Hello - see inline
On 2/3/2016 3:49 PM, Riccardo Mori wrote:
> Hi everyone,
> Two months ago I decided to try the new ed25519 key introduced in Tor 2.7 with OfflineMasterKey set so I can keep the master key in a different place and just upload the medium-term signing key every month. Last month everything went ok: I renewed the key and Tor accepted it. This time instead after generating the new signing key with
> # tor --datadirectory path_to_my_master_key --signingkeylifetime '1 months' --keygen
Why do you use such a value for SigningKeyLifetime when the default is 30 days already? You can just skip --signingkeylifetime and have the medium-term signing key valid for 30 days (1 month). I am not totally sure *1 months* is a valid argument here (could be, not sure) - why not the default 30 days or more than 1 month?
Your problem is kind of strange so I need to make sure of some things, apologies in advance if the questions seem too obvious. Before answering all these make sure you try without --signingkeylifetime or with another argument than *1 months* like 2 months, 6 months, 10 days, 30 days, etc.
- path_to_my_master_key is the path to the folder containing a 'keys' subfolder which contains the ed25519_master_id_secret_key or (_encrypted)?
- the user running the 'tor --keygen' command has read/write permissions to the targeted folder from --datadirectory?
- is the date on the server where the 'tor --keygen' command runs correct?
- fixing the permissions you mean changing the owner of the files to the user actually running the Tor daemon on your system? (debian-tor, _tor, etc.)
> and uploading ed25519_signing_cert and ed25519_signing_secret_key and fixing the permissions, Tor keeps saying
>
> Feb 03 07:27:40.000 [notice] It looks like I need to generate and sign a new medium-term signing key, because the one I have is expired. To do that, I need to load the permanent master identity key.
> Feb 03 07:27:40.000 [warn] We needed to load a secret key from /var/lib/tor/keys/ed25519_master_id_secret_key, but couldn't find it. Did you forget to copy it over when you copied the rest of the signing key material?
> Feb 03 07:27:40.000 [warn] Can't load master identity key; OfflineMasterKey is set.
> Feb 03 07:27:40.000 [err] Error initializing keys; exiting
>
> That raises two questions to me:
> - why does Tor think the new keys are already expired?
> - why is Tor searching for ed25519_master_id_secret_key? With OfflineMasterKey set it shouldn't care about the master secret key
It doesn't -- the only problem is that it warns when it shouldn't. Only a log message issue which is known and reported here:
https://trac.torproject.org/projects/tor/ticket/18133
> Thank you,
> patacca
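The first of the two questions above (is the uploaded signing cert really expired?) can be checked on the relay without starting tor. The following Python script is an added example, not code from this thread or from tor itself: it decodes the fields of an ed25519_signing_cert file following the layout in tor's cert-spec (version, cert type, 4-byte expiration in hours since the epoch, certified key, extensions, 64-byte signature) and reports the expiration against a given time. The 32-byte "== ed25519v1-cert: type4 ==" file header is assumed from tor's tagged key-file format and is stripped when present; the sample certificate the script builds is constructed, carries a zeroed signature, and the signature is not verified, only the fields are read. Extension type 4 (signed-with-ed25519-key) is extracted so an operator can also compare the embedded master public key with the one kept offline.

```python
import struct
from datetime import datetime, timezone

# 32-byte header tor writes at the top of its tagged key and cert files
# ("== <type>: <tag> ==", NUL-padded). Assumed from tor's on-disk format.
FILE_TAG = b"== ed25519v1-cert: type4 ==".ljust(32, b"\0")

CERT_TYPE_SIGNING_KEY = 0x04          # ed25519 signing key certified by the identity key
CERT_KEY_TYPE_ED25519 = 0x01
EXT_SIGNED_WITH_ED25519_KEY = 0x04    # extension carrying the (master) key that signed the cert
EXT_FLAG_AFFECTS_VALIDATION = 0x01


def parse_ed25519_cert(data):
    """Decode a tor ed25519 certificate (cert-spec layout):
    VERSION(1) CERT_TYPE(1) EXPIRATION(4, hours since epoch, big-endian)
    CERT_KEY_TYPE(1) CERTIFIED_KEY(32) N_EXTENSIONS(1) EXTENSIONS SIGNATURE(64).
    Only the fields are read; the signature is not verified here."""
    if data.startswith(FILE_TAG):
        data = data[len(FILE_TAG):]
    if len(data) < 40:
        raise ValueError("certificate too short")
    version, cert_type, exp_hours, key_type = struct.unpack(">BBIB", data[:7])
    if version != 1:
        raise ValueError("unsupported certificate version %d" % version)
    certified_key = data[7:39]
    n_ext = data[39]
    pos = 40
    extensions = []
    signing_key = None
    for _ in range(n_ext):
        if pos + 4 > len(data):
            raise ValueError("truncated extension header")
        ext_len, ext_type, ext_flags = struct.unpack(">HBB", data[pos:pos + 4])
        pos += 4
        ext_data = data[pos:pos + ext_len]
        if len(ext_data) != ext_len:
            raise ValueError("truncated extension body")
        pos += ext_len
        extensions.append((ext_type, ext_flags, ext_data))
        if ext_type == EXT_SIGNED_WITH_ED25519_KEY:
            if ext_len != 32:
                raise ValueError("signed-with-ed25519-key extension must be 32 bytes")
            signing_key = ext_data
        elif ext_flags & EXT_FLAG_AFFECTS_VALIDATION:
            # An unknown extension with this flag makes the certificate unusable.
            raise ValueError("unknown extension type %d affects validation" % ext_type)
    signature = data[pos:pos + 64]
    if len(signature) != 64:
        raise ValueError("truncated signature")
    return {
        "cert_type": cert_type,
        "expiration_unix": exp_hours * 3600,
        "expiration": datetime.fromtimestamp(exp_hours * 3600, tz=timezone.utc),
        "cert_key_type": key_type,
        "certified_key": certified_key,
        "extensions": extensions,
        "signing_key": signing_key,
        "signature": signature,
    }


def cert_is_expired(cert, now_unix):
    """The certificate counts as expired once its expiration hour has passed."""
    return cert["expiration_unix"] <= now_unix


def describe_cert(data, now_unix):
    """One-line operator summary: 'malformed: ...', 'expired at ...' or 'valid until ...'."""
    try:
        cert = parse_ed25519_cert(data)
    except ValueError as e:
        return "malformed: %s" % e
    when = cert["expiration"].strftime("%Y-%m-%d %H:%M UTC")
    return ("expired at " if cert_is_expired(cert, now_unix) else "valid until ") + when


def build_sample_cert(exp_hours, certified_key, master_key):
    """Constructed sample with the layout above and a zeroed signature,
    for demonstration only (a real file carries a real signature)."""
    ext = struct.pack(">HBB", 32, EXT_SIGNED_WITH_ED25519_KEY, 0) + master_key
    body = (struct.pack(">BBIB", 1, CERT_TYPE_SIGNING_KEY, exp_hours, CERT_KEY_TYPE_ED25519)
            + certified_key + bytes([1]) + ext)
    return FILE_TAG + body + bytes(64)


# Constructed sample: expires 2016-03-04 00:00 UTC (404736 hours since the epoch).
SAMPLE_CERT = build_sample_cert(404736, bytes(32), b"\x01" * 32)

if __name__ == "__main__":
    # 1454484460 is 2016-02-03 07:27:40 UTC, the timestamp of the log lines quoted above
    print(describe_cert(SAMPLE_CERT, 1454484460))
```

To check a real relay, read /var/lib/tor/keys/ed25519_signing_cert (or the file from your --datadirectory) into `describe_cert` with `int(time.time())` as the second argument; a "valid until" date earlier than the relay's clock, or a clock that is itself wrong, explains the "expired" notice, and a `signing_key` that does not match the offline master public key means the wrong master key was used with --keygen.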