dokugent keygen
Generates a new Ed25519 keypair for signing agent specs. Keys are stored securely alongside a metadata file (owner.json) that includes the key's fingerprint.
What It Does
- Prompts for an agent or key name
- Generates a keypair using the Ed25519 algorithm
- Saves .pem files and owner.json in .dokugent/keys/owners/<name>/latest/
- Prevents overwriting if a key with the same name already exists
Behavior Overview
Prompt
If left blank, defaults to "<ownerName>".
Key Files Generated
Each key is saved under:
.dokugent/keys/owners/<name>/
└── latest → <timestamped-folder>/
    ├── <name>.private.pem   # Private signing key
    ├── <name>.public.pem    # Public verification key
    └── owner.json           # Metadata describing the *signing identity* (see note below)
Multiple keys can exist side-by-side:
.dokugent/keys/owners/
├── alice/
│   ├── latest → alice@2025-05-28_14-02-00/
│   └── alice@2025-05-28_14-02-00/
│       ├── alice.private.pem
│       ├── alice.public.pem
│       └── owner.json
└── bob/
    ├── latest → bob@2025-05-27_10-45-12/
    └── bob@2025-05-27_10-45-12/
        ├── bob.private.pem
        ├── bob.public.pem
        └── owner.json
owner.json Example
{
  "signerName": "alice",
  "email": "alice@example.com",
  "organization": "dokugent",
  "trustLevel": "admin",
  "createdAt": "2025-05-28T14:02:00.000Z",
  "publicKey": "-----BEGIN PUBLIC KEY-----\\n...\\n-----END PUBLIC KEY-----",
  "fingerprint": "3038aeab97e9c07020f856d607276cfc124b38c9f6ad52c712320e6d51c8bd8f"
}
⚠️ Note: The keygen metadata file (owner.json) refers to the signing identity (signer), not the content owner. Ownership is declared separately in the Owner block.
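A consistency check for one key folder, as an added example that is not dokugent's own code: it confirms the key is Ed25519, that the private key derives the published public key, and that owner.json agrees with public.pem. The function names are hypothetical, and two things are assumptions because this page does not state them: that the fingerprint is the hex SHA-256 of the public key's SPKI DER bytes, and that the private key file should be owner-only on POSIX systems.

```javascript
// Added example (not dokugent code): audit one key folder laid out as shown above.
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// DER (SPKI) bytes of a public key, so PEM whitespace differences do not matter.
const spki = (key) => key.export({ type: 'spki', format: 'der' });

// ASSUMPTION: fingerprint = hex SHA-256 over the SPKI DER bytes (not stated on the page).
const fingerprintOf = (key) => crypto.createHash('sha256').update(spki(key)).digest('hex');

function auditKeyDir(dir, name) {
  const findings = [];
  const privPath = path.join(dir, `${name}.private.pem`);
  const pub = crypto.createPublicKey(fs.readFileSync(path.join(dir, `${name}.public.pem`)));
  const priv = crypto.createPrivateKey(fs.readFileSync(privPath));
  const owner = JSON.parse(fs.readFileSync(path.join(dir, 'owner.json'), 'utf8'));

  if (pub.asymmetricKeyType !== 'ed25519') findings.push('public key is not Ed25519');
  // The private key must derive the same public key that verifiers will use.
  if (!spki(crypto.createPublicKey(priv)).equals(spki(pub))) findings.push('private/public key mismatch');
  // owner.json may hold the PEM with literal "\n" sequences; normalise before parsing.
  const ownerPub = crypto.createPublicKey(String(owner.publicKey).replace(/\\n/g, '\n'));
  if (!spki(ownerPub).equals(spki(pub))) findings.push('owner.json publicKey differs from public.pem');
  if (owner.fingerprint !== fingerprintOf(pub)) findings.push('owner.json fingerprint does not match public key');
  // ASSUMPTION (POSIX only): the private key should not be accessible to group or others.
  if (process.platform !== 'win32' && (fs.statSync(privPath).mode & 0o077) !== 0)
    findings.push('private key is group/world accessible');
  return findings;
}

// Constructed sample folder in a temp dir, so the audit can run without dokugent installed.
function makeSampleDir(name) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'keyaudit-'));
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const pubPem = publicKey.export({ type: 'spki', format: 'pem' });
  fs.writeFileSync(path.join(dir, `${name}.public.pem`), pubPem);
  fs.writeFileSync(path.join(dir, `${name}.private.pem`),
    privateKey.export({ type: 'pkcs8', format: 'pem' }), { mode: 0o600 });
  fs.writeFileSync(path.join(dir, 'owner.json'), JSON.stringify(
    { signerName: name, publicKey: pubPem, fingerprint: fingerprintOf(publicKey) }));
  return dir;
}

console.log(auditKeyDir(makeSampleDir('alice'), 'alice'));
```

If the fingerprint check fails against a real key folder while the other checks pass, the fingerprint assumption is the first thing to revisit.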
Prevents Overwrites
If a key with the given name already exists, the command aborts:
Cross-Platform Notes
Dokugent keygen works across macOS, Linux, and Windows. No setup rituals. No fuss. It just works, like it should.