/usr/share/doc/monotone/html/Key-and-Cert.html is in monotone-doc 1.0-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 | <html lang="en">
<head>
<title>Key and Cert - monotone documentation</title>
<meta http-equiv="Content-Type" content="text/html">
<meta name="description" content="monotone documentation">
<meta name="generator" content="makeinfo 4.13">
<link title="Top" rel="start" href="index.html#Top">
<link rel="up" href="Command-Reference.html#Command-Reference" title="Command Reference">
<link rel="prev" href="Variables.html#Variables" title="Variables">
<link rel="next" href="Packet-I_002fO.html#Packet-I_002fO" title="Packet I/O">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage">
<meta http-equiv="Content-Style-Type" content="text/css">
<style type="text/css"><!--
pre.display { font-family:inherit }
pre.format { font-family:inherit }
pre.smalldisplay { font-family:inherit; font-size:smaller }
pre.smallformat { font-family:inherit; font-size:smaller }
pre.smallexample { font-size:smaller }
pre.smalllisp { font-size:smaller }
span.sc { font-variant:small-caps }
span.roman { font-family:serif; font-weight:normal; }
span.sansserif { font-family:sans-serif; font-weight:normal; }
--></style>
<link rel="stylesheet" type="text/css" href="texinfo.css">
</head>
<body>
<div class="node">
<a name="Key-and-Cert"></a>
<p>
Next: <a rel="next" accesskey="n" href="Packet-I_002fO.html#Packet-I_002fO">Packet I/O</a>,
Previous: <a rel="previous" accesskey="p" href="Variables.html#Variables">Variables</a>,
Up: <a rel="up" accesskey="u" href="Command-Reference.html#Command-Reference">Command Reference</a>
<hr>
</div>
<h3 class="section">4.8 Key and Cert</h3>
<dl>
<a name="mtn-cert"></a><dt><samp><span class="command">mtn cert </span><var>selector</var> <var>certname</var><span class="command"> [</span><var>certval</var><span class="command">]</span></samp><a name="index-mtn-cert-_0040var_007bselector_007d-_0040var_007bcertname_007d-_005b_0040var_007bcertval_007d_005d-167"></a><dd>
Create a new certificate with name <var>certname</var>, for all
revisions matching <var>selector</var>.
<p>If <var>certval</var> is provided, it is the value of the certificate.
Otherwise the certificate value is read from <code>stdin</code>.
<p><a name="mtn-dropkey"></a><br><dt><samp><span class="command">mtn dropkey </span><var>keyid</var></samp><a name="index-mtn-dropkey-_0040var_007bkeyid_007d-168"></a><dd>Drop the public and/or private key. This command should be used with
caution as changes are irreversible without a backup of the key(s)
that were dropped.
<br><dt><samp><span class="command">mtn genkey </span><var>keyid</var></samp><a name="index-mtn-genkey-_0040var_007bkeyid_007d-169"></a><dd>This command generates an <span class="sc">rsa</span> public/private key pair, using a
system random number generator, and stores it in your keystore under
the key name <var>keyid.keyhash</var>. The key's hash is printed out after
the key has been created.
<p>The private half of the key is stored in an encrypted form, so that
anyone who can read your keystore cannot extract your private key and
use it. You must provide a passphrase for your key when it is
generated, which is used to determine the encryption key. In the
future you will need to enter this passphrase again each time you sign
a certificate, which happens every time you <samp><span class="command">commit</span></samp> to your
database. You can tell monotone to automatically use a certain
passphrase for a given key using the
<code>get_passphrase(</code><var>key_identity</var><code>)</code> (see <a href="get_005fpassphrase.html#get_005fpassphrase">get_passphrase</a>),
but this significantly increases the risk of a key compromise on your
local computer. Be careful using this hook.
<p>Another way to avoid entering the private key passphrase each time it
is needed is to export it to ssh-agent; see <a href="mtn-ssh_005fagent_005fexport.html#mtn-ssh_005fagent_005fexport">mtn ssh_agent_export</a>, <a href="mtn-ssh_005fagent_005fadd.html#mtn-ssh_005fagent_005fadd">mtn ssh_agent_add</a>.
<p>The public key is stored in the database; the public and private keys
are stored in the keystore. This allows copying the database without
copying the private key.
<p>The location of the keystore is specified by <samp><span class="option">--keydir</span></samp>; it
defaults to the value stored in <samp><span class="file">_MTN/options</span></samp> for commands
executed in a workspace, or to the system default
(<samp><span class="file">$HOME/.monotone/keys</span></samp> on Unix and Cygwin,
<samp><span class="file">%APPDATA%/monotone/keys</span></samp> on native Win32).
