[tor-dev] tor ignores --SigningKeyLifetime when keys exist

s7r s7r at sky-ip.org
Sat Nov 28 12:01:36 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


On 11/28/2015 1:48 PM, nusenu wrote:
> (thread split from [1])
> 
> reproducer:
> mkdir tdata
> tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata --list-fingerprint --quiet
> 
> (new signing key with default expiry created)
> 
> attempt to change (reduce) expiry:
> tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata --SigningKeyLifetime "1 week" --list-fingerprint --quiet
> 
> expected result: key lifetime is reduced to 7 days
> actual result: key lifetime is not changed (remains at 1 month)
> 
> (invoking tor with --keygen causes the expected lifetime but can
> not be run non-interactively if keys do not exist)
> 
> So I reopened [2].
> 
> [1] https://lists.torproject.org/pipermail/tor-dev/2015-November/009959.html
> [2] https://trac.torproject.org/projects/tor/ticket/17127

I think [2] is the wrong link? There's nothing about this in there.

I think this is expected and correct behavior.

If a medium term signing key exists, and is sufficiently valid in the
future for Tor, it won't try to automatically renew it.
It will use the new SigningKeyLifetime value for the NEW keys, once
the ones it already has are _about_ to expire and Tor _wants_ to
generate a new medium term signing key.

If you already have a medium term signing key valid 30 days in the
future you can't replace it using the automated key generator in Tor
(no manual --keygen).

I think it should stay like this. If you want to change the lifetime
of the medium term signing key with --orport, do a rm -rf
ed25519_signing_* before that command.

P.S. Also, if the master id key is not encrypted you can use --keygen
in a non-interactive way afaik.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBCAAGBQJWWZefAAoJEIN/pSyBJlsR3MkH/2NsRc9Ua22Mx4xDzvEJIU9C
yNXgtabAD3w/UMHdgCC6q9dW2z7r+w97cPQ6ZBEZ34a98SPaM1HtUhvHG6/tM5wh
M3vtWs+WdF72QNwfDKsXfbgg4HNdvKczsttuuIHMXEOhLk9+2ehKMqGw+WPn1Fst
QNjN3Cup225m2wRc+n0EBaMUefQXhCfx6qQPnyjTi9wnCjNIpfhTRp3zzslObIcZ
cteJaBP+nkxsoS81XA3M2M6HSCUdNeEq+IVjt7WgciOD4USfeJlEmijIldYbAGwW
JFXihEsO6cIoaX3fOusjj7XIV5XaxeyfMFMC5g7Rnw3ueGYuCik82GP4UM+IXF8=
=Yzi1
-----END PGP SIGNATURE-----
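As an added example (not code from this thread, nor Tor's own), the script below reads the ed25519_signing_cert that the reproducer above leaves under tdata/keys/, reports when the medium-term signing key expires, and models the rule s7r describes: an existing key is kept until it is about to expire, so a changed --SigningKeyLifetime only takes effect for the next key Tor generates. Two things are assumptions rather than taken from the page: the on-disk layout (a 32-byte NUL-padded tag "== ed25519v1-cert: type4 ==" followed by a cert-spec certificate) and the one-day "about to expire" slop used in needs_rotation; check both against your own Tor version before relying on the output.

```python
"""Added example, not from the thread or from Tor: inspect an ed25519_signing_cert
and apply the rotation rule described in the reply above.

Assumptions (verify against your Tor version):
  * file = 32-byte NUL-padded tag "== ed25519v1-cert: type4 ==" + certificate:
    version(1) cert_type(1) expiration(4, hours since epoch, big-endian)
    key_type(1) certified_key(32) n_extensions(1) extensions... signature(64)
  * the one-day "about to expire" slop is a placeholder, not Tor's constant.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

CERT_TAG = b"== ed25519v1-cert: type4 =="   # assumed file header, see docstring
TAG_LEN = 32
CERT_TYPE_ID_SIGNING = 4                    # signing key certified by the identity key


def parse_signing_cert(raw: bytes) -> dict:
    """Return cert_type, expiry (aware UTC datetime) and the certified key."""
    if not raw.startswith(CERT_TAG):
        raise ValueError("not an ed25519v1-cert file (tag mismatch)")
    body = raw[TAG_LEN:]
    if len(body) < 7 + 32 + 1 + 64:
        raise ValueError("certificate body truncated")
    version, cert_type, exp_hours, key_type = struct.unpack(">BBIB", body[:7])
    if version != 1 or key_type != 1:
        raise ValueError(f"unexpected version/key type {version}/{key_type}")
    return {
        "cert_type": cert_type,
        "expires": datetime.fromtimestamp(exp_hours * 3600, tz=timezone.utc),
        "certified_key": body[7:39],
    }


def needs_rotation(expires: datetime, now: datetime,
                   slop: timedelta = timedelta(days=1)) -> bool:
    """Rule from the thread: keep the key while it is valid sufficiently far in
    the future; generate a new one (with the configured lifetime) only near expiry."""
    return expires - now <= slop


def build_sample_cert(expires: datetime) -> bytes:
    """Constructed, unsigned cert image for offline demonstration only
    (signature is all zeros; Tor itself would reject it)."""
    exp_hours = int(expires.timestamp()) // 3600
    body = (struct.pack(">BBIB", 1, CERT_TYPE_ID_SIGNING, exp_hours, 1)
            + b"\x11" * 32        # placeholder certified key
            + b"\x00"             # no extensions
            + b"\x00" * 64)       # placeholder signature
    return CERT_TAG.ljust(TAG_LEN, b"\x00") + body


def demo() -> dict:
    """Replay the thread's scenario with constructed dates: a key created on
    2015-11-28 with the default one-month lifetime, checked at two points in time."""
    created = datetime(2015, 11, 28, 12, 0, tzinfo=timezone.utc)
    expires = created + timedelta(days=30)
    cert = parse_signing_cert(build_sample_cert(expires))
    near_expiry = expires - timedelta(hours=12)
    return {
        "cert_type": cert["cert_type"],
        "expires": cert["expires"].isoformat(),
        "days_left_at_creation": (cert["expires"] - created).days,
        # re-running tor with --SigningKeyLifetime "1 week" right after creation
        # changes nothing: the existing key is nowhere near expiry
        "rotate_at_creation": needs_rotation(cert["expires"], created),
        # twelve hours before expiry a new key would be generated, and only
        # then does the configured lifetime apply
        "rotate_near_expiry": needs_rotation(cert["expires"], near_expiry),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python3 check_cert.py tdata/keys/ed25519_signing_cert
        with open(sys.argv[1], "rb") as f:
            info = parse_signing_cert(f.read())
        now = datetime.now(timezone.utc)
        print(f"signing cert expires {info['expires']:%Y-%m-%d %H:%M UTC}, "
              f"{(info['expires'] - now).days} days left, "
              f"rotation due: {needs_rotation(info['expires'], now)}")
    else:
        for k, v in demo().items():
            print(f"{k}: {v}")
```

Run without arguments to see the constructed scenario; pass the path of a real ed25519_signing_cert to print its expiry. The parser deliberately stops at the certified key and does not verify the signature, since the point is only to read the expiration that --SigningKeyLifetime did or did not change.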