing-commit-signature-verification/about-commit-signature-verification.md

@@ -0,0 +1,72 @@
+---
+title: Adding a GPG key to your GitHub account
+intro: 'To configure your account on {% ifversion ghae %}{% data variables.product.product_name %}{% else %}{% data variables.product.product_location %}{% endif %} to use your new (or existing) GPG key, you''ll also need the key to your account.'
+redirect_from:
+  - /articles/adding-a-gpg-key-to-your-github-account
+  - /github/authenticating-to-github/adding-a-new-gpg-key-to-your-github-account
+  - /github/authenticating-to-github/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account
+  - /articles/updating-an-expired-gpg-key
+  - /authentication/troubleshooting-commit-signature-verification/updating-an-expired-gpg-key
+  - /github/authenticating-to-github/updating-an-expired-gpg-key
+  - /github/authenticating-to-github/troubleshooting-commit-signature-verification/updating-an-expired-gpg-key
+  - /authentication/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghae: '*'
+  ghec: '*'
+topics:
+  - Identity
+  - Access management
+shortTitle: Add a GPG key
+---
+
+## About addition of GPG keys to your account
+
+To sign commits associated with your account on {% data variables.product.product_name %}, you can add a public GPG key to your personal account. Before you add a key, you should check for existing keys. If you don't find any existing keys, you can generate and copy a new key. For more information, see "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)" and "[Generating a new GPG key](/articles/generating-a-new-gpg-key)."
+
+You can add multiple public keys to your account on {% data variables.product.product_name %}. Commits signed by any of the corresponding private keys will show as verified. If you remove a public key, any commits signed by the corresponding private key will no longer show as verified.
+
+{% ifversion upload-expired-or-revoked-gpg-key %}
+To verify as many of your commits as possible, you can add expired and revoked keys. If the key meets all other verification requirements, commits that were previously signed by any of the corresponding private keys will show as verified and indicate that their signing key is expired or revoked.
+
+![A verified commit whose key expired](/assets/images/help/settings/gpg-verified-with-expired-key.png)
+{% endif %}
+
+{% data reusables.gpg.supported-gpg-key-algorithms %}
+
+When verifying a signature, {% data variables.product.product_name %} extracts the signature and attempts to parse its key ID. The key ID is then matched with keys added to {% data variables.product.product_name %}. Until a matching GPG key is added to {% data variables.product.product_name %}, it cannot verify your signatures.
+
+## Adding a GPG key
+
+{% data reusables.user-settings.access_settings %}
+{% data reusables.user-settings.ssh %}
+3. Click **New GPG key**.
+   ![GPG Key button](/assets/images/help/settings/gpg-add-gpg-key.png)
+4. In the "Key" field, paste the GPG key you copied when you [generated your GPG key](/articles/generating-a-new-gpg-key).
+   ![The key field](/assets/images/help/settings/gpg-key-paste.png)
+5. Click **Add GPG key**.
+   ![The Add key button](/assets/images/help/settings/gpg-add-key.png)
+6. To confirm the action, enter your {% data variables.product.product_name %} password.
+
+{% ifversion upload-expired-or-revoked-gpg-key %}
+{% else %}
+## Updating an expired GPG key
+
+When verifying a signature, {% data variables.product.product_name %} checks that the key is not revoked or expired. If your signing key is revoked or expired, {% data variables.product.product_name %} cannot verify your signatures.
+
+If your key is expired, you must [update its expiration](https://www.gnupg.org/gph/en/manual.html#AEN329), export the new key, delete the expired key in your account on {% data variables.product.product_name %}, and add the new key to your account as described above. Your previous commits and tags will show as verified, as long as the key meets all other verification requirements.
+
+If your key is revoked, use the primary key or another key that is not revoked to sign your commits.
+
+If your key is invalid and you don't use another valid key in your key set, but instead generate a new GPG key with a new set of credentials, then your commits made with the revoked or expired key will continue to show as unverified. Also, your new credentials will not be able to re-sign or verify your old commits and tags.
+{% endif %}
+
+## Further reading
+
+- "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
+- "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
+- "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)"
+- "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
+- "[Signing commits and tags using GPG keys](/articles/signing-commits-and-tags-using-gpg)"
+- "[About commit signature verification](/articles/about-commit-signature-verification)"

