(thread split from [1])
s7r wrote:
- when you run tor --orport [...] just to generate the keys in a
non-interactive way, include a PublishServerDescriptor 0 in the command as well, send the log to /dev/null and terminate the process immediately. The descriptor will have to be published by the Tor process actually running the relay. If the master id private key is not encrypted, --keygen should be able to renew the medium term signing key in a non-interactive way. But it's not a big deal if you decide to do it with tor --orport [...] if it's easier for you this way.
Turns out my workaround to generate keys without a passphrase non-interactively is not working entirely in every case since tor apparently ignores --SigningKeyLifetime (when used without --keygen) when keys exist: Signing keys are not (re)generated according to the (new) SigningKeyLifetime parameter (signing key/cert remains unchanged).
reproducer: mkdir tdata tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata --list-fingerprint --quiet
(new signing key with default expiry created)
attempt to change (reduce) expiry: tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata --SigningKeyLifetime "1 week" --list-fingerprint --quiet
expected result: key lifetime is reduced to 7 days actual result: key lifetime is not changed (remains at 1 month)
(invoking tor with --keygen causes the expected lifetime but can not be run non-interactively if keys do not exist)
So I reopened [2].
[1] https://lists.torproject.org/pipermail/tor-dev/2015-November/009959.html [2] https://trac.torproject.org/projects/tor/ticket/17127