[tor-dev] OfflineMasterKey / ansible-relayor

nusenu nusenu at openmailbox.org
Thu Nov 19 19:44:30 UTC 2015

> Some suggestions:
> - don't copy the ed25519_master_id_public_key file. If it is missing,
> Tor will just compute it from the certificate and save it to disk.
> But, if by accident an user copies the medium term signing keys
> related to another relay, Tor will detect they don't match the
> ed25519_master_id_public_key file and exit.

I'm copying ed25519_master_id_public_key to the relay to get rid of the
following [warn] level log entries:

[warn] No key found in .../keys/ed25519_master_id_secret_key or
[warn] Master public key was absent; inferring from public key in
signing certificate and saving to disk.

The goal was to reduce the noise at the warn log level.

> - when you run tor --orport [...] just to generate the keys in a
> non-interactive way, include a PublishServerDescriptor 0 in the
> command as well


>, send the log to /dev/null 

done [1]

> and terminate the process
> immediately. 

I'm using
for that.

The descriptor will have to be published by the Tor
> process actually running the relay. If the master id private key is
> not encrypted, --keygen should be able to renew the medium term
> signing key in a non-interactive way. But it's not a big deal if you
> decide to do it with tor --orport [...] if it's easier for you this way.

I can switch to --keygen
if it generates RSA keys (as long as they are a requirement for a relay)
as well and --no-pass is implemented,
but I'm also fine with the current way to generate keys.

> - make it as hard as you can for users to accidentally mix keys
> belonging to different relays. This will be a tough one.

I'm aiming to add a check that aborts if a key is found more than once
in ~/.tor/offlinemasterkeys.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20151119/87e260ef/attachment.sig>

More information about the tor-dev mailing list