Next: , Previous: Informative, Up: Command Reference


5.5 Key and Cert Trust

mtn genkey keyid
This command generates an rsa public/private key pair, using a system random number generator, and stores it in your keystore under the key name keyid.

The private half of the key is stored in an encrypted form, so that anyone who can read your keystore cannot extract your private key and use it. You must provide a passphrase for your key when it is generated, which is used to determine the encryption key. In the future you will need to enter this passphrase again each time you sign a certificate, which happens every time you commit to your database. You can tell monotone to automatically use a certain passphrase for a given key using the get_passphrase(keypair_id), but this significantly increases the risk of a key compromise on your local computer. Be careful using this hook.

mtn dropkey keyid
This command drops the public and/or private key. If both exist, both are dropped, if only one exists, it is dropped. This command should be used with caution as changes are irreversible without a backup of the key(s) that were dropped.
mtn passphrase id
This command lets you change the passphrase of the private half of the key id.
mtn trusted id certname certval signers
This command lets you test your revision trust hook get_revision_cert_trust (see Hook Reference). You pass it a revision ID, a certificate name, a certificate value, and one or more key IDs, and it will tell you whether, under your current settings, Monotone would trust a cert on that revision with that value signed by those keys.
mtn ssh_agent_export filename
This command will export your private key in a format that ssh-agent can read (PKCS8, PEM). You will be asked for your current key's password and a new password to encrypt the key with. The key will be printed to stdout. Once you have put this key in a file simply add it to ssh-agent and you will only have to enter your key password once as ssh-agent will cache the key for you.
          $ mtn ssh_agent_export ~/.ssh/id_monotone
          enter passphrase for key ID [user@example.com]:
          enter new passphrase for key ID [user@example.com]:
          confirm passphrase for key ID [user@example.com]:
          $ chmod 600 ~/.ssh/id_monotone
          $ ssh-agent /bin/bash
          $ ssh-add ~/.ssh/id_monotone
          Enter passphrase for /home/user/.ssh/id_monotone:
          Identity added: /home/user/.ssh/id_monotone (/home/user/.ssh/id_monotone)
          $ mtn ci -m"Changed foo to bar"
          $ mtn push
     

You can also use the --ssh-sign option to control whether ssh-agent will be used for signing. If set to yes, ssh-agent will be used to sign. If your key has not been added to ssh-agent monotone will fall back to its internal signing code and ask you for your password. If set to only, monotone will sign only with ssh-agent. If set to no, monotone will always use its internal signing code even if ssh-agent is running and has your monotone key loaded. If set to check, monotone will sign with both ssh-agent (if your key is loaded into it) and monotone's internal signing code, then compare the results. check will be removed at some future time as it is meant only for testing and will not work with all signing algorithms.