npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

forgebox-cli

v1.2.0

Published

CLI tool for ForgeBox

Readme

ForgeBox CLI

ForgeBox CLI is a developer tool for managing ForgeBox devices, generating signing keys, registering device public keys, and producing signed OTA packages.

Features

  • list-devices: Show all connected USB devices.
  • status: Display detailed device information such as firmware version and serial number.
  • keygen: Generate a secp256k1 key pair in PEM format.
  • register: Register a public key on a ForgeBox device with on-device confirmation.
  • sign: Package firmware into a signed OTA image.
  • interactive (alias i): Launch an interactive menu for common workflows.

Installation

Install from npm

# Install globally
npm install -g forgebox-cli

# Verify installation
forgebox --version
forgebox --help

You can also run it without global installation:

npx forgebox-cli --help

Local development

# Install dependencies
npm install

# Compile and register global command locally
npm run dev

After npm run dev, the CLI is linked into your local PATH so you can run forgebox directly during development.

Usage

1. List connected devices

List all currently connected USB devices.

forgebox list-devices

Example output:

Found 1 device(s):

Product                        Manufacturer         Serial               VID     PID     
--------------------------------------------------------------------------------------
ForgeBox                 Keystone             M-KYTJ69ND           0x1209  0x3001  

2. View device status

Display detailed information about the connected device, including the model, serial number, and firmware version.

forgebox status

Example output:

✓ Device Information:
  Model: ForgeBox
  Firmware Version: 12.2.10
  Hardware Version: v2.0
  Serial Number: M-KYTJ69ND

  Protocol Status: Connected

3. Generate a key pair

Generate a secp256k1 public/private key pair.

forgebox keygen

By default, keys are written to ~/.forgebox/keys/:

  • ~/.forgebox/keys/private.pem (mode 0600)
  • ~/.forgebox/keys/pubkey.pem (mode 0644)

The containing directory is created with mode 0700.

Options:

  • -o, --out <directory>: override the output directory.
  • -f, --force: allow writing keys into a git working tree (not recommended — see below).

Examples:

# Default: ~/.forgebox/keys
forgebox keygen

# Custom location outside any repo
forgebox keygen --out ~/secure-storage

Safety:

  • keygen refuses to write into a git working tree. A committed private key is equivalent to publishing it. Pass --force only if you understand the risk, and make sure *.pem is in your .gitignore.
  • Back up both private.pem and pubkey.pem to offline storage before running forgebox register. The device accepts one public-key registration per lifetime — losing the private key means you cannot sign firmware for that device again.
  • Never paste the private key on the command line or into chat tools.

4. Register a public key

Register a public key on the ForgeBox device. For security, the CLI uses the matching private key to generate a proof-of-possession signature.

Option 1: Pass a key directory

The CLI reads pubkey.pem and private.pem from the given directory.

forgebox register ~/.forgebox/keys

Option 2: Pass the key files explicitly

forgebox register --pubkey ~/.forgebox/keys/pubkey.pem --key ~/.forgebox/keys/private.pem

Registration flow:

  1. The CLI verifies that the key pair matches and generates a proof-of-possession signature.
  2. It discovers and connects to the ForgeBox device over USB.
  3. It prints the public key hex in the same display format as the device.
  4. Compare that public key hex with the one shown on the device.
  5. If they match, confirm on the device by swiping.
  6. The device validates the signature and stores the public key.

5. Sign firmware

Convert a firmware binary into a signed OTA package ready for upgrade.

forgebox sign --s <source_firmware_file> --d <signed_file> --key <private_key_pem_file>

Parameters:

  • --s: Path to the source firmware file, such as mh1903_full.bin
  • --d: Path to the output OTA package
  • --key: Path to a private key file in PEM format (required)

Example:

forgebox sign --s ./my-firmware/mh1903_full.bin \
              --d ./my-firmware/forgebox.bin \
              --key ~/.forgebox/keys/private.pem

For security, sign only accepts a PEM private key file path.

What the command does:

  1. Compresses and chunks the firmware according to the OTA format.
  2. Calculates SHA-256 hashes for the compressed data and the original firmware.
  3. Signs the required hash with the private key and writes the signature into the OTA header.
  4. Writes an OTA package that can be used directly for device upgrades.

6. Interactive mode

Launch an interactive menu for the most common operations.

forgebox i
# or
forgebox interactive

Available actions:

  • List Devices: Show connected devices.
  • Get Device Status: Show detailed device information.
  • Generate Key Pair: Generate a key pair interactively.
  • Register Public Key: Register a public key from PEM files.