Fix BP doc and add a CLI command to generate encrypted key

.github/workflows/doc-commands.yml

@@ -32,7 +32,8 @@ jobs:
       - name: Setup Rust
         uses: ./.github/actions/setup-rust
         with:
-          toolchain: nightly
+          components: rustfmt
+          toolchain: 1.84
           cache-prefix: test-doc-commands-v0
 
       - name: Download circuits files
@@ -71,7 +72,7 @@ jobs:
           echo "Testing that generated key can be used by run-block-producer target..."
           # Run with --help to avoid actually starting the producer but verify
           # key validation passes
-          timeout 30s make run-block-producer-devnet COINBASE_RECEIVER="test" || {
+          timeout 30s make run-block-producer NETWORK=devnet COINBASE_RECEIVER=$(cat ./openmina-workdir/producer-key.pub) || {
             EXIT_CODE=$?
             if [ $EXIT_CODE -eq 124 ]; then
               echo "✅ Command started successfully (timed out as expected)"
@@ -83,6 +84,61 @@ jobs:
             fi
           }
 
+      - name: Test generate-block-producer-key with custom filename
+        run: |
+          echo "Testing generate-block-producer-key with custom PRODUCER_KEY_FILENAME..."
+          make generate-block-producer-key PRODUCER_KEY_FILENAME=./openmina-workdir/custom-producer-key
+
+          # Verify custom private key file exists
+          if [ ! -f "./openmina-workdir/custom-producer-key" ]; then
+            echo "❌ Custom producer key file was not generated"
+            exit 1
+          fi
+
+          # Verify custom public key file exists
+          if [ ! -f "./openmina-workdir/custom-producer-key.pub" ]; then
+            echo "❌ Custom producer public key file was not generated"
+            exit 1
+          fi
+
+          # Check file permissions (should be 600 for private key)
+          PERMS=$(stat -c "%a" "./openmina-workdir/custom-producer-key")
+          if [ "$PERMS" != "600" ]; then
+            echo "❌ Custom producer key file has incorrect permissions: $PERMS (expected: 600)"
+            exit 1
+          fi
+
+          # Check both files are not empty
+          if [ ! -s "./openmina-workdir/custom-producer-key" ]; then
+            echo "❌ Custom producer key file is empty"
+            exit 1
+          fi
+
+          if [ ! -s "./openmina-workdir/custom-producer-key.pub" ]; then
+            echo "❌ Custom producer public key file is empty"
+            exit 1
+          fi
+
+          echo "✅ Custom producer key pair generated successfully"
+
+      - name: Test generate-block-producer-key failure when keys exist
+        run: |
+          echo "Testing that generate-block-producer-key fails when keys already exist..."
+
+          # Try to generate keys again with default filename (should fail)
+          if make generate-block-producer-key 2>/dev/null; then
+            echo "❌ Command should have failed when keys already exist"
+            exit 1
+          fi
+
+          # Try to generate keys again with custom filename (should fail)
+          if make generate-block-producer-key PRODUCER_KEY_FILENAME=./openmina-workdir/custom-producer-key 2>/dev/null; then
+            echo "❌ Command should have failed when custom keys already exist"
+            exit 1
+          fi
+
+          echo "✅ Command correctly fails when keys already exist"
+
       - name: Test other documented make targets exist
         run: |
           echo "Testing that documented make targets exist..."

CHANGELOG.md

@@ -47,6 +47,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   ([#1221](https://github.com/o1-labs/openmina/pull/1221)).
 - **Documentation**: add section regarding peers setup and seeds
   ([#1295](https://github.com/o1-labs/openmina/pull/1295))
+- **Node**: add `openmina misc mina-encrypted-key` to generate a new encrypted
+  key with password, as the OCaml node provides
+  ([#1284](https://github.com/o1-labs/openmina/pull/1284/)).
 
 ### Changed
 

Makefile

@@ -15,7 +15,7 @@ PG_HOST	?= localhost
 PG_PORT	?= 5432
 
 # Block producer configuration
-PRODUCER_KEY ?= ./openmina-workdir/producer-key
+PRODUCER_KEY_FILENAME ?= ./openmina-workdir/producer-key
 COINBASE_RECEIVER ?=
 OPENMINA_LIBP2P_EXTERNAL_IP ?=
 OPENMINA_LIBP2P_PORT ?= 8302
@@ -313,44 +313,45 @@ run-archive: build-release ## Run an archive node with local storage
 
