
[s 2] Learn how to use the tezos signer program with a tcp port or a unix socket

maxtez-raspbaker edited this page May 30, 2019 · 11 revisions

The keys of the various accounts are stored by default in 3 files: public_keys, public_key_hashs and secret_keys, located in the folder ./.tezos-client. The tezos-signer daemon allows remote access to these files, so they do not need to be kept in the default location.

For example, if the keys are stored on a different machine with no internet access, tezos-signer lets the node use those keys after opening a tcp port and establishing a connection between the isolated machine storing the keys and the machine running the tezos node. The keys never leave the isolated machine.

With the unix socket the keys are stored in a different folder on the machine running the node. This folder and the files can be protected in various ways, as it will be shown later.

It is strongly recommended to experiment first on the zeronet network (virtual xtz) before making real changes on the mainnet (real xtz).


tezos-signer with a tcp port

The easiest way to understand how it works is with examples.
In the first example the public key of a user called "tzuser1" is imported from a remote host with a certain IP address. In this test case the remote host is actually the local machine, so the localhost IP address 127.0.0.1 can be used to make the tcp connection on port 22000 (an arbitrary number). The public_keys file is removed from the default location ./.tezos-client and a copy of the file is put in the folder ./.tezos-signer on the "remote machine".
On a text shell type:
./tezos-signer launch socket signer -a 127.0.0.1 -p 22000
and on a different text shell
./tezos-client import public key tzuser1 tcp://127.0.0.1:22000/tz1---pkh--- -f

The flag "-f" at the end is used to force the import command and replace any existing key data. The above command will create a new public_keys file in /home/tzuser/.tezos-client with the following content:

[ { "name": "tzuser1",
"value":
{ "locator":
"tcp://127.0.0.1:22000/tz1----pkh----",
"key": "edpk---public-key---" } } ]

Every time the public key is needed, it will be retrieved from the remote location using the tcp connection with IP 127.0.0.1 and port 22000.

In the second example the secret key of "tzuser1" is imported from the same "remote machine" and the programs tezos-baker-xxx and tezos-endorser-xxx are launched accessing the keys through the tcp port connection. Note that in the new version of tezos the baker and endorser programs have different names on the zeronet and mainnet. On the zeronet they are called tezos-baker-alpha and tezos-endorser-alpha, on the mainnet they are called tezos-baker-004-Pt24m4xi and tezos-endorser-004-Pt24m4xi.
As it was done before with the public_keys file, now the secret_keys file is copied on the "remote machine" in the folder ./.tezos-signer and it is removed from the local machine folder ./.tezos-client. The tezos-signer daemon is launched:
./tezos-signer launch socket signer -a 127.0.0.1 -p 22000
If the secret key is password protected (encrypted), tezos-signer will ask for the password. In a different text shell import the secret key of "tzuser1" by typing:
./tezos-client import secret key tzuser1 tcp://127.0.0.1:22000/tz1-----pkh----- -f

This command will create a secret_keys file in /home/tzuser/.tezos-client with the following content:

[ { "name": "tzuser1",
"value": "tcp://127.0.0.1:22000/tz1-----pkh-----" } ]

Note that the secret_keys file does not contain the data of the secret key, just the information needed to connect to the remote location. The public_keys file in /home/tzuser/.tezos-client will look like this:

[ { "name": "tzuser1",
"value":
{ "locator":
"tcp://127.0.0.1:22000/tz1-----pkh-----",
"key": "edpk---public-key---" } } ]

Now with ./tezos-signer running (and the tezos-node running), in a new text shell launch the baking manager program:
./tezos-baker-xxx -R tcp://127.0.0.1:22000/tz1----pkh---- run with local node /home/tzuser/.tezos-node tzuser1
and the endorsing manager:
./tezos-endorser-xxx -R tcp://127.0.0.1:22000/tz1-----pkh---- run tzuser1

Every time the baker is selected for endorsing/baking, the signature operation is handled by the tezos-signer daemon and the secret key is accessed remotely through the tcp port.


tezos-signer with a unix socket

Here the second example described above is adapted to use a unix socket. In this case there is no remote machine: the key data are stored locally in a different folder (the same ./.tezos-signer as before, but on the local machine). As will be shown in a different wiki page, additional security can be applied to this folder. First copy the secret_keys file into ./.tezos-signer and remove it from ./.tezos-client. Then launch the tezos-signer program using a socket connection:
./tezos-signer launch local signer -s /home/tzuser/.tezos-signer/socket

As in the tcp example, if the secret key is encrypted, the program will ask for the password. Then to import the secret key of "tzuser1", type:
./tezos-client import secret key tzuser1 unix:/home/tzuser/.tezos-signer/socket?pkh=tz1-----pkh----- -f

The secret_keys file in /home/tzuser/.tezos-client now looks like this:

[{ "name": "tzuser1",
"value":
"unix:/home/tzuser/.tezos-signer/socket?pkh=tz1-----pkh----" }]

Note that the secret key is not stored in this file, just the unix socket address. The public_keys file in /home/tzuser/.tezos-client will look like this:

[{ "name": "tzuser1",
"value":
{ "locator":
"unix:/home/tzuser/.tezos-signer/socket?pkh=tz1-----pkh----",
"key": "edpk---public-key---" } }]

Now the baker and endorser managers can be launched using the unix socket:
./tezos-baker-xxx -R unix:/home/tzuser/.tezos-signer/socket?pkh=tz1----pkh---- run with local node /home/tzuser/.tezos-node tzuser1

and in another text shell:
./tezos-endorser-xxx -R unix:/home/tzuser/.tezos-signer/socket?pkh=tz1-----pkh---- run tzuser1

If the endorsement program fails with Error: wrong predecessor, it helps to add the flag --endorsement-delay 5 at the end of the tezos endorser command, e.g. ./tezos-endorser-xxx -R unix:/home/tzuser/.tezos-signer/socket?pkh=tz1----pkh---- run tzuser1 --endorsement-delay 5. The number can be further reduced (I think the default is 10 seconds).

Final remark: every time the tezos-signer program is launched with the unix socket, a socket file is created in the folder ./.tezos-signer. If the program is stopped, the socket file remains and it needs to be deleted before restarting the program.
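Two checks a practitioner would want after following either the tcp or the unix socket setup above: that the secret_keys file on the node machine really holds only signer locators (no key material), and, before restarting the signer, whether the socket file in ./.tezos-signer is live or the stale leftover described in the final remark. This is an added example, not part of the wiki or of tezos-client; the sample file content is constructed from the locator shapes shown on this page, and the "unencrypted:" entry is a constructed example of a key stored locally.

```python
import json
import socket
from urllib.parse import urlparse, parse_qs

# Constructed sample secret_keys content (placeholder pkh values, as on the page).
# The "leaky" entry is constructed to show what a locally stored key looks like.
SECRET_KEYS_SAMPLE = json.dumps([
    {"name": "tzuser1", "value": "tcp://127.0.0.1:22000/tz1-----pkh-----"},
    {"name": "tzuser2", "value": "unix:/home/tzuser/.tezos-signer/socket?pkh=tz1-----pkh2----"},
    {"name": "leaky", "value": "unencrypted:edsk---secret-key---"},
])


def parse_locator(value):
    """Return (scheme, endpoint, pkh) for a tezos-signer locator, or None when
    the value is not a locator (i.e. it carries the secret key itself)."""
    if value.startswith("tcp://"):
        u = urlparse(value)
        # tcp://host:port/<pkh>: the path component is the public key hash
        return ("tcp", (u.hostname, u.port), u.path.lstrip("/"))
    if value.startswith("unix:"):
        # unix:/path/to/socket?pkh=<pkh>
        path, _, query = value[len("unix:"):].partition("?")
        pkh = parse_qs(query).get("pkh", [None])[0]
        return ("unix", path, pkh)
    return None


def audit_secret_keys(text):
    """Classify every secret_keys entry: a remote locator is what we expect on
    the node machine; anything else means a secret key lives there."""
    report = {}
    for entry in json.loads(text):
        loc = parse_locator(entry["value"])
        report[entry["name"]] = loc if loc else "LOCAL-SECRET"
    return report


def unix_socket_is_live(path, timeout=1.0):
    """True if a signer accepts connections on the socket file. A file that is
    present but refuses connections is the stale socket left by a stopped
    signer and must be removed before the signer is restarted."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        return True
    except OSError:
        return False
    finally:
        s.close()
```

Run audit_secret_keys on the real /home/tzuser/.tezos-client/secret_keys and treat any LOCAL-SECRET entry as a sign that the key copy was not removed from the node machine.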

