From 17f0ec527d6e1c2c05a82e0a455cc0ca374d63ff Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 28 Oct 2025 02:48:49 -0400
Subject: [PATCH] cleanly phase in new TLS session ticket keys

This closes a small window where new workers could give keys not accepted by the old workers before they're gracefully shut down. This will also be needed when syncing keys across a cluster.
---
 create-session-ticket-keys | 6 +++---
 rotate-session-ticket-keys | 7 ++++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/create-session-ticket-keys b/create-session-ticket-keys
index 25dbc49..2b936a0 100755
--- a/create-session-ticket-keys
+++ b/create-session-ticket-keys
@@ -4,8 +4,8 @@ set -o errexit -o nounset -o pipefail
 cd /etc/session-ticket-keys
-for i in {1..4}; do
- head -c 80 $i.key
+for i in next.key {1..4}.key; do
+ head -c 80 $i
 done
-cat {1..4}.key > keys
+cat next.key {1..4}.key > keys
diff --git a/rotate-session-ticket-keys b/rotate-session-ticket-keys
index ea4df85..ad17703 100755
--- a/rotate-session-ticket-keys
+++ b/rotate-session-ticket-keys
@@ -7,10 +7,11 @@ cd /etc/session-ticket-keys
 rsync -tI 2.key 1.key
 rsync -tI 3.key 2.key
 rsync -tI 4.key 3.key
-head -c 80 new.key
-mv new.key 4.key
+rsync -tI next.key 4.key
+head -c 80 tmp.key
+mv tmp.key next.key
-cat {1..4}.key > keys.new
+cat next.key {1..4}.key > keys.new
 mv keys.new keys
 status=0
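Review bot: The key files produced by the `head -c 80 $i` loop and the concatenated `keys` file are created with whatever umask the script inherits, and nothing in the hunk restricts them; the same applies to `tmp.key` in rotate-session-ticket-keys. Unless the script head (lines 1–3, outside the hunk) already does so, adding `umask 077` directly after `cd /etc/session-ticket-keys` keeps the 80-byte ticket keys from ever being world- or group-readable on the host. The redirect and random source for `head` appear to have been collapsed in this rendering, so I am assuming the loop writes each file rather than reading it. Quoting `$i` as `"$i"` would also match the `set -o nounset` discipline visible in the hunk header, even though the brace-expanded names cannot word-split here.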
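Review bot: The new ordering in `cat next.key {1..4}.key > keys.new` appears to rely on the consumer treating the first 80 bytes (`next.key`) as decrypt-only and `4.key` as the active encryption key, which is what lets a key be distributed one rotation before it is used, but the script does not record that contract anywhere. A comment above the `cat` line along the lines of `# next.key is published for decryption only; it becomes the active key (4.key) at the next rotation` would keep the ordering safe to maintain. Separately, `rsync -tI next.key 4.key` now runs before the fresh `next.key` exists, so if `head` or `mv` fails under errexit the directory is left with `4.key` and `next.key` identical while the old `keys` stays in place; if I read the copies correctly, a re-run would then carry that duplicate into `3.key` and `4.key`, shortening the accepted-key history by one slot. Generating `tmp.key` first and only then performing the four copies and the `mv tmp.key next.key` step would narrow that window. The script continues past the hunk (`status=0`), so any cleanup or verification there is not visible here.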