Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
On 11/28/2015 2:26 PM, nusenu wrote:
> The important info for me here is: How is "about to expire"
> defined? x days before expiry or

I think 24 hours before expiry.

> 80% of its lifetime is over?

No.

> Can it be configured?

No. This would not be helpful - complicating the already complicated code for this feature, which wouldn't solve/fix or make anything better/easier.

> yes that is correct. So for the workaround of the workaround I
> will simply invoke tor twice. First time without --keygen for key
> generation, then with --keygen for signing key renewal.
>
> thanks for the quick reply.

Hey, welcome :)

That sounds good to me. Yeah, we built it with a logic that will work for all types of operators, including people with less experience with Tor who can easily make mistakes, misconfigurations, etc. Advanced users like you who code scripts can always find workarounds.

tor-dev mailing list: tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
[tor-dev] tor ignores --SigningKeyLifetime when keys exist
(thread split from [1])

s7r wrote:
> - when you run tor --orport [...] just to generate the keys in a
> non-interactive way, include a PublishServerDescriptor 0 in the
> command as well, send the log to /dev/null and terminate the process
> immediately. The descriptor will have to be published by the Tor
> process actually running the relay. If the master id private key is
> not encrypted, --keygen should be able to renew the medium term
> signing key in a non-interactive way. But it's not a big deal if you
> decide to do it with tor --orport [...] if it's easier for you this way.

Turns out my workaround to generate keys without a passphrase non-interactively is not working entirely in every case, since tor apparently ignores --SigningKeyLifetime (when used without --keygen) when keys exist: signing keys are not (re)generated according to the (new) SigningKeyLifetime parameter (signing key/cert remains unchanged).

reproducer:

    mkdir tdata
    tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata --list-fingerprint --quiet

(new signing key with default expiry created)

attempt to change (reduce) expiry:

    tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata --SigningKeyLifetime "1 week" --list-fingerprint --quiet

expected result: key lifetime is reduced to 7 days
actual result: key lifetime is not changed (remains at 1 month)

(invoking tor with --keygen causes the expected lifetime but can not be run non-interactively if keys do not exist)

So I reopened [2].

[1] https://lists.torproject.org/pipermail/tor-dev/2015-November/009959.html
[2] https://trac.torproject.org/projects/tor/ticket/17127
Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
On 11/28/2015 1:48 PM, nusenu wrote:
> (thread split from [1])
>
> reproducer:
>     mkdir tdata
>     tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata --list-fingerprint --quiet
>
> (new signing key with default expiry created)
>
> attempt to change (reduce) expiry:
>     tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata --SigningKeyLifetime "1 week" --list-fingerprint --quiet
>
> expected result: key lifetime is reduced to 7 days
> actual result: key lifetime is not changed (remains at 1 month)
>
> (invoking tor with --keygen causes the expected lifetime but can
> not be run non-interactively if keys do not exist)
>
> So I reopened [2].
>
> [1] https://lists.torproject.org/pipermail/tor-dev/2015-November/009959.html
> [2] https://trac.torproject.org/projects/tor/ticket/17127

I think [2] is the wrong link? There's nothing about this in there.

I think this is expected and correct behavior. If a medium term signing key exists, and is sufficiently valid in the future for Tor, it won't try to automatically renew it. It will use the new SigningKeyLifetime value for the NEW keys, once the ones it already has are _about_ to expire and Tor _wants_ to generate a new medium term signing key.

If you already have a medium term signing key valid 30 days in the future you can't replace it using the automated key generator in Tor (no manual --keygen). I think it should stay like this. If you want to change the lifetime of the medium term signing key with --orport, do a rm -rf ed25519_signing_* before that command.

P.S. also if the master id key is not encrypted you can use --keygen in a non-interactive way afaik.
Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
> I think [2] is the wrong link? There's nothing about this in there.

thanks for pointing that out, correct URL:
https://trac.torproject.org/projects/tor/ticket/17603

> I think this is expected and correct behavior.
>
> If a medium term signing key exists, and is sufficiently valid in the
> future for Tor, it won't try to automatically renew it.
> It will use the new SigningKeyLifetime value for the NEW keys, once
> the ones it already has are _about_ to expire and Tor _wants_ to
> generate a new medium term signing key.

The important info for me here is: How is "about to expire" defined? x days before expiry, or 80% of its lifetime is over? Can it be configured?

> If you already have a medium term signing key valid 30 days in the
> future you can't replace it using the automated key generator in Tor
> (no manual --keygen).
>
> I think it should stay like this. If you want to change the lifetime
> of the medium term signing key with --orport, do a rm -rf
> ed25519_signing_* before that command.
>
> P.S. also if the master id key is not encrypted you can use --keygen
> in a non-interactive way afaik.

yes that is correct. So for the workaround of the workaround I will simply invoke tor twice. First time without --keygen for key generation, then with --keygen for signing key renewal.

thanks for the quick reply.
Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
s7r:
> On 11/28/2015 2:26 PM, nusenu wrote:
>> The important info for me here is: How is "about to expire"
>> defined? x days before expiry or
> I think 24 hours before expiry.

After trying this in practice I can confirm that tor renewed the signing key after it entered a time window not bigger than 24 hours before key expiry (not before).
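As an added example (not part of this thread and not Tor project code), a small Python parser for the DataDirectory/keys/ed25519_signing_cert file that reads the certificate's expiration and reports whether it is inside the 24-hour renewal window confirmed above, so an operator can check when tor will roll the medium term key without waiting for it. The 32-byte "== ed25519v1-cert: type4 ==" tagged header and the certificate layout follow Tor's cert-spec as I know it; the sample certificate is constructed with a zero signature and the signature is not verified.

```python
import struct

# Tor tagged-file header: "== ed25519v1-cert: type4 ==" NUL-padded to 32 bytes
HEADER_LEN = 32
HEADER_TAG = b"== ed25519v1-cert: type4 =="
RENEW_WINDOW_SECS = 24 * 3600  # renewal window reported in the thread

def parse_signing_cert(blob):
    """Parse an ed25519_signing_cert file (header + cert-spec body).
    Body: version(1) type(1) expiration_hours(4, big-endian) key_type(1)
    certified_key(32) n_ext(1) extensions... signature(64)."""
    if not blob.startswith(HEADER_TAG) or len(blob) < HEADER_LEN + 40 + 64:
        raise ValueError("not a tor ed25519v1 type4 certificate file")
    body = blob[HEADER_LEN:]
    version, cert_type, exp_hours, key_type = struct.unpack(">BBIB", body[:7])
    if version != 1 or cert_type != 4 or key_type != 1:
        raise ValueError("unexpected version/type fields")
    certified_key = body[7:39]
    n_ext, off = body[39], 40
    extensions = []
    for _ in range(n_ext):
        ext_len, ext_type, ext_flags = struct.unpack(">HBB", body[off:off + 4])
        off += 4
        extensions.append((ext_type, ext_flags, body[off:off + ext_len]))
        off += ext_len
    signature = body[off:off + 64]
    if len(signature) != 64:
        raise ValueError("truncated signature")
    return {"expires_at": exp_hours * 3600,  # seconds since the epoch
            "certified_key": certified_key,
            "extensions": extensions,
            "signature": signature}

def renewal_status(cert, now):
    """'expired', 'renew' (within the 24h window) or 'valid'."""
    remaining = cert["expires_at"] - now
    if remaining <= 0:
        return "expired"
    if remaining <= RENEW_WINDOW_SECS:
        return "renew"
    return "valid"

def build_sample_cert(exp_hours, certified_key=b"\x11" * 32, master_key=b"\x22" * 32):
    """Constructed sample (zero signature, NOT a real cert) for offline testing."""
    header = HEADER_TAG.ljust(HEADER_LEN, b"\x00")
    ext = struct.pack(">HBB", 32, 4, 0) + master_key  # ext type 4: signed-with-ed25519-key
    body = struct.pack(">BBIB", 1, 4, exp_hours, 1) + certified_key + b"\x01" + ext + bytes(64)
    return header + body
```

On a live relay, read the file with open(path, "rb") and pass int(time.time()) as now; the key tor actually publishes is still the one in its running process, so this only predicts the on-disk rollover.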