author | Erik Johnston <erik@matrix.org> | 2019-08-20 15:27:08 +0100 |
---|---|---|
committer | Erik Johnston <erik@matrix.org> | 2019-08-21 10:44:58 +0100 |
commit | 5906be858900e134d99dd94f0ca9e8bd1db14c05 (patch) | |
tree | 06e0b9df39e70d44d9734465dccf48f74d03a69d /synapse/crypto | |
parent | Refactor the Appservice scheduler code (#5886) (diff) | |
download | synapse-5906be858900e134d99dd94f0ca9e8bd1db14c05.tar.xz |
Add config option for keys to use to sign keys
This allows servers to separate keys that are used to sign remote keys when acting as a notary server.
Diffstat (limited to 'synapse/crypto')
-rw-r--r-- | synapse/crypto/keyring.py | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/synapse/crypto/keyring.py b/synapse/crypto/keyring.py
index 6c3e885e72..a3b55e349e 100644
--- a/synapse/crypto/keyring.py
+++ b/synapse/crypto/keyring.py
@@ -540,11 +540,13 @@ class BaseV2KeyFetcher(object):
 verify_key=verify_key, valid_until_ts=key_data["expired_ts"]
 )
- # re-sign the json with our own key, so that it is ready if we are asked to
- # give it out as a notary server
- signed_key_json = sign_json(
- response_json, self.config.server_name, self.config.signing_key[0]
- )
+ # re-sign the json with our own keys, so that it is ready if we are
+ # asked to give it out as a notary server
+ signed_key_json = response_json
+ for signing_key in self.config.key_server_signing_keys:
+ signed_key_json = sign_json(
+ signed_key_json, self.config.server_name, signing_key
+ )
 signed_key_json_bytes = encode_canonical_json(signed_key_json) |
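Review bot: If `self.config.key_server_signing_keys` is empty, the new loop leaves `signed_key_json` as the bare `response_json`, so the bytes encoded on the last line would carry no signature from this server even though the comment says they are ready to be given out as a notary. The config change that populates the list is outside this diffstat, so it cannot be confirmed from here that it always yields at least one key; a guard before the loop such as `if not self.config.key_server_signing_keys: raise RuntimeError("no key_server_signing_keys configured")` would make the invariant explicit. The comment could also say that every configured key signs under `self.config.server_name`, and it is worth confirming against `sign_json` that two keys sharing a key id would not leave only the last signature. The enclosing method begins and ends outside this hunk.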