Generate a key pair
Every signer needs their own key pair. This guide walks you through creating one.
Prerequisites
- The client binary is installed and in your PATH.
Steps
1. Choose a directory
Pick a directory to store your keys. A common convention is ~/.asfaload/:
mkdir -p ~/.asfaload
2. Generate the key pair
client new-keys --name mykey --output-dir ~/.asfaload
You’ll be prompted for a password to protect the secret key. Pick a strong one — this password is required every time you sign.
This creates two files:
| File | Purpose |
|---|---|
| ~/.asfaload/mykey | Secret key (keep this safe) |
| ~/.asfaload/mykey.pub | Public key (share with your team) |
3. Verify the output
ls ~/.asfaload/mykey*
You should see both mykey and mykey.pub.
Choosing an algorithm
The default algorithm is minisign. If your project requires Ed25519 keys:
client new-keys --name mykey --output-dir ~/.asfaload --algorithm ed25519
All signers in the same signers file must use the same algorithm.
Non-interactive usage
For CI or scripting, pass the password directly:
client new-keys --name ci-key --output-dir ./keys --password "$KEY_PASSWORD"
Or via environment variable:
export ASFALOAD_NEW_KEYS_PASSWORD="$KEY_PASSWORD"
client new-keys --name ci-key --output-dir ./keys
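A CI wrapper for the non-interactive flow above, as an added example that is not part of the asfaload project: it supplies the password through ASFALOAD_NEW_KEYS_PASSWORD inside a subshell, which keeps it out of the command's argument list (typically visible in process listings), refuses to overwrite an existing key, and performs the step 3 check. The function name, the KEY_PASSWORD variable, the return codes and the file modes are assumptions of this example; whether the client sets file permissions itself is not stated in this guide.

```shell
#!/bin/sh
# Added example, not asfaload project code. It uses only the subcommand, flags
# and environment variable shown in this guide. The function name, KEY_PASSWORD,
# the return codes and the file modes are assumptions of this example.
#
# Usage: KEY_PASSWORD=... generate_signing_key NAME DIR
# Returns 0 and prints the public key path, or:
#   2 bad arguments / no password, 3 key exists, 4 command failed, 5 files missing
generate_signing_key() {
    name=$1
    dir=$2
    if [ -z "$name" ] || [ -z "$dir" ] || [ -z "${KEY_PASSWORD:-}" ]; then
        echo "usage: KEY_PASSWORD=... generate_signing_key NAME DIR" >&2
        return 2
    fi

    # Never replace a key that signers may already depend on.
    if [ -e "$dir/$name" ] || [ -e "$dir/$name.pub" ]; then
        echo "refusing to overwrite existing key $dir/$name" >&2
        return 3
    fi

    # Step 1: key directory accessible to the owner only.
    mkdir -p "$dir" && chmod 700 "$dir" || return 4

    # Step 2: the password travels in the environment of a subshell, so it is
    # not in the argument list and is not left exported in the calling shell.
    (
        umask 077
        ASFALOAD_NEW_KEYS_PASSWORD=$KEY_PASSWORD
        export ASFALOAD_NEW_KEYS_PASSWORD
        client new-keys --name "$name" --output-dir "$dir" >&2
    ) || { echo "client new-keys failed" >&2; return 4; }

    # Step 3: both files must exist and be non-empty.
    if [ ! -s "$dir/$name" ] || [ ! -s "$dir/$name.pub" ]; then
        echo "expected $dir/$name and $dir/$name.pub" >&2
        return 5
    fi

    # Secret key readable by the owner only; public key is meant to be shared.
    chmod 600 "$dir/$name" && chmod 644 "$dir/$name.pub" || return 4
    printf '%s\n' "$dir/$name.pub"
}
```

In a pipeline, set KEY_PASSWORD from the CI secret store and call `generate_signing_key ci-key ./keys`; the printed path is the file to hand to the signers file maintainer.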
Next step
Share your .pub file with whoever maintains the signers file. They’ll include it when creating the signers file.