A recent discussion on debian-project reminded me I have to do this:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1,SHA256

Hello,

I am transitioning GPG keys from an old 1024-bit DSA key to a new 4096-bit RSA key. The old key will continue to be valid for some time, but I prefer all new correspondance to be encrypted in the new key, and will be making all signatures going forward with the new key.

This transition document is signed with both keys to validate the transition.

If you have signed my old key, I would appreciate signatures on my new key as well, provided that your signing policy permits that without reauthenticating me.

The old key, which I am transitional away from, is:

  pub   1024D/9057B5D3 2002-02-07
        Key fingerprint = 7AA1 9755 336C 6D0B 8757 E393 B0E1 98D7 9057 B5D3

The new key, to which I am transitioning, is:

  pub   4096R/31ED8AEF 2009-05-08
        Key fingerprint = DE8F 92CD 16FA 1E5B A16E E95E D265 C085 31ED 8AEF

To fetch the full new key from a public key server using GnuPG, run:

  gpg --keyserver keys.gnupg.net --recv-key D265C08531ED8AEF

If you have already validated my old key, you can then validate that the new key is signed by my old key:

  gpg --check-sigs D265C08531ED8AEF

If you then want to sign my new key, a simple and safe way to do that is by using caff (shipped in Debian as part of the "signing-party" package) as follows:

  caff D265C08531ED8AEF

Please contact me via e-mail at <firstname.lastname@example.org> if you have any questions about this document or this transition.

Remi vanicat
email@example.com
firstname.lastname@example.org
email@example.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
-----END PGP SIGNATURE-----

Here is the link to the .txt version for easier checking of the signature.
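
To confirm mechanically that a statement like the one above is signed by both keys, the following added example (not part of the original post) checks GnuPG's machine-readable status output for a `VALIDSIG` line matching each full fingerprint from the statement. The function names, the sample status lines and the file name `transition.txt` are assumptions made for illustration.

```shell
#!/bin/sh
# Full fingerprints copied from the transition statement above.
OLD_FPR=7AA19755336C6D0B8757E393B0E198D79057B5D3
NEW_FPR=DE8F92CD16FA1E5BA16EE95ED265C08531ED8AEF

# Reads GnuPG status lines on stdin; succeeds only when a VALIDSIG line
# is present for each expected fingerprint. GOODSIG is deliberately not
# used: it carries only the 64-bit key ID, not the fingerprint.
both_keys_signed() {
    awk -v old="$OLD_FPR" -v new="$NEW_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3: fingerprint of the signing (sub)key; $NF: primary key.
            if ($3 == old || $NF == old) seen_old = 1
            if ($3 == new || $NF == new) seen_new = 1
        }
        END { exit !(seen_old && seen_new) }'
}

# Constructed status output (dates and timestamps are made up):
# a DSA/SHA1 signature from the old key, an RSA/SHA256 one from the new.
sample_dual() {
    cat <<EOF
[GNUPG:] GOODSIG B0E198D79057B5D3 Example User (constructed)
[GNUPG:] VALIDSIG $OLD_FPR 2000-01-01 946684800 0 4 0 17 2 01 $OLD_FPR
[GNUPG:] GOODSIG D265C08531ED8AEF Example User (constructed)
[GNUPG:] VALIDSIG $NEW_FPR 2000-01-01 946684800 0 4 0 1 8 01 $NEW_FPR
EOF
}

# Constructed failure case: only the new key's signature validates,
# which proves nothing about the old key's owner endorsing the new key.
sample_new_only() {
    cat <<EOF
[GNUPG:] ERRSIG B0E198D79057B5D3 17 2 01 946684800 9
[GNUPG:] NO_PUBKEY B0E198D79057B5D3
[GNUPG:] GOODSIG D265C08531ED8AEF Example User (constructed)
[GNUPG:] VALIDSIG $NEW_FPR 2000-01-01 946684800 0 4 0 1 8 01 $NEW_FPR
EOF
}

# Real use (transition.txt is a hypothetical local copy of the statement):
#   gpg --status-fd 1 --verify transition.txt 2>/dev/null | both_keys_signed
sample_dual | both_keys_signed && echo "signed by both keys"
sample_new_only | both_keys_signed || echo "missing a signature: do not trust"
```

Both public keys must already be in the local keyring for `gpg --verify` to emit `VALIDSIG` for them; a missing key shows up as `ERRSIG`/`NO_PUBKEY` and the check fails closed.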