<br><dt><samp><span class="command">mtn passphrase </span><var>keyid</var></samp><a name="index-mtn-passphrase-_0040var_007bkeyid_007d-170"></a><dd>This command lets you change the passphrase of the private half of the
key <var>id</var>.
<p><a name="mtn-ssh_005fagent_005fadd"></a><br><dt><samp><span class="command">mtn ssh_agent_add</span></samp><a name="index-mtn-ssh_005fagent_005fadd-171"></a><dd>This command will add your monotone keys to your current ssh-agent session.
You will be asked for the passphrase for each of your monotone private keys
and they will be added to the ssh-agent. Once this is done you should be able
to type <em>ssh-add -l</em> and see your monotone key listed. When you
subsequently use these keys through monotone it will use ssh-agent for signing
without asking your for your passphrase.
<p>On Windows native, monotone only supports the PuTTY ssh-agent
implementation. On Windows Cygwin and Unix, any standard ssh-agent
implementation can be used.
<p>This command is mainly for use in a session script as monotone will automatically
add your keys to ssh-agent on first use if it is available. For example the
following two examples are equivalent:
<pre class="smallexample"> $ mtn ssh_agent_add
enter passphrase for key ID [user@example.com]:
$ mtn ci -m"Changed foo to bar"
$ mtn push -k user@example.com
</pre>
<pre class="smallexample"> $ mtn ci -m"Changed foo to bar"
enter passphrase for key ID [user@example.com]:
$ mtn push -k user@example.com
</pre>
<p>In the second example, monotone automatically added the key to ssh-agent, making
entering the passphrase not needed during the push.
<p><a name="mtn-ssh_005fagent_005fexport"></a><br><dt><samp><span class="command">mtn ssh_agent_export [</span><var>filename</var><span class="command">]</span></samp><a name="index-mtn-ssh_005fagent_005fexport-_005b_0040var_007bfilename_007d_005d-172"></a><dd>
This command will export your private key in a format that ssh-agent
can read (PKCS8, PEM), to <var>filename</var> (defaults to standard
output). You will be asked for your current key's monotone password
and a new password to encrypt the key with (the ssh passphrase). The
key will be printed to stdout. Once you have put this key in a file
simply add it to ssh-agent and you will only have to enter your key
password once as ssh-agent will cache the key for you.
<pre class="smallexample"> $ mtn ssh_agent_export ~/.ssh/id_monotone
enter passphrase for key ID [user@example.com] (1234abcd...):
enter new passphrase for key ID [user@example.com] (1234abcd...):
confirm passphrase for key ID [user@example.com] (1234abcd...):
$ chmod 600 ~/.ssh/id_monotone
$ ssh-agent /bin/bash
$ ssh-add ~/.ssh/id_monotone
Enter passphrase for /home/user/.ssh/id_monotone:
Identity added: /home/user/.ssh/id_monotone (/home/user/.ssh/id_monotone)
$ mtn ci -m"Changed foo to bar"
$ mtn push -k user@example.com
</pre>
<p>You can also use the <samp><span class="option">--ssh-sign</span></samp> option to control whether ssh-agent will
be used for signing. If set to <em>yes</em>, ssh-agent will be used to sign. If your
key has not been added to ssh-agent monotone will fall back to its internal signing
code and ask you for your password. If set to <em>only</em>, monotone will sign only
with ssh-agent. If set to <em>no</em>, monotone will always use its internal signing
code even if ssh-agent is running and has your monotone key loaded. If set to
<em>check</em>, monotone will sign with both ssh-agent (if your key is loaded into
it) and monotone's internal signing code, then compare the results. <em>check</em>
will be removed at some future time as it is meant only for testing and will not
work with all signing algorithms.
<br><dt><samp><span class="command">mtn trusted </span><var>id</var> <var>certname</var> <var>certval</var> <var>signers</var></samp><a name="index-mtn-trusted-_0040var_007bid_007d-_0040var_007bcertname_007d-_0040var_007bcertval_007d-_0040var_007bsigners_007d-173"></a><dd>This command lets you test your revision trust hook
<a href="get_005frevision_005fcert_005ftrust.html#get_005frevision_005fcert_005ftrust">get_revision_cert_trust</a>. You pass it a revision ID, a
certificate name, a certificate value, and one or more key IDs or key
names, and it will tell you whether, under your current settings,
Monotone would trust a cert on that revision with that value signed by
those keys.
<p>The specified keys must exist either in your keystore or in the database.
</dl>
</body></html>
|