Documentation how fill old_signing_keys after changing homeserver.signing.key

[MurzNN]

Please add documentation with examples how to fill old_signing_keys values, when we have new homeserver.signing.key and old one.

In homeserver.yaml file there are description:

# The keys that the server used to sign messages with but won't use
# to sign new messages. E.g. it has lost its private key
#
#old_signing_keys:
#  "ed25519:auto":
#    # Base64 encoded public key
#    key: "The public part of your old signing key."
#    # Millisecond POSIX timestamp when the key expired.
#    expired_ts: 123456789123

So users must place in this file only public part of your old signing key, but there are no description how to generate public part, having full old key file? Can you please describe how to do this in description text?

[MurzNN]

As workaround I have found the way to get key via pgsql query:

select encode(verify_key, 'base64') from server_signature_keys where server_name='example.com';

But how to get this string from homeserver.signing.key file is still the question.

[richvdh]

Interesting. I guess getting it from the database (or the REST api) is the easiest way. There should really be a script to do it though.

[JochenFriedrich]

It's really important for an instance to keep track of all old keys. In particular if an instance don't trust any notary servers.