mkit keygen — generate a fresh signing key for one of the three
attestation algorithms.
    mkit keygen [--algorithm ed25519|secp256k1|p256] [--force] [--print-pubkey]

Behaviour:

- `--algorithm` defaults to `ed25519` (backward-compat with the original single-algorithm command). `ed25519` writes to `.mkit/keys/default.key`; `secp256k1`/`p256` write to the path configured via `attest.<algo>_key_path` (default `.mkit/keys/<algo>.key`).
- `--force` overwrites an existing key file; without it, refuse with a clear error.
- `--print-pubkey` emits the canonical keyid on stdout so downstream tooling can populate trust-roots entries without needing to parse key files:
  - `ed25519:<64-hex>`
  - `secp256k1:<66-hex>` (33-byte compressed SEC1)
  - `p256:<66-hex>` (33-byte compressed SEC1)
Key-file layout mirrors what the repo-key signer factory loads:
a raw 32-byte secret, mode 0600 on Unix (set on the open file
handle to avoid a TOCTOU rename(2) window; see finding H3).
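As an added example (not mkit's own code), this is how the key-file write and the keyid formatting described above can be done with only the Rust standard library; it assumes a Unix host, and the function names `write_secret_key`, `canonical_keyid` and `file_mode` are mine, not the crate's.

```rust
// Added example, not mkit's own code. Assumes a Unix host.
use std::fs::{self, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Write a raw 32-byte `secret` to `path`. Without `force`, `create_new`
/// makes the kernel refuse an existing file, so there is no separate
/// exists-then-create race. The 0600 mode is applied to the open handle
/// (fchmod), never to the path name, so a rename(2) between open and
/// chmod cannot redirect the permission change to another file.
pub fn write_secret_key(path: &Path, secret: &[u8; 32], force: bool) -> io::Result<()> {
    let mut opts = OpenOptions::new();
    opts.write(true).mode(0o600);
    if force {
        opts.create(true).truncate(true);
    } else {
        opts.create_new(true);
    }
    let mut f = opts.open(path)?;
    // fchmod on the handle: also covers the --force path where the file
    // already existed with a wider mode than 0600.
    f.set_permissions(Permissions::from_mode(0o600))?;
    f.write_all(secret)?;
    f.sync_all()
}

/// Build `<algo>:<hex>` from raw public-key bytes, checking the length the
/// keyid format requires: 32 bytes for ed25519, 33-byte compressed SEC1
/// (first byte 0x02 or 0x03) for secp256k1 and p256.
pub fn canonical_keyid(algo: &str, pubkey: &[u8]) -> Result<String, String> {
    let ok = match algo {
        "ed25519" => pubkey.len() == 32,
        "secp256k1" | "p256" => pubkey.len() == 33 && matches!(pubkey[0], 0x02 | 0x03),
        _ => return Err(format!("unknown algorithm {algo}")),
    };
    if !ok {
        return Err(format!("{algo}: bad public key encoding ({} bytes)", pubkey.len()));
    }
    let hex: String = pubkey.iter().map(|b| format!("{b:02x}")).collect();
    Ok(format!("{algo}:{hex}"))
}

/// Permission bits of `path`, for checking the 0600 invariant after a write.
pub fn file_mode(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}
```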