 .PHONY: run-block-producer
 run-block-producer: build-release ## Run a block producer node on $(NETWORK) network
-	@if [ ! -f "$(PRODUCER_KEY)" ]; then \
-		echo "Error: Producer key not found at $(PRODUCER_KEY)"; \
-		echo "Please place your producer private key at $(PRODUCER_KEY)"; \
+	@if [ ! -f "$(PRODUCER_KEY_FILENAME)" ]; then \
+		echo "Error: Producer key not found at $(PRODUCER_KEY_FILENAME)"; \
+		echo "Please place your producer private key at $(PRODUCER_KEY_FILENAME)"; \
 		exit 1; \
 	fi
-	MINA_PRIVKEY_PASS="$(MINA_PRIVKEY_PASS)" \
-		cargo run --bin openmina \
+	cargo run \
+		--bin openmina \
+		--package=cli \
 		--release -- \
 		node \
-		--producer-key $(PRODUCER_KEY) \
+		--producer-key $(PRODUCER_KEY_FILENAME) \
 		$(if $(COINBASE_RECEIVER),--coinbase-receiver $(COINBASE_RECEIVER)) \
 		$(if $(OPENMINA_LIBP2P_EXTERNAL_IP),--libp2p-external-ip $(OPENMINA_LIBP2P_EXTERNAL_IP)) \
 		$(if $(OPENMINA_LIBP2P_PORT),--libp2p-port $(OPENMINA_LIBP2P_PORT)) \
 		--network $(NETWORK)
 
-.PHONY: run-block-producer-devnet
-run-block-producer-devnet: ## Run a block producer node on devnet
-	$(MAKE) run-block-producer NETWORK=devnet
-
-.PHONY: run-block-producer-mainnet
-run-block-producer-mainnet: ## Run a block producer node on mainnet
-	$(MAKE) run-block-producer NETWORK=mainnet
 
 .PHONY: generate-block-producer-key
-generate-block-producer-key: build-release ## Generate a new block producer key pair
+generate-block-producer-key: build-release ## Generate a new block producer key pair (fails if keys exist, use PRODUCER_KEY_FILENAME to customize, MINA_PRIVKEY_PASS for password)
+	@if [ -f "$(PRODUCER_KEY_FILENAME)" ] || [ -f "$(PRODUCER_KEY_FILENAME).pub" ]; then \
+		echo "Error: Producer key already exists at $(PRODUCER_KEY_FILENAME) or public key exists at $(PRODUCER_KEY_FILENAME).pub"; \
+		echo ""; \
+		echo "To generate a key with a different filename, set PRODUCER_KEY_FILENAME:"; \
+		echo "  make generate-block-producer-key PRODUCER_KEY_FILENAME=./path/to/new-key"; \
+		echo ""; \
+		echo "Or remove the existing key first to regenerate it."; \
+		exit 1; \
+	fi
 	@mkdir -p openmina-workdir
-	@echo "Generating new block producer key pair..."
-	@OUTPUT=$$(cargo run --release --package=cli --bin openmina -- misc mina-key-pair); \
-	SECRET_KEY=$$(echo "$$OUTPUT" | grep "secret key:" | cut -d' ' -f3); \
+	@echo "Generating new encrypted block producer key..."
+	@OUTPUT=$$($(if $(MINA_PRIVKEY_PASS),MINA_PRIVKEY_PASS="$(MINA_PRIVKEY_PASS)") cargo run --release --package=cli --bin openmina -- misc mina-encrypted-key --file $(PRODUCER_KEY_FILENAME)); \
 	PUBLIC_KEY=$$(echo "$$OUTPUT" | grep "public key:" | cut -d' ' -f3); \
-	echo "$$SECRET_KEY" > $(PRODUCER_KEY); \
-	chmod 600 $(PRODUCER_KEY); \
+	chmod 600 $(PRODUCER_KEY_FILENAME); \
 	echo ""; \
-	echo "✓ Generated new producer key pair:"; \
-	echo "  Secret key saved to: $(PRODUCER_KEY)"; \
-	echo "  Public key: $$PUBLIC_KEY"; \
+	echo "✓ Generated new encrypted producer key:"; \
+	echo "  Encrypted key saved to: $(PRODUCER_KEY_FILENAME)"; \
+	echo "  Public key: $$PUBLIC_KEY, saved to $(PRODUCER_KEY_FILENAME).pub"; \
 	echo ""; \
-	echo "⚠️  IMPORTANT: Keep your secret key secure and backed up!"
+	echo "⚠️  IMPORTANT: Keep your encrypted key file and password secure and backed up!"
 
 .PHONY: postgres-clean
 postgres-clean: