Cryptographic keys

I have three kinds of keys at the moment: good old PGP/GPG keys that are mostly used to sign git commits, minisign keys that are used to sign software (being phased out), and sigstore keys that are used to sign software (being phased in).

GPG keys

These have an expiration date. I initially used 1-year keys, but that was too much trouble, so in 2015 I decided to use 10-year keys, possibly with shorter-lived subkeys.

The keys are also available on public keyservers. Whatever a keyserver hands back, check its full 40-digit fingerprint against the listings below before trusting it: the 8-character short IDs in the pub lines (E44FC474 and so on) are only the last 32 bits of the fingerprint, and anyone can generate a key that collides on them.

Current key: passcod06 (2015–2025)

pub   4096R/E44FC474 2015-04-11 [expires: 2025-04-08]
key   C24C ED9C 5790 0009 12F3  BAB4 B948 C4BA E44F C474
uid   Félix Saparelli (:passcod) <>

passcod05 (2014–2015)

pub   4096R/AE1ED85D 2014-03-27 [expires: 2015-03-27]
key   E49C 3114 2E3D 10A4 69F0  86DC 6B09 4637 AE1E D85D
uid   Félix Saparelli (:passcod) <>

passcod04 (2013–2014)

pub   4096R/3C51B6EB 2013-03-27 [expired: 2014-03-27]
key   0417 E9C8 3281 CB17 E7CB  B0EA AE48 6FBE 3C51 B6EB
uid   Felix Saparelli (:passcod) <>

passcod03 (2012–2013)

pub   4096R/C2C15214 2012-09-26 [expired: 2013-03-25]
key   FE31 5C83 9FC5 0618 A49B  AEE3 8487 3386 C2C1 5214
uid   Felix Saparelli (:passcod) <>
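A check worth automating when fetching one of these keys from a keyserver: compare the full fingerprint, never the short ID alone. The Go program below is an added example, not the author's code: it parses the machine-readable output of gpg --with-colons, takes the fingerprint of the primary key (the fpr record directly after pub; later fpr records belong to subkeys), and accepts the key only if that fingerprint equals the published one and the key has not expired. The colon-format sample is constructed here to match the current key's listing above; the trust values and the subkey in it are made up.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed sample of `gpg --with-colons --fingerprint E44FC474` for the current key
// above; only the record types read below are included, and the subkey is made up.
const sampleColons = `pub:u:4096:1:B948C4BAE44FC474:1428710400:1744070400::u:::scESC::::::23::0:
fpr:::::::::C24CED9C5790000912F3BAB4B948C4BAE44FC474:
sub:u:4096:1:0123456789ABCDEF:1428710400:1460246400:::::s::::::23:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
`

// KeyInfo is the primary key as described by its pub record and the fpr record after it.
type KeyInfo struct {
	LongID      string    // pub field 5: 16 hex digits, itself just the tail of the fingerprint
	Fingerprint string    // fpr field 10: 40 hex digits, the value to pin
	Expires     time.Time // pub field 7; zero when the key does not expire
}

// NormalizeFingerprint drops display spacing and uppercases, so the "C24C ED9C ..." form
// printed on this page compares equal to gpg's unspaced output.
func NormalizeFingerprint(s string) string {
	return strings.ToUpper(strings.Join(strings.Fields(s), ""))
}

// ParseColons reads the first primary key. The fpr record directly after pub is the
// primary's; later fpr records belong to subkeys and are ignored.
func ParseColons(out string) (KeyInfo, error) {
	var k KeyInfo
	seenPub := false
records:
	for _, line := range strings.Split(out, "\n") {
		f := strings.Split(line, ":")
		switch f[0] {
		case "pub":
			if seenPub {
				break records // a second key starts; only the first is read
			}
			if len(f) < 7 {
				return k, errors.New("malformed pub record")
			}
			seenPub, k.LongID = true, f[4]
			if f[6] != "" {
				secs, err := strconv.ParseInt(f[6], 10, 64)
				if err != nil {
					return k, fmt.Errorf("malformed expiry %q", f[6])
				}
				k.Expires = time.Unix(secs, 0).UTC()
			}
		case "fpr":
			if seenPub && k.Fingerprint == "" && len(f) > 9 {
				k.Fingerprint = f[9]
			}
		}
	}
	if !seenPub || k.Fingerprint == "" {
		return k, errors.New("no primary key with an fpr record")
	}
	return k, nil
}

// CheckKey accepts a fetched key only if its full fingerprint equals the published one and it
// has not expired. A short (8) or long (16) key ID is refused as the reference value: it is
// only the tail of the fingerprint, and keys with a chosen tail are cheap to generate.
func CheckKey(k KeyInfo, publishedFpr string, now time.Time) error {
	want := NormalizeFingerprint(publishedFpr)
	if len(want) != 40 {
		return fmt.Errorf("%q is not a full fingerprint (40 hex digits); refusing to match on a key ID", publishedFpr)
	}
	got := NormalizeFingerprint(k.Fingerprint)
	if got != want {
		return fmt.Errorf("fingerprint mismatch: fetched %s, published %s", got, want)
	}
	if !strings.HasSuffix(got, strings.ToUpper(k.LongID)) {
		return errors.New("pub key ID is not the tail of the fpr record: corrupt listing")
	}
	if !k.Expires.IsZero() && now.After(k.Expires) {
		return fmt.Errorf("key expired on %s", k.Expires.Format("2006-01-02"))
	}
	return nil
}

func main() {
	k, err := ParseColons(sampleColons)
	if err != nil {
		panic(err)
	}
	fmt.Printf("fetched %s (expires %s)\n", k.Fingerprint, k.Expires.Format("2006-01-02"))
	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("full fingerprint:", CheckKey(k, "C24C ED9C 5790 0009 12F3 BAB4 B948 C4BA E44F C474", now))
	fmt.Println("short key ID:    ", CheckKey(k, "E44FC474", now))
}
```

Against real output, replace sampleColons with the result of running gpg --with-colons --fingerprint on the key you fetched; the first call in main succeeds and the second fails, because only a full fingerprint is accepted as the value to compare.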

Minisign keys

In minisign format.

Used for identity verification.

untrusted comment: minisign public key: DC4E60487F4A50B8

Used for signing software binaries and source.

untrusted comment: minisign public key: 2264BBE425DA952E
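The "untrusted comment" line is named that way for a reason: nothing in it is covered by a signature, so the key ID printed there is informational only. What a verifier actually compares is the 8-byte key ID embedded in the decoded signature against the one embedded in the decoded public key, and the only comment that is authenticated is the "trusted comment" in the signature file, which the global signature covers. The Go program below is an added example, not the author's or minisign's code. It parses both file formats and verifies the legacy "Ed" mode (Ed25519 over the raw message) with the standard library; the prehashed "ED" mode that current minisign emits by default signs the Blake2b-512 hash of the message, which needs a package outside the standard library, so this verifier rejects it with an explicit error rather than pretending to check it. The key, key ID, message and comments are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// PublicKey is the decoded key line: "Ed" || KeyID (8 bytes) || Key (32-byte Ed25519 key).
type PublicKey struct{ KeyID, Key []byte }

// Signature is the decoded signature file. Only TrustedComment is authenticated (by GlobalSig);
// the "untrusted comment" lines of both files are covered by nothing and are never checked.
type Signature struct {
	Alg                   string // "Ed" = over the raw message, "ED" = over Blake2b-512(message)
	KeyID, Sig, GlobalSig []byte // 8, 64 and 64 bytes; GlobalSig is over Sig || TrustedComment
	TrustedComment        string
}

func decodeLine(s string, want int) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(s))
	if err == nil && len(raw) != want {
		err = fmt.Errorf("decoded %d bytes, want %d", len(raw), want)
	}
	return raw, err
}

// ParsePublicKey reads the two-line key file.
func ParsePublicKey(text string) (*PublicKey, error) {
	lines := strings.Split(strings.TrimSpace(text), "\n")
	if len(lines) != 2 || !strings.HasPrefix(lines[0], "untrusted comment: ") {
		return nil, errors.New("want an untrusted-comment line followed by one base64 line")
	}
	raw, err := decodeLine(lines[1], 2+8+ed25519.PublicKeySize)
	if err != nil {
		return nil, err
	}
	if string(raw[:2]) != "Ed" {
		return nil, fmt.Errorf("unsupported key algorithm %q", raw[:2])
	}
	return &PublicKey{KeyID: raw[2:10], Key: raw[10:]}, nil
}

// ParseSignature reads the four-line signature file.
func ParseSignature(text string) (*Signature, error) {
	lines := strings.Split(strings.TrimSpace(text), "\n")
	if len(lines) != 4 || !strings.HasPrefix(lines[0], "untrusted comment: ") || !strings.HasPrefix(lines[2], "trusted comment: ") {
		return nil, errors.New("want: untrusted comment, base64, trusted comment, base64")
	}
	raw, err := decodeLine(lines[1], 2+8+ed25519.SignatureSize)
	if err != nil {
		return nil, err
	}
	global, err := decodeLine(lines[3], ed25519.SignatureSize)
	if err != nil {
		return nil, err
	}
	return &Signature{Alg: string(raw[:2]), KeyID: raw[2:10], Sig: raw[10:],
		TrustedComment: strings.TrimPrefix(lines[2], "trusted comment: "), GlobalSig: global}, nil
}

// Verify checks that the signature names this key, then the message signature, then the
// global signature binding the trusted comment. "ED" is rejected, not silently skipped.
func Verify(pk *PublicKey, sig *Signature, message []byte) error {
	if !bytes.Equal(pk.KeyID, sig.KeyID) {
		return fmt.Errorf("signed by key %X, but the public key is %X", sig.KeyID, pk.KeyID)
	}
	if sig.Alg == "ED" {
		return errors.New("prehashed signature: Blake2b-512 is not in the standard library")
	} else if sig.Alg != "Ed" {
		return fmt.Errorf("unknown signature algorithm %q", sig.Alg)
	}
	key := ed25519.PublicKey(pk.Key)
	if !ed25519.Verify(key, message, sig.Sig) {
		return errors.New("message signature does not verify")
	}
	if !ed25519.Verify(key, append(append([]byte{}, sig.Sig...), sig.TrustedComment...), sig.GlobalSig) {
		return errors.New("trusted comment altered: global signature does not verify")
	}
	return nil
}

// SignLegacy emits a key file and a legacy-mode ("Ed") signature file for message, using
// constructed key material (fixed seed, made-up key ID): not the author's key.
func SignLegacy(message []byte, trustedComment string) (pubFile, sigFile string) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	keyID := []byte{0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11}
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, message)
	global := ed25519.Sign(priv, append(append([]byte{}, sig...), trustedComment...))
	b64 := base64.StdEncoding.EncodeToString
	pubFile = fmt.Sprintf("untrusted comment: minisign public key: %X\n%s\n", keyID,
		b64(bytes.Join([][]byte{[]byte("Ed"), keyID, pub}, nil)))
	sigFile = "untrusted comment: signature from minisign secret key\n" +
		b64(bytes.Join([][]byte{[]byte("Ed"), keyID, sig}, nil)) + "\n" +
		"trusted comment: " + trustedComment + "\n" + b64(global) + "\n"
	return pubFile, sigFile
}
```

Usage: build the two files with SignLegacy, run them through ParsePublicKey and ParseSignature, and call Verify with the message. Change one byte of the message, or edit the trusted-comment line of the signature file, and Verify returns an error naming which of the two signatures failed; edit either untrusted-comment line and nothing changes, which is exactly why the format labels them that way.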

Sigstore keys

In sigstore/cosign format, used for signing artifacts (software binary releases, container images, etc).

Eventually this key will disappear as signing moves to sigstore's keyless flow, where a short-lived key is generated for each signing run and bound to my identity by a certificate, but in the meantime you can use this key to verify artifacts, along these lines:

$ cosign verify \
  -key \


-----END PUBLIC KEY-----
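The cosign verify command above is the container-image form, where the signed payload is a JSON document cosign generates rather than the artifact bytes. For a plain file signed with cosign sign-blob, the --key check reduces to something small enough to show in full: the PEM block is a PKIX-encoded ECDSA P-256 public key, the signature file is the base64 of an ASN.1 ECDSA signature, and it is verified over SHA-256 of the blob. The Go program below is an added example, not the page's or cosign's own code; the key pair is generated at run time as a stand-in for the author's key, and the transparency-log (Rekor) lookup that cosign also performs is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// ParseCosignPublicKey reads the PEM block `cosign generate-key-pair` writes to cosign.pub:
// a "-----BEGIN PUBLIC KEY-----" (PKIX) encoding of an ECDSA P-256 public key.
func ParseCosignPublicKey(pemText []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemText)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("expected a PEM PUBLIC KEY block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := key.(*ecdsa.PublicKey)
	if !ok || ec.Curve != elliptic.P256() {
		return nil, errors.New("not an ECDSA P-256 key")
	}
	return ec, nil
}

// VerifyBlob is the signature check behind `cosign verify-blob --key cosign.pub
// --signature <sig> <blob>`: the signature file holds base64 of an ASN.1 ECDSA signature
// over SHA-256(blob). The Rekor transparency-log lookup cosign also does is not included.
func VerifyBlob(pub *ecdsa.PublicKey, blob []byte, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSpace(sigB64))
	if err != nil {
		return fmt.Errorf("signature is not base64: %w", err)
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify over this blob with this key")
	}
	return nil
}

// NewConstructedKey generates a P-256 key pair as a stand-in for a real cosign key
// (constructed for this example; not the author's key) and the PEM cosign.pub would hold.
func NewConstructedKey() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// SignBlob mirrors the output of `cosign sign-blob --key cosign.key <blob>`: base64 of the
// ASN.1 ECDSA signature over SHA-256(blob).
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

func main() {
	priv, pemText, err := NewConstructedKey()
	if err != nil {
		panic(err)
	}
	pub, err := ParseCosignPublicKey(pemText)
	if err != nil {
		panic(err)
	}
	blob := []byte("constructed release artifact bytes\n")
	sig, err := SignBlob(priv, blob)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(pemText))
	fmt.Println("genuine blob: ", VerifyBlob(pub, blob, sig))
	fmt.Println("modified blob:", VerifyBlob(pub, []byte("constructed release artifact bytes!\n"), sig))
}
```

To check a real release, read cosign.pub into ParseCosignPublicKey and pass the downloaded file and the contents of its .sig file to VerifyBlob; a passing result here is necessary but not sufficient, since cosign additionally confirms the signature was logged in Rekor.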