From ec99f038fa6dd5207bc277d9efc815c8d29de52d Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Mon, 31 Jul 2017 20:40:23 -0400
Subject: [PATCH 1/2] Improve the keypin failure message

Closes the human-factors part of ticket 22348.
---
 changes/ticket22348 | 5 +++++
 src/or/dirserv.c | 5 ++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 changes/ticket22348

diff --git a/changes/ticket22348 b/changes/ticket22348
new file mode 100644
index 000000000..49ae94cdf
--- /dev/null
+++ b/changes/ticket22348
@@ -0,0 +1,5 @@
+ o Minor features (directory authority):
+ - Improve the message that authorities report to relays when
+ the RSA/Ed25519 key pair they present conflicts with a previously
+ pinned key. Closes ticket 22348.
+
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index 468fdbd48..4c5309b3b 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -720,7 +720,10 @@ dirserv_add_descriptor(routerinfo_t *ri, const char **msg, const char *source)
 log_info(LD_DIRSERV, "Dropping descriptor from %s (source: %s) because "
 "its key did not match an older RSA/Ed25519 keypair",
 router_describe(ri), source);
- *msg = "Looks like your keypair does not match its older value.";
+ *msg = "Looks like your keypair has changed? This authority previously "
+ "recorded a different RSA identity for this Ed25519 identity (or vice "
+ "versa.) Did you replace or copy some of your key files, but not "
+ "the others?";
 r = ROUTER_AUTHDIR_REJECTS;
 goto fail;
 }
From ab166fe68faa87237c767a38682271b22ce8c029 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Mon, 28 Aug 2017 11:35:30 -0400
Subject: [PATCH 2/2] Try to improve the keypinning-failure message even more

---
 src/or/dirserv.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index 4c5309b3b..acd00322a 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
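Review bot: The new rejection text in the `src/or/dirserv.c` hunk of patch 1/2 does not tell the operator which identity the authority had pinned, because it covers both directions with "(or vice versa.)"; from this string alone a relay operator cannot tell whether the RSA or the Ed25519 key files are the ones that differ. If the key-pinning check that leads to this branch can distinguish the two cases (it lies outside the hunk, so this is an assumption to confirm), choosing between two direction-specific messages would make the rejection actionable. Separately, the full stop belongs outside the parenthesis: `"versa). Did you replace or copy some of your key files, but not "`. `dirserv_add_descriptor` begins and ends outside the hunk.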
@@ -723,7 +723,9 @@ dirserv_add_descriptor(routerinfo_t *ri, const char **msg, const char *source)
 *msg = "Looks like your keypair has changed? This authority previously "
 "recorded a different RSA identity for this Ed25519 identity (or vice "
 "versa.) Did you replace or copy some of your key files, but not "
- "the others?";
+ "the others? You should either restore the expected keypair, or "
+ "delete your keys and restart Tor to start your relay with a new "
+ "identity.";
 r = ROUTER_AUTHDIR_REJECTS;
 goto fail;
 }
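Review bot: The added advice "delete your keys" does not say which keys, and by the message's own description removing only one of the two identities would leave a pinned identity paired with a fresh one and trigger the same rejection again. Naming both closes that gap, for example `"delete both your RSA and Ed25519 identity keys and restart Tor to "` followed by `"start your relay with a new identity."`. The text also assumes the operator caused the change; an operator who did not touch any key file gets no hint that the conflict may mean a copy of one identity key is in use on another host, which deserves a short clause before the remediation steps. The enclosing function starts and ends outside the hunk.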