monotone-devel

Re: [Monotone-devel] Dealing with lost key


From: Timothy Brownawell
Subject: Re: [Monotone-devel] Dealing with lost key
Date: Sat, 17 Jan 2009 19:27:42 +0000

On Thu, 2009-01-15 at 14:19 -0800, dlakelan wrote:
> I've lost a key which has been used to certify a variety of things in 
> one project. I've generated a new key, and now I'd like to replace all 
> the old certificates with new certificates from the new key, and have my 
> collaborators do the same... so we don't get a lot of warnings about 
> incorrect certs. How can I do this?

There's no simple way to replace certs like that; the easiest solution
is to just keep them and make sure the new key has a different name.

I don't think we have a command that can delete particular certs (except
branch certs, and that isn't by key), and I also don't think we have a
command to get all certs from a particular key.

If you really do need to delete the old certs and generate new ones,
something along these lines would probably work (not tested, may ruin
your db)...


# in case this breaks things horribly
cp your_db your_db_backup

# get a list of old certs (one line per cert: hex id, name, value;
# newlines inside values are replaced by the NEWLINE placeholder)
mtn -d your_db db execute "select hex(id), name,
replace(value,x'0A','NEWLINE') from revision_certs where keypair =
'your_keypair_id'" >old_certs

# delete old certs
mtn -d your_db db execute "delete from revision_certs where keypair =
'your_keypair_id'"

# create new certs to replace them, reading the saved list back in;
# IFS is set for read only, so '|' splits the three fields
while IFS='|' read -r revid cert_name cert_value
do
        mtn -d your_db -k your_new_keypair_id cert "$revid" "$cert_name" \
                "$(printf '%s\n' "$cert_value" | sed 's/NEWLINE/\n/g')"
done <old_certs


Collaborators would have to either (1) delete/rename their databases and
pull a fresh db from you (this includes any dedicated server databases,
those would also have to be deleted/replaced) or (2) run the backup and
delete-old-certs steps and re-pull (again including any dedicated
servers).
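
A pre-flight check for the old_certs file, to run between the export and the delete step, so that header lines or malformed rows in the export are caught while the certs still exist. This is an added example, not part of the original message and not monotone's own code; the REVID|name|value line format is taken from the query and read loop above, and the 40-hex-digit revision id and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the old_certs export, run before the
# delete step. Assumed line format (from the post's query and read loop):
#   REVID|cert_name|cert_value   with REVID as 40 hex digits (assumption).

# Turn the NEWLINE placeholder back into real line breaks (portable awk form).
restore_value() {
    printf '%s\n' "$1" | awk '{ gsub(/NEWLINE/, "\n"); print }'
}

# Print a summary; succeed only if every line is usable and at least one exists.
check_old_certs() {
    file=$1
    good=0
    bad=0
    lineno=0
    # '|' splits the first two fields; cert_value keeps any further '|'.
    while IFS='|' read -r revid cert_name cert_value || [ -n "$revid" ]; do
        lineno=$((lineno + 1))
        ok=yes
        case $revid in
            ''|*[!0-9A-Fa-f]*) ok=no ;;   # empty or non-hex id (header, blank line)
        esac
        [ "${#revid}" -eq 40 ] || ok=no   # wrong id length
        [ -n "$cert_name" ] || ok=no      # missing cert name
        if [ "$ok" = yes ]; then
            good=$((good + 1))
        else
            bad=$((bad + 1))
            echo "line $lineno rejected: $revid|$cert_name" >&2
        fi
    done <"$file"
    echo "$good usable, $bad rejected"
    [ "$bad" -eq 0 ] && [ "$good" -gt 0 ]
}
```

Calling check_old_certs old_certs before the delete returns non-zero if any line would not survive the re-certification loop, and the rejected line numbers go to stderr.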




