/usr/share/doc/monotone/html/Key-and-Cert.html is in monotone-doc 1.1-9.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 | <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Created by GNU Texinfo 6.1, http://www.gnu.org/software/texinfo/ -->
<head>
<title>monotone documentation: Key and Cert</title>
<meta name="description" content="monotone documentation: Key and Cert">
<meta name="keywords" content="monotone documentation: Key and Cert">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="General-Index.html#General-Index" rel="index" title="General Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="Command-Reference.html#Command-Reference" rel="up" title="Command Reference">
<link href="Packet-I_002fO.html#Packet-I_002fO" rel="next" title="Packet I/O">
<link href="Variables.html#Variables" rel="prev" title="Variables">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
-->
</style>
<link rel="stylesheet" type="text/css" href="texinfo.css">
</head>
<body lang="en">
<a name="Key-and-Cert"></a>
<div class="header">
<p>
Next: <a href="Packet-I_002fO.html#Packet-I_002fO" accesskey="n" rel="next">Packet I/O</a>, Previous: <a href="Variables.html#Variables" accesskey="p" rel="prev">Variables</a>, Up: <a href="Command-Reference.html#Command-Reference" accesskey="u" rel="up">Command Reference</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="General-Index.html#General-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Key-and-Cert-1"></a>
<h3 class="section">4.8 Key and Cert</h3>
<dl compact="compact">
<dd><a name="mtn-cert"></a></dd>
<dt><code>mtn cert <var>selector</var> <var>certname</var> [<var>certval</var>]</code>
<a name="index-mtn-cert-selector-certname-_005bcertval_005d"></a>
</dt>
<dd>
<p>Create a new certificate with name <var>certname</var>, for all
revisions matching <var>selector</var> (see <a href="Selectors.html#Selectors">Selectors</a>).
</p>
<p>If <var>certval</var> is provided, it is the value of the certificate.
Otherwise the certificate value is read from <code>stdin</code>.
</p>
<a name="mtn-dropkey"></a></dd>
<dt><code>mtn dropkey <var>keyid</var></code>
<a name="index-mtn-dropkey-keyid"></a>
</dt>
<dd><p>Drop the public and/or private key. This command should be used with
caution as changes are irreversible without a backup of the key(s)
that were dropped.
</p>
</dd>
<dt><code>mtn genkey <var>keyid</var></code>
<a name="index-mtn-genkey-keyid"></a>
</dt>
<dd><p>This command generates an <small>RSA</small> public/private key pair, using a
system random number generator, and stores it in your keystore under
the key name <var>keyid.keyhash</var>. The key’s hash is printed out after
the key has been created.
</p>
<p>The private half of the key is stored in an encrypted form, so that
anyone who can read your keystore cannot extract your private key and
use it. You must provide a passphrase for your key when it is
generated, which is used to determine the encryption key. In the
future you will need to enter this passphrase again each time you sign
a certificate, which happens every time you <code>commit</code> to your
database. You can tell monotone to automatically use a certain
passphrase for a given key using the
<code>get_passphrase(<var>key_identity</var>)</code> (see <a href="User-Defaults.html#get_005fpassphrase">get_passphrase</a>),
but this significantly increases the risk of a key compromise on your
local computer. Be careful using this hook.
</p>
<p>Another way to avoid entering the private key passphrase each time it
is needed is to export it to ssh-agent; see <a href="#mtn-ssh_005fagent_005fexport">mtn ssh_agent_export</a>, <a href="#mtn-ssh_005fagent_005fadd">mtn ssh_agent_add</a>.
</p>
<p>The public key is stored in the database; the public and private keys
are stored in the keystore. This allows copying the database without
copying the private key.
</p>
<p>The location of the keystore is specified by <samp>--keydir</samp>; it
defaults to the value stored in <samp>_MTN/options</samp> for commands
executed in a workspace, or to the system default
(<samp>$HOME/.monotone/keys</samp> on Unix and Cygwin,
<samp>%APPDATA%/monotone/keys</samp> on native Win32).
</p>
</dd>
<dt><code>mtn passphrase <var>keyid</var></code>
<a name="index-mtn-passphrase-keyid"></a>
</dt>
<dd><p>This command lets you change the passphrase of the private half of the
key <var>id</var>.
</p>
<a name="mtn-ssh_005fagent_005fadd"></a></dd>
<dt><code>mtn ssh_agent_add</code>
<a name="index-mtn-ssh_005fagent_005fadd"></a>
</dt>
<dd><p>This command will add your monotone keys to your current ssh-agent session.
