Reload keypins on SIGHUP? Or provide some other way to undo a single keypin?
Right now, there isn't a way to undo a buggy key-pin without stopping the authority, editing the keypin file, and restarting it. Not good: authority operators shouldn't have to reboot just because we had a bug.
We should fix this before we release 0.2.7.2-alpha.
I see two four six options here.
- Make it okay to edit the key-pinning journal on a running Tor. That's not so great; we need to be able to append to it, and editors may have swap-file races with it.
- Add a torrc option to unpin an existing key. This would only need to be stuck into the torrc once; it would remove the pin, and allow a new key pin to occur.
- No fix; hope that this situation never happens again; tell the authoritiy ops to edit the keypinning file when they upgrade, or give them a script to do it.
- One-off fix: undo the pin in software for the two specific keypairs affected, and hope this never happens again.
- As 3, but tell the ops to remove the file.
- As 5, but have Tor use a new file name, and remove the old one it exists, so that the ops don't have to do anything at all.