content/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account.md

@@ -50,13 +50,13 @@ If you're using a GPG key that matches your committer identity and your verified
   $ gpg --armor --export <em>3AA5C34371567BD2</em>
   # Prints the GPG key, in ASCII armor format
   ```
-11. Upload the GPG key by [adding it to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account).
+11. Upload the GPG key by [adding it to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account).
 
 ## Further reading
 
 - "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
 - "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
 - "[Using a verified email address in your GPG key](/articles/using-a-verified-email-address-in-your-gpg-key)"
-- "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)"
+- "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
 - "[Signing commits](/articles/signing-commits)"
 - "[Signing tags](/articles/signing-tags)"

content/authentication/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account.md

@@ -32,12 +32,12 @@ shortTitle: Existing GPG keys
       $ gpg --armor --export <em>3AA5C34371567BD2</em>
       # Prints the GPG key ID, in ASCII armor format
       ```
-      You can then [add your GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account).
+      You can then [add your GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account).
 
 ## Further reading
 
 * "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
-* "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)"
+* "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
 * "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)"
 * "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
 * "[Signing commits](/articles/signing-commits)"

content/authentication/managing-commit-signature-verification/associating-an-email-with-your-gpg-key.md

@@ -37,7 +37,7 @@ topics:
       ```
 4. At the prompt, specify the kind of key you want, or press `Enter` to accept the default.
 5. At the prompt, specify the key size you want, or press `Enter` to accept the default. Your key must be at least `4096` bits.
-6. Enter the length of time the key should be valid. Press `Enter` to specify the default selection, indicating that the key doesn't expire.
+6. Enter the length of time the key should be valid. Press `Enter` to specify the default selection, indicating that the key doesn't expire. Unless you require an expiration date, we recommend accepting this default.
 7. Verify that your selections are correct.
 8. Enter your user ID information.
 
@@ -56,12 +56,12 @@ topics:
   # Prints the GPG key ID, in ASCII armor format
   ```
 11. Copy your GPG key, beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with `-----END PGP PUBLIC KEY BLOCK-----`.
-12. [Add the GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account).
+12. [Add the GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account).
 
 ## Further reading
 
 * "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
-* "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)"
+* "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
 * "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)"
 * "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
 * "[Signing commits](/articles/signing-commits)"

content/authentication/managing-commit-signature-verification/checking-for-existing-gpg-keys.md

@@ -19,7 +19,7 @@ children:
   - /displaying-verification-statuses-for-all-of-your-commits
   - /checking-for-existing-gpg-keys
   - /generating-a-new-gpg-key
-  - /adding-a-new-gpg-key-to-your-github-account
+  - /adding-a-gpg-key-to-your-github-account
   - /telling-git-about-your-signing-key
   - /associating-an-email-with-your-gpg-key
   - /signing-commits

content/authentication/managing-commit-signature-verification/generating-a-new-gpg-key.md

@@ -54,7 +54,7 @@ If you have multiple keys or are attempting to sign commits or tags with a key t
 
 * "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
 * "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
-* "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)"
+* "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
 * "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)"
 * "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
 * "[Signing tags](/articles/signing-tags)"

content/authentication/managing-commit-signature-verification/index.md

@@ -33,7 +33,7 @@ topics:
 - "[Viewing your repository's tags](/articles/viewing-your-repositorys-tags)"
 - "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
 - "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
-- "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)"
+- "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
 - "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)"
 - "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
 - "[Signing commits](/articles/signing-commits)"

content/authentication/managing-commit-signature-verification/signing-commits.md

@@ -108,7 +108,7 @@ If you have multiple GPG keys, you need to tell Git which one to use.
 - "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
 - "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
 - "[Using a verified email address in your GPG key](/articles/using-a-verified-email-address-in-your-gpg-key)"
-- "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)"
+- "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
 - "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
 - "[Signing commits](/articles/signing-commits)"
 - "[Signing tags](/articles/signing-tags)"

content/authentication/managing-commit-signature-verification/signing-tags.md

@@ -15,7 +15,6 @@ topics:
   - Access management
 children:
   - /checking-your-commit-and-tag-signature-verification-status
-  - /updating-an-expired-gpg-key
   - /using-a-verified-email-address-in-your-gpg-key
 shortTitle: Troubleshoot verification
 ---

content/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key.md

@@ -0,0 +1,8 @@
+# Issue: 7123
+# Description: Allow adding expired and revoked GPG keys for verifying commit and tag signatures
+# Usage: {% ifversion upload-expired-or-revoked-gpg-key %} ... {% endif %}
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.6'
+  ghae: 'issue-7123'

content/authentication/troubleshooting-commit-signature-verification/index.md

@@ -5,7 +5,7 @@
    ```
 1. Copy your PGP key, beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with `-----END PGP PUBLIC KEY BLOCK-----`.
 1. Sign into {% data variables.product.prodname_ghe_server %} as the `web-flow` user.
-1. Add the public PGP key to the user's profile. For more information, see "[Adding a new GPG key to your {% data variables.product.prodname_dotcom %} account](/authentication/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account)."
+1. Add the public PGP key to the user's profile. For more information, see "[Adding a GPG key to your {% data variables.product.prodname_dotcom %} account](/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account)."
 
    {% note %}