[tor-dev] tor ignores --SigningKeyLifetime when keys exist

nusenu nusenu at openmailbox.org
Sat Nov 28 12:26:55 UTC 2015

> I think [2] is the wrong link? There's nothing about this in there.

Thanks for pointing that out, correct URL:

> I think this is expected and correct behavior.
> If a medium-term signing key exists, and is sufficiently valid in the
> future for Tor, it won't try to automatically renew it.
> It will use the new SigningKeyLifetime value for the NEW keys, once
> the ones it already has are _about_ to expire and Tor _wants_ to
> generate a new medium-term signing key.

The important info for me here is: how is "about to expire" defined?
x days before expiry, or
80% of its lifetime is over?
Can it be configured?

> If you already have a medium-term signing key valid 30 days into the
> future you can't replace it using the automated key generator in Tor
> (no manual --keygen).
> I think it should stay like this. If you want to change the lifetime
> of the medium-term signing key with --orport, do a rm -rf
> ed25519_signing_* before that command.
> P.S. Also, if the master id key is not encrypted you can use --keygen
> in a non-interactive way, afaik.

Yes, that is correct. So for the workaround of the workaround I will
simply invoke tor twice:
first without --keygen for key generation,
then with --keygen for signing key renewal.

Thanks for the quick reply.
