[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Tor not reading medium-term signing key.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

Let's recap (hope I am not missing something):

a) you make sure master_id_secret_key is available in
/home/[user]/.tor/keys
b) you run # tor --keygen and provide the correct passphrase
c) you *move* the newly generated ed25519_signing_secret_key and
ed25519_signing_cert *FROM* /home/[user]/.tor/keys *TO*
/var/lib/tor/keys or wherever your Tor datadirectory is (depending on
your OS / distro) and reload or restart Tor. You don't need to shut
down Tor while you use --keygen, you can only reload (HUP) or restart
after you've moved the new key and cert.

and you still get the same notice that the medium term signing key is
going to expire soon?

If yes, can you let me know other details about your setup? Do you use
a SigningKeyLifetime parameter in your torrc?

Also, the directory doesn't need to be /home/[user]/.tor/keys if you
are willing to pass it with --datadirectory argument (Tor will just
need write permission in the target folder):

# tor --datadirectory /some/path --keygen (the master_id_secret_key
needs to be inside a keys folder in /some/path, eg:
/some/path/keys/ed25519_master_id_secret_key).

The new medium term signing key and cert will be saved in the same
folder and you have to manually move them to your working Tor's
instance datadirectory folder as explained above.

We are working on making this simpler by allowing to manually set the
master id secret key path and ask for a different output folder for
the created files.


On 1/4/2016 9:53 PM, 12xBTM wrote:
> So my medium-term signing key expires tomorrow, and Tor notices.log
> is all up and down about:
> 
> Jan 04 19:22:46.000 [notice] It looks like I should try to generate
> and sign a new medium-term signing key, because the one I have is
> going to expire soon. But OfflineMasterKey is set, so I won't try
> to load a permanent master identity key is set. You will need to
> use 'tor --keygen' make a new signing key and certificate.
> 
> Now, that's great and all, so I tossed my master_id_public_key and
> the master_id_secret_key_encrypted into the folder they were
> originally generated in, which is:
> /home/[user]/.tor/keys/ed25519.... Turned off Tor, ran "tor
> --keygen" Gave my password. It generates a new signing_cert and
> signing_secret_key in the same directory. And now, no matter what I
> do, Tor keeps giving the same notice over and over again that the
> keys are expiring.
> 
> The documentation for this feature is slightly lacking. So, if
> anyone knows what I'm doing wrong, that'd be very helpful.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBCAAGBQJWit+iAAoJEIN/pSyBJlsR7d0IAICb4VKb3nlTJF1ZTekfgvy9
dP10RvZ6sLMgdvdPg3flN+f2ApUgMmxDj+CpK06GUEHdVM9w0fPQiP5I8ECcCw/Z
bRYaEq5hZ82DUzf8ISMSBKD7uD6cwJ1ja8R29+hGYFpnsK2Cxb9Dz+Rp+4VjGpfp
fTWD/MfVdOMU9SVvG4G2JH62pATx8DyUNiGjmJ3VRlJ3E//r6hgd1dKNtIk5p7BF
f+RpdkPXnA6fOqHIjUJYztC5QX/q4BwzhAUp3Jvs+pK42q18+pdGL8wPnmi0/NWb
ZbiSKUDtCeZBEDOR6D9pfMIqJMdCQd8SEN1barq0135fb6SVevxN+gSJYrHwgcs=
=ZMga
-----END PGP SIGNATURE-----
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays