Manages firmware signing keys

Firmware signing keys consist of public and private keys. The mix nerves_hub.key task manages both pieces for you. Private signing keys are password-protected and are NEVER sent to NervesHub or any other server. Public keys, however, are registered with NervesHub and embedded in your firmware.

Signing keys are stored in ~/.nerves-hub/keys. Keys may be shared between developers by copying the files in this folder.

NervesHub can manage more than one key so that you can have different development and production keys in use. For example, production devices deployed with only the production public key will not accept firmware signed by development keys.

To ensure that firmware includes keys registered with NervesHub, add the following entry in your project's config.exs:

# List the public firmware signing keys to include on the device
config :nerves_hub,
  public_keys: [:my_dev_key, :my_prod_key]

list

List the keys known to NervesHub

mix nerves_hub.key list

Command-line options

• --local - (Optional) Do not request key information from NervesHub

create

Create a new firmware signing key pair with the specified name and register the public key with NervesHub

mix nerves_hub.key create NAME

Command-line options

• --local - (Optional) Do not register the public key with NervesHub

delete

Delete a signing key locally and on NervesHub

mix nerves_hub.key delete NAME

Command-line options

• --local - (Optional) Perform the operation only locally defaults to false which will perform both local and remote operations

import

Import an existing key locally and on NervesHub

mix nerves_hub.key import NAME PUBLIC_KEY_FILE PRIVATE_KEY_FILE

Command-line options

• --local - (Optional) Do not register the public key with NervesHub

export

Export a signing key to a tar.gz archive.

mix nerves_hub.key export NAME

Command-line options

• --path - (Optional) A local location for exporting keys.