Skip to content

Arti uses old blinded signing keys after removing the old identity key and generating a new one

Summary

If the long-term identity key is removed from the keystore and a new ID is generated, the old blinded signing keys will not be automatically removed, and new blinded signing keys won't be generated. This makes the hidden service unreachable.

Steps to reproduce:

# Run hidden service
arti proxy -c /path/to/config
# Obtain onion address
arti -c /path/to/config hss --nickname allium-cepa onion-address
# The service is reachable

# Remove identity key
rm ~/.local/share/arti/keystore/hss/allium-cepa/ks_hs_id.ed25519_expanded_private

# Run hidden service, generate a new identity key
arti proxy -c /path/to/config
# `ks_hs_blind_id*` are unchanged
# Obtain new onion address
arti -c /path/to/config hss --nickname allium-cepa onion-address
# The service is now unreachable using the new onion address

NOTE: the service is unreachable using either the new or the old onion addresses.

Logs

Logs encountered while trying to access the service using Arti:

using the old address 
2025-07-08T15:56:00Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <OLD>.onion from ???: error: problem with descriptor: Decryption failure on onion service descriptor: could not decrypt
2025-07-08T15:56:00Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <OLD>.onion from ???: error: problem with descriptor: Decryption failure on onion service descriptor: could not decrypt
2025-07-08T15:56:01Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <OLD>.onion from ???: error: problem with descriptor: Decryption failure on onion service descriptor: could not decrypt
2025-07-08T15:56:02Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <OLD>.onion from ???: error: problem with descriptor: Decryption failure on onion service descriptor: could not decrypt
2025-07-08T15:56:03Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <OLD>.onion from ???: error: problem with descriptor: Decryption failure on onion service descriptor: could not decrypt
2025-07-08T15:56:04Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <OLD>.onion from ???: error: problem with descriptor: Decryption failure on onion service descriptor: could not decrypt
2025-07-08T15:56:04Z DEBUG tor_hsclient::state: HS connection failure for [scrubbed]: error: Unable to download hidden service descriptor
2025-07-08T15:56:04Z  WARN arti::socks: connection exited with error: error: Onion Service protocol failed (apparently due to service behaviour)
using the new address: 
2025-07-08T15:57:22Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <NEW>.onion from ???: error: directory error: HTTP status code 404: "Not found"
2025-07-08T15:57:22Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <NEW>.onion from ???: error: directory error: HTTP status code 404: "Not found"
2025-07-08T15:57:22Z DEBUG tor_circmgr::hspool: launching 2 NAIVE  and 1 GUARDED circuits
2025-07-08T15:57:22Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <NEW>.onion from ???: error: directory error: HTTP status code 404: "Not found"
2025-07-08T15:57:23Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <NEW>.onion from ???: error: directory error: HTTP status code 404: "Not found"
2025-07-08T15:57:23Z DEBUG tor_circmgr::hspool: launching 2 NAIVE  and 0 GUARDED circuits
2025-07-08T15:57:23Z DEBUG tor_circmgr: Launching a circuit to test build times.
2025-07-08T15:57:24Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <NEW>.onion from ???: error: directory error: HTTP status code 404: "Not found"
2025-07-08T15:57:24Z DEBUG tor_hsclient::connect: failed hsdir desc fetch for <NEW>.onion from ???: error: directory error: HTTP status code 404: "Not found"
2025-07-08T15:57:24Z DEBUG tor_hsclient::state: HS connection failure for [scrubbed]: error: Unable to download hidden service descriptor
2025-07-08T15:57:24Z  WARN arti::socks: connection exited with error: error: Onion Service not found

Possible fixes:

  • The process of generating the identity key could remove the old keys, and generate new ones.
  • The keys could use nickname-based filenames/identifiers.
Edited by hjrgrn