From f0e5ae9a8b1892e01cf488ba0f9ab97e4e23f50f Mon Sep 17 00:00:00 2001
From: ryan
Date: Tue, 16 Apr 2024 13:03:40 -0400
Subject: [PATCH] keyfork-derive-openpgp: document KEYFORK_OPENPGP_EXPIRE

---
 crates/derive/keyfork-derive-openpgp/src/lib.rs | 10 +++++++---
 crates/keyfork/src/cli/derive.rs | 8 ++++++--
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/crates/derive/keyfork-derive-openpgp/src/lib.rs b/crates/derive/keyfork-derive-openpgp/src/lib.rs
index 276620b..fd1b4db 100644
--- a/crates/derive/keyfork-derive-openpgp/src/lib.rs
+++ b/crates/derive/keyfork-derive-openpgp/src/lib.rs
@@ -59,8 +59,12 @@ pub enum Error {
 #[allow(missing_docs)]
 pub type Result = std::result::Result;
 
-/// Create an OpenPGP Cert with derived keys from the given derivation response, keys, and User
-/// ID.
+/// Create an OpenPGP Cert with private key data, with derived keys from the given derivation
+/// response, keys, and User ID.
+///
+/// Certificates are created with a default expiration of one day, but may be configured to expire
+/// later using the `KEYFORK_OPENPGP_EXPIRE` environment variable using values such as "15d" (15
+/// days), "1m" (one month), or "2y" (two years).
 ///
 /// # Errors
 /// The function may error for any condition mentioned in [`Error`].
@@ -109,7 +113,7 @@ pub fn derive(xprv: XPrv, keys: &[KeyFlags], userid: &UserID) -> Result {
 let cert = cert.insert_packets(vec![Packet::from(userid.clone()), binding.into()])?;
 let policy = sequoia_openpgp::policy::StandardPolicy::new();
 
-// Set certificate expiration to one day
+// Set certificate expiration to configured expiration or (default) one day
 let mut keypair = primary_key.clone().into_keypair()?;
 let signatures = cert.set_expiration_time(&policy, None, &mut keypair, Some(expiration_date))?;
diff --git a/crates/keyfork/src/cli/derive.rs b/crates/keyfork/src/cli/derive.rs
index 27cd731..24a4004 100644
--- a/crates/keyfork/src/cli/derive.rs
+++ b/crates/keyfork/src/cli/derive.rs
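Review bot: The new docstring on `derive` names `KEYFORK_OPENPGP_EXPIRE` and lists three example values, but it does not state the accepted grammar or what happens when the value does not parse, and the parsing itself is outside this hunk, so a reader cannot tell whether a bad value fails the derivation or silently falls back to one day. The "m" suffix deserves an explicit word because in most duration syntaxes it means minutes, not months, and a mis-read suffix changes the lifetime of a private key. I would add a line to the `# Errors` section such as `/// Returns an error if KEYFORK_OPENPGP_EXPIRE is set but cannot be parsed as an expiration.` if that is what the implementation does, or otherwise document the fallback explicitly, and add `/// The suffixes d, m and y denote days, months and years; other suffixes are rejected.` beside the examples once confirmed against the parser. The same example list appears in the derive.rs hunk, so whichever wording is settled on should be kept identical in both places.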
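Review bot: The reworded comment above `into_keypair` says the expiration is "configured", but `expiration_date` is computed earlier in `derive`, outside this hunk, so a reader at this line has no pointer to where the configuration comes from. A comment that names the source keeps the link explicit, e.g. `// expiration_date was resolved above from KEYFORK_OPENPGP_EXPIRE (default: one day)`, assuming that is indeed where the value is resolved. The body of `derive` starts and continues outside the hunk.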
@@ -20,8 +20,12 @@ pub enum DeriveSubcommands {
 /// Derive an OpenPGP Transferable Secret Key (private key). The key is encoded using OpenPGP
 /// ASCII Armor, a format usable by most programs using OpenPGP.
 ///
-/// The key is generated with a 24-hour expiration time. The operation to set the expiration
-/// time to a higher value is left to the user to ensure the key is usable by the user.
+/// Certificates are created with a default expiration of one day, but may be configured to
+/// expire later using the `KEYFORK_OPENPGP_EXPIRE` environment variable using values such as
+/// "15d" (15 days), "1m" (one month), or "2y" (two years).
+///
+/// It is recommended to use the default expiration of one day and to change the expiration
+/// using an external utility, to ensure the Certify key is usable.
 #[command(name = "openpgp")]
 OpenPGP {
 /// Default User ID for the certificate, using the OpenPGP User ID format.
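Review bot: The help text for the `OpenPGP` subcommand repeats the `KEYFORK_OPENPGP_EXPIRE` example list from the library docstring but tells the operator neither what happens on an unrecognised value nor why the closing sentence considers the one-day default safer, and "to ensure the Certify key is usable" does not say what extending the expiration externally actually checks. Because this doc comment is what `keyfork derive openpgp --help` prints, I would state the failure mode once it is confirmed against the parser, e.g. `/// Values that cannot be parsed cause the command to fail instead of silently using one day.`, and make the rationale explicit with `/// Extending the expiration with an external OpenPGP tool also confirms the Certify key works.` if that is the intended reasoning. It is also worth noting in the help that the variable is read from the invoking shell's environment, since an exported value left over from an earlier session would lengthen the key's lifetime without any command-line indication. The enclosing `DeriveSubcommands` enum begins and continues outside the hunk.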