[tor-dev] tor ignores --SigningKeyLifetime when keys exist
nusenu
nusenu at openmailbox.org
Sat Nov 28 12:26:55 UTC 2015
> I think [2] is the wrong link? There's nothing about this in there.
Thanks for pointing that out; the correct URL is:
https://trac.torproject.org/projects/tor/ticket/17603
> I think this is expected and correct behavior.
>
> If a medium-term signing key exists, and is sufficiently valid in the
> future for Tor, it won't try to automatically renew it.
> It will use the new SigningKeyLifetime value for the NEW keys, once
> the ones it already has are _about_ to expire and Tor _wants_ to
> generate a new medium-term signing key.
The important information for me here is: how is "about to expire" defined?
X days before expiry, or
when 80% of its lifetime is over?
Can it be configured?
> If you already have a medium-term signing key valid 30 days in the
> future you can't replace it using the automated key generator in Tor
> (no manual --keygen).
>
> I think it should stay like this. If you want to change the lifetime
> of the medium term signing key with --orport, do a rm -rf
> ed25519_signing_* before that command.
>
> P.S. Also, if the master id key is not encrypted you can use --keygen
> in a non-interactive way afaik.
Yes, that is correct. So for the workaround of the workaround I will
simply invoke tor twice:
first without --keygen for key generation,
then with --keygen for signing key renewal.
Thanks for the quick reply.
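The thread leaves open how far in advance tor treats a signing key as "about to expire", so an operator deciding whether a --keygen run is needed may want to read the remaining validity of the key on disk directly. The following is an added example, not code from this thread or from tor itself: it parses the medium-term signing certificate in the layout given by tor's cert-spec (version 1, cert type 4, expiration stored as hours since the epoch) and reports the time left. It assumes the on-disk keys/ed25519_signing_cert file carries tor's 32-byte NUL-padded "== ed25519v1-cert: type4 ==" tag header before the certificate body; the sample certificate, dummy keys and the reference timestamp are constructed for the demonstration, and the signature is not verified.

```python
"""Report remaining validity of a Tor ed25519 signing cert (added example)."""
import struct
import time

# On disk, tor prefixes the cert with a 32-byte NUL-padded tag header (assumption).
TAG_PREFIX = b"== ed25519v1-cert: "
TAG_HEADER_LEN = 32


def parse_ed25519_cert(raw: bytes) -> dict:
    """Return the fields of an Ed25519 v1 certificate; the signature is not checked."""
    if raw.startswith(TAG_PREFIX):
        raw = raw[TAG_HEADER_LEN:]
    if len(raw) < 40 or raw[0] != 1:
        raise ValueError("not an Ed25519 v1 certificate")
    # Layout: version(1) cert_type(1) expiration_hours(4, big-endian) key_type(1)
    #         certified_key(32) n_extensions(1) extensions... signature(64)
    cert_type, expiration_hours, key_type = struct.unpack(">BIB", raw[1:7])
    certified_key = raw[7:39]
    n_ext, pos, extensions = raw[39], 40, []
    for _ in range(n_ext):  # each extension: length(2) type(1) flags(1) data
        ext_len, ext_type, ext_flags = struct.unpack(">HBB", raw[pos:pos + 4])
        extensions.append((ext_type, ext_flags, raw[pos + 4:pos + 4 + ext_len]))
        pos += 4 + ext_len
    signature = raw[pos:pos + 64]
    if len(signature) != 64:
        raise ValueError("truncated certificate")
    return {"cert_type": cert_type, "expiration_hours": expiration_hours,
            "key_type": key_type, "certified_key": certified_key,
            "extensions": extensions, "signature": signature}


def seconds_until_expiry(cert: dict, now=None) -> int:
    """Seconds until the cert's expiration field; negative once it has expired."""
    now = int(time.time()) if now is None else now
    return cert["expiration_hours"] * 3600 - now


def build_sample_cert(expiration_hours: int) -> bytes:
    """Constructed test cert: dummy keys, zero signature, tagged as on disk."""
    body = bytes([1, 4]) + struct.pack(">I", expiration_hours) + bytes([1])
    body += b"\x11" * 32                                   # dummy signing key
    body += bytes([1]) + struct.pack(">HBB", 32, 4, 0) + b"\x22" * 32  # type-4 ext
    body += b"\x00" * 64                                   # signature placeholder
    return b"== ed25519v1-cert: type4 ==".ljust(TAG_HEADER_LEN, b"\x00") + body


if __name__ == "__main__":
    # Constructed reference: a cert expiring ~30 days after the thread's date.
    cert = parse_ed25519_cert(build_sample_cert(403140))
    print("days left:", seconds_until_expiry(cert, 1448713615) / 86400)
```

To check a live relay, replace the sample with the bytes of keys/ed25519_signing_cert from the DataDirectory and call seconds_until_expiry with no timestamp.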