matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

Documentation how fill old_signing_keys after changing homeserver.signing.key #5958

Open MurzNN opened 5 years ago

MurzNN commented 5 years ago

Please add documentation with examples of how to fill in the old_signing_keys values when we have a new homeserver.signing.key and an old one.

In the homeserver.yaml file there is this description:

# The keys that the server used to sign messages with but won't use
# to sign new messages. E.g. it has lost its private key
#
#old_signing_keys:
#  "ed25519:auto":
#    # Base64 encoded public key
#    key: "The public part of your old signing key."
#    # Millisecond POSIX timestamp when the key expired.
#    expired_ts: 123456789123

So users must place in this file only the public part of the old signing key, but there is no description of how to generate the public part when you have the full old key file. Can you please describe how to do this in the description text?

MurzNN commented 5 years ago

As a workaround I have found a way to get the key via a pgsql query:

select encode(verify_key, 'base64') from server_signature_keys where server_name='example.com';

But how to get this string from the homeserver.signing.key file is still the question.
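The missing step, worked through as an added example (not code from the issue or from Synapse itself): a homeserver.signing.key file holds lines of the form `ed25519 <version> <unpadded-base64 32-byte seed>`, and the value wanted for `old_signing_keys` is the unpadded base64 of the Ed25519 public key derived from that seed, under the key id `ed25519:<version>`. Synapse's own dependency, signedjson, does this with `read_signing_keys`, `get_verify_key` and `encode_verify_key_base64`; the script below reimplements the derivation in pure Python following the RFC 8032 reference structure so it runs with only the standard library. The key version `a_old1` and the sample line are constructed; the seed is the RFC 8032 test vector, not a real server key.

```python
"""Derive the public ("verify") half of a Synapse ed25519 signing key from a
homeserver.signing.key line and emit an old_signing_keys YAML stanza.

Ed25519 public-key derivation is written out per RFC 8032 so that the script
needs nothing beyond the standard library (added example, not Synapse code).
"""
import base64
import hashlib
import time

# Ed25519 field and curve constants (RFC 8032, section 5.1).
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
# Standard Ed25519 base point B in affine coordinates, hard-coded.
B_X = 15112221349535400772501151409588531511454012693041857206046113283949847762202
B_Y = 46316835694926478169428394003475163141307993866256225615783033603165251855960
B = (B_X, B_Y, 1, (B_X * B_Y) % P)  # extended coordinates (X, Y, Z, T)


def _point_add(p1, q1):
    """Extended twisted-Edwards point addition (RFC 8032 reference formulas)."""
    a = (p1[1] - p1[0]) * (q1[1] - q1[0]) % P
    b = (p1[1] + p1[0]) * (q1[1] + q1[0]) % P
    c = 2 * p1[3] * q1[3] * D % P
    d = 2 * p1[2] * q1[2] % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)


def _point_mul(s, pt):
    """Double-and-add scalar multiplication."""
    q = (0, 1, 1, 0)  # neutral element
    while s > 0:
        if s & 1:
            q = _point_add(q, pt)
        pt = _point_add(pt, pt)
        s >>= 1
    return q


def _point_compress(pt):
    """Encode a point as 32 little-endian bytes: y with the sign of x in bit 255."""
    zinv = pow(pt[2], P - 2, P)
    x = pt[0] * zinv % P
    y = pt[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def ed25519_public_key(seed: bytes) -> bytes:
    """32-byte Ed25519 public key for a 32-byte private seed (RFC 8032 5.1.5)."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    a &= (1 << 254) - 8  # clear the low 3 bits and bits 254, 255
    a |= 1 << 254        # set bit 254
    return _point_compress(_point_mul(a, B))


def _b64_decode_unpadded(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _b64_encode_unpadded(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii").rstrip("=")


def parse_signing_key_line(line: str):
    """Parse one 'ed25519 <version> <unpadded-base64 seed>' line."""
    algorithm, version, key_b64 = line.split()
    if algorithm != "ed25519":
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return algorithm, version, _b64_decode_unpadded(key_b64)


def old_signing_key_entry(line: str, expired_ts_ms: int) -> dict:
    """Return {'ed25519:<version>': {'key': <b64 public>, 'expired_ts': ms}}."""
    algorithm, version, seed = parse_signing_key_line(line)
    public = ed25519_public_key(seed)
    return {f"{algorithm}:{version}": {"key": _b64_encode_unpadded(public),
                                        "expired_ts": expired_ts_ms}}


def to_yaml(entry: dict) -> str:
    """Render the entry in the shape the homeserver.yaml comment shows."""
    lines = ["old_signing_keys:"]
    for key_id, fields in entry.items():
        lines.append(f'  "{key_id}":')
        lines.append(f'    key: "{fields["key"]}"')
        lines.append(f'    expired_ts: {fields["expired_ts"]}')
    return "\n".join(lines)


# Constructed sample: the RFC 8032 test-vector seed written the way Synapse
# stores it, with a hypothetical key version "a_old1". Not a real server key.
SAMPLE_SEED_HEX = "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"
SAMPLE_LINE = "ed25519 a_old1 " + _b64_encode_unpadded(bytes.fromhex(SAMPLE_SEED_HEX))

if __name__ == "__main__":
    # Expiry defaults to "now"; pass the real rotation time in production.
    print(to_yaml(old_signing_key_entry(SAMPLE_LINE, int(time.time() * 1000))))
```

Run it against the old key file (one call per line) and paste the printed stanza into homeserver.yaml. A quick cross-check is that the `key` value equals the base64 of `verify_key` returned by the SQL query above for the same key id; the two must agree, since both are the same 32-byte public key.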

richvdh commented 5 years ago

Interesting. I guess getting it from the database (or the REST API) is the easiest way. There should really be a script to do it though.

JochenFriedrich commented 5 years ago

It's really important for an instance to keep track of all old keys, in particular if an instance doesn't trust any notary servers.