[tor-dev] tor ignores --SigningKeyLifetime when keys exist
nusenu
nusenu at openmailbox.org
Sat Nov 28 11:48:36 UTC 2015
(thread split from [1])
s7r wrote:
> - - when you run tor --orport [...] just to generate the keys in a
> non-interactive way, include a PublishServerDescriptor 0 in the
> command as well, send the log to /dev/null and terminate the process
> immediately. The descriptor will have to be published by the Tor
> process actually running the relay. If the master id private key is
> not encrypted, --keygen should be able to renew the medium term
> signing key in a non-interactive way. But it's not a big deal if you
> decide to do it with tor --orport [...] if it's easier for you this way.
Turns out my workaround to generate keys without a passphrase
non-interactively is not working entirely in every case since tor
apparently ignores --SigningKeyLifetime (when used without --keygen)
when keys exist: Signing keys are not (re)generated according to the
(new) SigningKeyLifetime parameter (signing key/cert remains unchanged).
reproducer:
mkdir tdata
tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata
--list-fingerprint --quiet
(new signing key with default expiry created)
attempt to change (reduce) expiry:
tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata
--SigningKeyLifetime "1 week" --list-fingerprint --quiet
expected result: key lifetime is reduced to 7 days
actual result: key lifetime is not changed (remains at 1 month)
(invoking tor with --keygen causes the expected lifetime but can not be
run non-interactively if keys do not exist)
So I reopened [2].
[1] https://lists.torproject.org/pipermail/tor-dev/2015-November/009959.html
[2] https://trac.torproject.org/projects/tor/ticket/17127
More information about the tor-dev
mailing list