You will be asked for the passphrase for each of your monotone private keys
and they will be added to the ssh-agent. Once this is done you should be able
to type <em>ssh-add -l</em> and see your monotone key listed. When you
subsequently use these keys through monotone it will use ssh-agent for signing
without asking your for your passphrase.
</p>
<p>On Windows native, monotone only supports the PuTTY ssh-agent
implementation. On Windows Cygwin and Unix, any standard ssh-agent
implementation can be used.
</p>
<p>This command is mainly for use in a session script as monotone will automatically
add your keys to ssh-agent on first use if it is available. For example the
following two examples are equivalent:
</p>
<div class="smallexample">
<pre class="smallexample">$ mtn ssh_agent_add
enter passphrase for key ID [user@example.com]:
$ mtn ci -m"Changed foo to bar"
$ mtn push -k user@example.com
</pre></div>
<div class="smallexample">
<pre class="smallexample">$ mtn ci -m"Changed foo to bar"
enter passphrase for key ID [user@example.com]:
$ mtn push -k user@example.com
</pre></div>
<p>In the second example, monotone automatically added the key to ssh-agent, making
entering the passphrase not needed during the push.
</p>
<a name="mtn-ssh_005fagent_005fexport"></a></dd>
<dt><code>mtn ssh_agent_export [<var>filename</var>]</code>
<a name="index-mtn-ssh_005fagent_005fexport-_005bfilename_005d"></a>
</dt>
<dd>
<p>This command will export your private key in a format that ssh-agent
can read (PKCS8, PEM), to <var>filename</var> (defaults to standard
output). You will be asked for your current key’s monotone password
and a new password to encrypt the key with (the ssh passphrase). The
key will be printed to stdout. Once you have put this key in a file
simply add it to ssh-agent and you will only have to enter your key
password once as ssh-agent will cache the key for you.
</p>
<div class="smallexample">
<pre class="smallexample">$ mtn ssh_agent_export ~/.ssh/id_monotone
enter passphrase for key ID [user@example.com] (1234abcd...):
enter new passphrase for key ID [user@example.com] (1234abcd...):
confirm passphrase for key ID [user@example.com] (1234abcd...):
$ chmod 600 ~/.ssh/id_monotone
$ ssh-agent /bin/bash
$ ssh-add ~/.ssh/id_monotone
Enter passphrase for /home/user/.ssh/id_monotone:
Identity added: /home/user/.ssh/id_monotone (/home/user/.ssh/id_monotone)
$ mtn ci -m"Changed foo to bar"
$ mtn push -k user@example.com
</pre></div>
<p>You can also use the <samp>--ssh-sign</samp> option to control whether ssh-agent will
be used for signing. If set to <em>yes</em>, ssh-agent will be used to sign. If your
key has not been added to ssh-agent monotone will fall back to its internal signing
code and ask you for your password. If set to <em>only</em>, monotone will sign only
with ssh-agent. If set to <em>no</em>, monotone will always use its internal signing
code even if ssh-agent is running and has your monotone key loaded. If set to
<em>check</em>, monotone will sign with both ssh-agent (if your key is loaded into
it) and monotone’s internal signing code, then compare the results. <em>check</em>
will be removed at some future time as it is meant only for testing and will not
work with all signing algorithms.
</p>
</dd>
<dt><code>mtn trusted <var>id</var> <var>certname</var> <var>certval</var> <var>signers</var></code>
<a name="index-mtn-trusted-id-certname-certval-signers"></a>
</dt>
<dd><p>This command lets you test your revision trust hook
<a href="Trust-Evaluation-Hooks.html#get_005frevision_005fcert_005ftrust">get_revision_cert_trust</a>. You pass it a revision ID (see
<a href="Selectors.html#Selectors">Selectors</a>), a certificate name, a certificate value, and one or
more key IDs or key names, and it will tell you whether, under your
current settings, Monotone would trust a cert on that revision with
that value signed by those keys.
</p>
<p>The specified keys must exist either in your keystore or in the database.
</p>
</dd>
</dl>
<hr>
<div class="header">
<p>
Next: <a href="Packet-I_002fO.html#Packet-I_002fO" accesskey="n" rel="next">Packet I/O</a>, Previous: <a href="Variables.html#Variables" accesskey="p" rel="prev">Variables</a>, Up: <a href="Command-Reference.html#Command-Reference" accesskey="u" rel="up">Command Reference</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="General-Index.html#General-Index" title="Index" rel="index">Index</a>]</p>
</div>
</body>
</html>
|