2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -129,7 +129,7 @@ jobs:
fi

auths artifact sign ${{ matrix.asset_name }}${{ matrix.ext }} \
--device-key-alias ci-release-device \
--device-key ci-release-device \
--note "GitHub Actions release — ${{ github.ref_name }}" \
--repo /tmp/auths-identity

38 changes: 18 additions & 20 deletions crates/auths-cli/src/commands/artifact/mod.rs
Expand Up @@ -34,19 +34,17 @@ pub enum ArtifactSubcommand {
/// Local alias of the identity key (used for signing). Omit for CI device-only signing.
#[arg(
long,
visible_alias = "ika",
help = "Local alias of the identity key. Omit for device-only CI signing."
)]
identity_key_alias: Option<String>,
key: Option<String>,

/// Local alias of the device key (used for dual-signing).
/// Auto-detected when only one key exists for the identity.
#[arg(
long,
visible_alias = "dka",
help = "Local alias of the device key. Auto-detected when only one key exists."
)]
device_key_alias: Option<String>,
device_key: Option<String>,

/// Duration in seconds until expiration (per RFC 6749).
#[arg(long = "expires-in", value_name = "N")]
Expand Down Expand Up @@ -78,12 +76,12 @@ pub enum ArtifactSubcommand {
registry: String,

/// Local alias of the identity key. Omit for device-only CI signing.
#[arg(long, visible_alias = "ika")]
identity_key_alias: Option<String>,
#[arg(long)]
key: Option<String>,

/// Local alias of the device key. Auto-detected when only one key exists.
#[arg(long, visible_alias = "dka")]
device_key_alias: Option<String>,
#[arg(long)]
device_key: Option<String>,

/// Duration in seconds until expiration.
#[arg(long = "expires-in", value_name = "N")]
Expand Down Expand Up @@ -133,12 +131,12 @@ pub fn handle_artifact(
ArtifactSubcommand::Sign {
file,
sig_output,
identity_key_alias,
device_key_alias,
key,
device_key,
expires_in,
note,
} => {
let resolved_alias = match device_key_alias {
let resolved_alias = match device_key {
Some(alias) => alias,
None => crate::commands::key_detect::auto_detect_device_key(
repo_opt.as_deref(),
Expand All @@ -148,7 +146,7 @@ pub fn handle_artifact(
sign::handle_sign(
&file,
sig_output,
identity_key_alias.as_deref(),
key.as_deref(),
&resolved_alias,
expires_in,
note,
Expand All @@ -162,8 +160,8 @@ pub fn handle_artifact(
signature,
package,
registry,
identity_key_alias,
device_key_alias,
key,
device_key,
expires_in,
note,
} => {
Expand All @@ -174,7 +172,7 @@ pub fn handle_artifact(
if default_sig.exists() {
default_sig
} else {
let resolved_alias = match device_key_alias {
let resolved_alias = match device_key {
Some(alias) => alias,
None => crate::commands::key_detect::auto_detect_device_key(
repo_opt.as_deref(),
Expand All @@ -184,7 +182,7 @@ pub fn handle_artifact(
sign::handle_sign(
artifact,
None,
identity_key_alias.as_deref(),
key.as_deref(),
&resolved_alias,
expires_in,
note,
Expand Down Expand Up @@ -348,14 +346,14 @@ mod tests {
.unwrap();
match cli.command {
ArtifactSubcommand::Publish {
identity_key_alias,
device_key_alias,
key,
device_key,
expires_in,
note,
..
} => {
assert_eq!(identity_key_alias.as_deref(), Some("main"));
assert_eq!(device_key_alias.as_deref(), Some("device-1"));
assert_eq!(key.as_deref(), Some("main"));
assert_eq!(device_key.as_deref(), Some("device-1"));
assert_eq!(expires_in, Some(3600));
assert_eq!(note.as_deref(), Some("release build"));
}
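Review bot: The field name `key` in the `Sign` and `Publish` variants (and in the `handle_artifact` destructuring) no longer says which of the two keys it holds, even though the SDK side visible in this commit still uses `identity_key` / `identity_key_alias`. The flag can be renamed without renaming the field: `#[arg(long = "key", value_name = "ALIAS")] identity_key_alias: Option<String>` and `#[arg(long = "device-key", value_name = "ALIAS")] device_key_alias: Option<String>`. The explicit `value_name` makes usage read `--key <ALIAS>`, which discourages passing key material on the command line where it would end up in shell history. The same rename appears in device/authorization.rs and emergency.rs, and it matters most in `handle_extend`, where `key: &str, device_key: &str` are adjacent and a swapped call would still compile. The enum and `handle_artifact` both continue outside the visible hunks.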
9 changes: 4 additions & 5 deletions crates/auths-cli/src/commands/artifact/sign.rs
Expand Up @@ -15,8 +15,8 @@ use crate::factories::storage::build_auths_context;
pub fn handle_sign(
file: &Path,
output: Option<PathBuf>,
identity_key_alias: Option<&str>,
device_key_alias: &str,
key: Option<&str>,
device_key: &str,
expires_in: Option<u64>,
note: Option<String>,
repo_opt: Option<PathBuf>,
Expand All @@ -29,9 +29,8 @@ pub fn handle_sign(

let params = ArtifactSigningParams {
artifact: Arc::new(FileArtifact::new(file)),
identity_key: identity_key_alias
.map(|a| SigningKeyMaterial::Alias(KeyAlias::new_unchecked(a))),
device_key: SigningKeyMaterial::Alias(KeyAlias::new_unchecked(device_key_alias)),
identity_key: key.map(|a| SigningKeyMaterial::Alias(KeyAlias::new_unchecked(a))),
device_key: SigningKeyMaterial::Alias(KeyAlias::new_unchecked(device_key)),
expires_in,
note,
};
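Review bot: The rewritten `ArtifactSigningParams` initializer still wraps the raw CLI strings with `KeyAlias::new_unchecked(a)` and `KeyAlias::new_unchecked(device_key)` without saying where the alias is validated, whereas the `DeviceDID::new_unchecked` call in `handle_extend` carries an `// INVARIANT:` comment. If `KeyAlias` has a validating constructor it belongs here, since this is where untrusted input enters the signing path. Otherwise add a comment such as `// NOTE(review): alias comes from the CLI unvalidated; confirm the key store lookup rejects malformed values`. The same pattern is on the new side of the `Link`, `Revoke` and `handle_extend` hunks in device/authorization.rs. The body of `handle_sign` continues outside this hunk.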
55 changes: 24 additions & 31 deletions crates/auths-cli/src/commands/device/authorization.rs
Expand Up @@ -62,24 +62,19 @@ pub enum DeviceSubcommand {
/// Authorize a new device to act on behalf of the identity.
#[command(visible_alias = "add")]
Link {
#[arg(
long,
visible_alias = "ika",
help = "Local alias of the *identity's* key (used for signing)."
)]
identity_key_alias: String,
#[arg(long, help = "Local alias of the *identity's* key (used for signing).")]
key: String,

#[arg(
long,
visible_alias = "dka",
help = "Local alias of the *new device's* key (must be imported first)."
)]
device_key_alias: String,
device_key: String,

#[arg(
long,
visible_alias = "device",
help = "Identity ID of the new device being authorized (must match device-key-alias)."
help = "Identity ID of the new device being authorized (must match --device-key)."
)]
device_did: String,

Expand Down Expand Up @@ -132,7 +127,7 @@ pub enum DeviceSubcommand {
long,
help = "Local alias of the *identity's* key (required to authorize revocation)."
)]
identity_key_alias: String,
key: String,

#[arg(long, help = "Optional note explaining the revocation.")]
note: Option<String>,
Expand Down Expand Up @@ -176,18 +171,16 @@ pub enum DeviceSubcommand {
expires_in: u64,

#[arg(
long = "identity-key-alias",
visible_alias = "ika",
long,
help = "Local alias of the *identity's* key (required for re-signing)."
)]
identity_key_alias: String,
key: String,

#[arg(
long = "device-key-alias",
visible_alias = "dka",
long,
help = "Local alias of the *device's* key (required for re-signing)."
)]
device_key_alias: String,
device_key: String,
},
}

Expand Down Expand Up @@ -231,8 +224,8 @@ pub fn handle_device(
rt.block_on(super::verify_attestation::handle_verify(verify_cmd))
}
DeviceSubcommand::Link {
identity_key_alias,
device_key_alias,
key,
device_key,
device_did,
payload: payload_path_opt,
schema: schema_path_opt,
Expand All @@ -250,8 +243,8 @@ pub fn handle_device(
.collect();

let link_config = auths_sdk::types::DeviceLinkConfig {
identity_key_alias: KeyAlias::new_unchecked(identity_key_alias),
device_key_alias: Some(KeyAlias::new_unchecked(device_key_alias)),
identity_key_alias: KeyAlias::new_unchecked(key),
device_key_alias: Some(KeyAlias::new_unchecked(device_key)),
device_did: Some(device_did.clone()),
capabilities: caps,
expires_in,
Expand Down Expand Up @@ -279,12 +272,12 @@ pub fn handle_device(

DeviceSubcommand::Revoke {
device_did,
identity_key_alias,
key,
note,
dry_run,
} => {
if dry_run {
return display_dry_run_revoke(&device_did, &identity_key_alias);
return display_dry_run_revoke(&device_did, &key);
}

let ctx = build_auths_context(
Expand All @@ -293,7 +286,7 @@ pub fn handle_device(
Some(Arc::clone(&passphrase_provider)),
)?;

let identity_key_alias = KeyAlias::new_unchecked(identity_key_alias);
let identity_key_alias = KeyAlias::new_unchecked(key);
auths_sdk::device::revoke_device(
&device_did,
&identity_key_alias,
Expand All @@ -309,15 +302,15 @@ pub fn handle_device(
DeviceSubcommand::Extend {
device_did,
expires_in,
identity_key_alias,
device_key_alias,
key,
device_key,
} => handle_extend(
&repo_path,
&config,
&device_did,
expires_in,
&identity_key_alias,
&device_key_alias,
&key,
&device_key,
passphrase_provider,
env_config,
),
Expand Down Expand Up @@ -428,8 +421,8 @@ fn handle_extend(
_config: &StorageLayoutConfig,
device_did: &str,
expires_in: u64,
identity_key_alias: &str,
device_key_alias: &str,
key: &str,
device_key: &str,
passphrase_provider: Arc<dyn PassphraseProvider + Send + Sync>,
env_config: &EnvironmentConfig,
) -> Result<()> {
Expand All @@ -438,8 +431,8 @@ fn handle_extend(
#[allow(clippy::disallowed_methods)] // INVARIANT: device_did from CLI arg validated upstream
device_did: auths_verifier::types::DeviceDID::new_unchecked(device_did),
expires_in,
identity_key_alias: KeyAlias::new_unchecked(identity_key_alias),
device_key_alias: Some(KeyAlias::new_unchecked(device_key_alias)),
identity_key_alias: KeyAlias::new_unchecked(key),
device_key_alias: Some(KeyAlias::new_unchecked(device_key)),
};
let ctx = build_auths_context(repo_path, env_config, Some(passphrase_provider))?;

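Review bot: The updated help text on `device_did` in `Link` says the DID "must match --device-key", but the visible `Link` arm performs no comparison. It only copies both values into `DeviceLinkConfig` (`device_key_alias: Some(KeyAlias::new_unchecked(device_key))`, `device_did: Some(device_did.clone())`). If the SDK call that consumes `link_config` enforces the match, say so at the config construction, e.g. `// device_did is checked against the device key by the SDK link call (confirm)`. If it does not, the CLI should reject a mismatch before the authorization is signed, and a test with a deliberately mismatched DID would pin that behaviour. The arm continues outside the hunk, so the check may exist in lines not shown.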
10 changes: 4 additions & 6 deletions crates/auths-cli/src/commands/emergency.rs
Expand Up @@ -52,7 +52,7 @@ pub struct RevokeDeviceCommand {

/// Local alias of the identity's key (used for signing the revocation).
#[arg(long)]
pub identity_key_alias: Option<String>,
pub key: Option<String>,

/// Optional note explaining the revocation.
#[arg(long)]
Expand Down Expand Up @@ -229,7 +229,7 @@ fn handle_interactive_flow(ctx: &crate::config::CliConfig) -> Result<()> {
handle_revoke_device(
RevokeDeviceCommand {
device: None,
identity_key_alias: None,
key: None,
note: None,
yes: false,
dry_run: false,
Expand Down Expand Up @@ -321,16 +321,14 @@ fn handle_revoke_device(
};

// Get identity key alias
let identity_key_alias = if let Some(alias) = cmd.identity_key_alias {
let identity_key_alias = if let Some(alias) = cmd.key {
alias
} else if std::io::stdin().is_terminal() {
Input::new()
.with_prompt("Enter identity key alias")
.interact_text()?
} else {
return Err(anyhow!(
"--identity-key-alias is required in non-interactive mode"
));
return Err(anyhow!("--key is required in non-interactive mode"));
};

out.println(&format!("Device to revoke: {}", out.info(&device_did)));
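Review bot: `RevokeDeviceCommand` drops `--identity-key-alias` outright, so a runbook or script that still passes the old flag would fail argument parsing just when a device has to be revoked. Failing closed is right for signing, but on the emergency path a hidden deprecated alias for one release is cheap: `#[arg(long, alias = "identity-key-alias")] pub key: Option<String>`. The interactive prompt in `handle_revoke_device` still reads `"Enter identity key alias"` while the non-interactive error now names `--key`, so mentioning the flag in the prompt would keep the two consistent. `handle_revoke_device` starts and ends outside the hunk.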
2 changes: 1 addition & 1 deletion crates/auths-cli/src/commands/key_detect.rs
Expand Up @@ -79,7 +79,7 @@ pub fn auto_detect_device_key(
} else {
let alias_list: Vec<&str> = signing_aliases.iter().map(|a| a.as_str()).collect();
Err(anyhow!(
"Multiple device keys found. Specify with --device-key-alias.\n\n\
"Multiple device keys found. Specify with --device-key.\n\n\
Available aliases: {}",
alias_list.join(", ")
))