It makes automated testing painful. Instead, provide a configuration
parameter master-keygen-flags which defaults to -l but can be overridden
by people who know what they're doing.
The sequence number of the master authority's current signing key. No
default. Usually set up automatically.
.TP
The sequence number of the master authority's current signing key. No
default. Usually set up automatically.
.TP
+.I master-keygen-flags
+Additional options for generating master keys. Default is
+.RB ` -l '.
+.TP
.I hk-master
The fingerprint of the current master signing key. No default. Usually
set up automatically.
.I hk-master
The fingerprint of the current master signing key. No default. Usually
set up automatically.
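Review bot: the new master-keygen-flags entry says only that the default is -l, without saying what -l does to the generated master key or what changes when it is overridden. The commit message frames the override as something for people who know what they're doing, so state the effect of the default and the consequence of removing it here. Also mention that the value is passed as extra options to the master key generation command, so readers know what syntax it accepts.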
('kx-expire', 'now + 1 year'),
('cipher', 'blowfish-cbc'),
('hash', 'sha256'),
('kx-expire', 'now + 1 year'),
('cipher', 'blowfish-cbc'),
('hash', 'sha256'),
+ ('master-keygen-flags', '-l'),
('mgf', '${hash}-mgf'),
('mac', lambda: '%s-hmac/%d' %
(conf['hash'],
('mgf', '${hash}-mgf'),
('mac', lambda: '%s-hmac/%d' %
(conf['hash'],
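Review bot: the ('master-keygen-flags', '-l') default is placed between 'hash' and 'mgf', which separates the hash setting from the mgf and mac entries derived from it through ${hash} and conf['hash']. Move it out of that group so the dependent defaults stay together, and add a short comment saying why -l is the default.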
seq = max_master_sequence() + 1
run('''key -kmaster add
-a${sig-genalg} !${sig-param}
seq = max_master_sequence() + 1
run('''key -kmaster add
-a${sig-genalg} !${sig-param}
- -e${sig-expire} -l -tmaster-%d tripe-keys-master
+ -e${sig-expire} !${master-keygen-flags} -tmaster-%d tripe-keys-master
sig=${sig} hash=${sig-hash}''' % seq)
run('key -kmaster extract -f-secret repos/master.pub')
sig=${sig} hash=${sig-hash}''' % seq)
run('key -kmaster extract -f-secret repos/master.pub')
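Review bot: in the key -kmaster add command, !${master-keygen-flags} splices a configuration value into the argument list with no validation, so an override can do more than drop -l. It can add any option, including ones that conflict with the -e${sig-expire} and -tmaster-%d arguments the template sets itself. Either restrict the accepted values or document that this setting is trusted input. Also check that an empty value expands to no argument at all rather than to an empty-string argument, since dropping -l for automated tests is the stated use case.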