[tor-dev] tor ignores --SigningKeyLifetime when keys exist

nusenu nusenu at openmailbox.org
Sat Nov 28 11:48:36 UTC 2015

(thread split from [1])

s7r wrote:
> - - when you run tor --orport [...] just to generate the keys in a
> non-interactive way, include a PublishServerDescriptor 0 in the
> command as well, send the log to /dev/null and terminate the process
> immediately. The descriptor will have to be published by the Tor
> process actually running the relay. If the master id private key is
> not encrypted, --keygen should be able to renew the medium term
> signing key in a non-interactive way. But it's not a big deal if you
> decide to do it with tor --orport [...] if it's easier for you this way.

Turns out my workaround to generate keys without a passphrase
non-interactively is not working entirely in every case since tor
apparently ignores --SigningKeyLifetime (when used without --keygen)
when keys exist: Signing keys are not (re)generated according to the
(new) SigningKeyLifetime parameter (signing key/cert remains unchanged).

mkdir tdata
tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata
--list-fingerprint --quiet

(new signing key with default expiry created)

attempt to change (reduce) expiry:
tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata
--SigningKeyLifetime "1 week" --list-fingerprint --quiet

expected result: key lifetime is reduced to 7 days
actual result: key lifetime is not changed (remains at 1 month)

(invoking tor with --keygen causes the expected lifetime but can not be
run non-interactively if keys do not exist)

So I reopened [2].

[1] https://lists.torproject.org/pipermail/tor-dev/2015-November/009959.html
[2] https://trac.torproject.org/projects/tor/ticket/17127

More information about the tor-dev mailing list