I think [2] is the wrong link? There's nothing about this in there.
Thanks for pointing that out, correct URL: https://trac.torproject.org/projects/tor/ticket/17603
I think this is expected and correct behavior.
If a medium term signing key exists, and is sufficiently valid in the future for Tor, it won't try to automatically renew it. It will use the new SigningKeyLifetime value for the NEW keys, once the ones it already has are _about_ to expire and Tor _wants_ to generate a new medium term signing key.
The important info for me here is: How is "about to expire" defined? x days before expiry or 80% of its lifetime is over? Can it be configured?
If you already have a medium term signing key valid 30 days in the future, you can't replace it using the automated key generator in Tor (no manual --keygen).
I think it should stay like this. If you want to change the lifetime of the medium term signing key with --orport, do a rm -rf ed25519_signing_* before that command.
P.S. Also, if the master id key is not encrypted you can use --keygen in a non-interactive way afaik.
Yes, that is correct. So for the workaround of the workaround I will simply invoke tor twice. First time without --keygen for key generation, then with --keygen for signing key renewal.
Thanks for the quick reply.