Skip to main content

Signatory Architecture

Signatory is an excellent solution for secure and reliable remote signing in Tezos Blockchain cases. With easy-to-use configuration options, users can set up vaults and policies to ensure that only authorized operations are signed. Signatory also supports a variety of hardware-based and cloud-based HSMs, such as AWS KMS and YubiHSM, to protect cryptographic keys.

Using Signatory, users can securely store their secret keys and control which operations can be signed, reducing the risk of losing or having their keys stolen. Signatory also allows users to sign transactions on hardware not connected to the internet, providing an additional layer of security.

1. Signatory System Context

The diagram demonstrated the overall high level Signatory system and includes the Signatory user, responsible for setting up the system's configuration, and the client software system, which submits requests to the Tezos API. The diagram also shows various vaults, such as AWS KMS and YubiHSM, which Signatory uses to store cryptographic keys, and the Prometheus service, which pulls and aggregates metrics data.

Defines Vault and Policy
Listens for operations
Remote Signer for
Exposes metric data to
Signatory User Setup
[CONFIG]
Bakers or Institutions looking
to enforce signing policies
Signatory
[Software System]
Provides signing options for
cloud-based or hardware-based HSMs
Client
[Software System]
submits requests to Tezos API
Vaults
[Software Systems]
AWS KMS, Azure Key Vault, GCP Key Management,
YubiHSM, local private key
Prometheus Service
[Software System]
Provides an API to store and track metrics

2. Signatory Container Model

The Signatory container diagram shows the different elements of the Signatory system, including Signatory as the central container, with various supporting software systems surrounding it. These supporting systems include client software for submitting requests to the Tezos API, the Prometheus service for storing metrics data, and various hardware-based and cloud-based HSMs for protecting cryptographic keys. The diagram also shows Signatory's different vaults to store cryptographic keys, such as AWS KMS and YubiHSM.

Cloud
Signatory
Get Post
[HTTP]
configures
[FILE]
Get Post
[HTTP]
Get
[HTTP]
exposes metrics to
[JSON]
governs
[CODE]
informs
[CODE]
sign
[USB]
sign
[JSON]
sign
[USB]
sign
[HTTP]
sign
[HTTP]
sign
[HTTP]
Cloud Service
[AWS]
blockchain infrastructure
Cloud Service
[GOOGLECLOUD]
blockchain infrastructure
Cloud Service
[AZURE]
blockchain infrastructure
HTTP Service
[METRICS LISTENER]
captures metric data
Service
[SIGNATORY SERVICE]
check policy and sign
Configuration File
[File]
select vault, keys and policy
HTTP Service
[SIGNING LISTENER]
captures operation signing requests
Signatory User
[Person]
Baker or Institution operation requests with key security
Client
[Software System]
submits requests to Tezos API
Software Application
[PROMETHEUS]
Record and store metrics data
Hardware Security Module
[YUBIHSM]
protect cryptographic keys
Hardware Wallet
[LEDGER]
stores user's private keys
File
[LOCAL-SECRET]
stores user's private keys on disk

3. Signatory Component Model

A sequence diagram is a way to express the behaviour of the underlying code in a software system. It shows the interactions between different system components over time, highlighting how the system behaves and responds to different inputs. Using a sequence diagram, developers can better understand the flow of data and control within the system and identify potential issues or areas for improvement.

The sequence diagram for the Signatory remote signer application shows the behaviour of the underlying code in the system. It highlights how the different components of the system interact with one another over time, showing the flow of data and control within the system. Using a sequence diagram, developers can better understand how the system behaves and identify potential issues or areas for improvement.

ClientSignatorySignature serviceMetrics serverVaultloopalt[If Found][Else]alt[If signing-key found in key-cache][Else]RootCmd1read config2Register Vaults (Yubikey/Azure/CloudKMS)3Initialize Vault (Yubikey/Azure/CloudKMS)4ServeCmd5Start service6Start service7GET /authorized_keys8Send Authorized keys (Authorised list of clients)9Check the list of configured keys10POST /keys/<account> (Signing key)11Digest string + payload12Show authorized key not found error13continue loop14Return key from cache15GET /public-key16Send public key (PEM format)17Encode secret key into PKH(Public Key Hash)18Request signing operation19Send Error or Signature20Send Error or Signature21ClientSignatorySignature serviceMetrics serverVault

4. Tezos Signing Component Model

Tezos uses elliptic curve cryptography to manage private/public key pairs, sign data, and check signatures. Signing a transaction involves prefixing it with a magic-byte, hashing the operation request, and then signing the resulting byte string with the user's secret key. The signature is then appended to the operation request to create a signed transaction, which can be broadcast to the network for confirmation.

No
operation.kind=transaction
Forge RPC
Yes
operation.kind=reveal
Forge RPC
Serialize
Add
Hash
Send operation.hex
from vault
Send alice_sk.hex
Hash
Injection RPC

../injection/operation?chain=main
--data $(cat operation.hex)$(cat signature.hex)
Transfer operation
[JSON]
Transaction from Alice to Bob
./octez-client -l transfer 1 from alice to bob
Tezos Node
[Infrastructure]
hosts RPC service
First
Transaction?
Reveal operation
[Bytes]
Declare Public Key
Transaction in Binary
[Bytes]
a transfer operation request
Magic Byte
[Bytes]
prefix the request with 0x03
Blake2b Hash
[Bytes]
hash the operation request
Ed25519 Sign
[Bytes]
sign the operation request
Secret Key
[Bytes]
alice_sk.hex
Signatory Signing Listener
[HTTP Service]
captures operation signing requests
Signed Transaction
[Bytes]
signed hashed prefixed operation
signature.hex

Diagram adapted from An Introduction to Tezos RPCs: Signing Operations

Simplified Signing Model

This Mermaid sequence diagram is a simplified depiction of signing a transaction on the Tezos blockchain.

  • The transaction is first forged using the Tezos RPC.
  • The resulting operation hexadecimal is then sent to a remote signer for signing.
  • The remote signer receives the operation and the secret key corresponding to the sender's address (in this case, Alice's).
  • The remote signer signs the transaction and returns the resulting signature hexadecimal.
  • The signed transaction is then sent back to the Tezos RPC for injection into the blockchain.
UserOctez ClientTezos RPCRemote SignerVaultoctez-client -l transfer 1 fromalice to bob0b6b28b6285d1a7146c17dd85fb54b7dc7f68bd7b9a49569ac8f9d6150baa2946c00172d6807f4977e1c67252bdfabbfb37875e31d4f009dbb0180bd3fe0d403c0843d00001be972fc31a358a26ce970e921e357d95d5abe2400030b6b28b6285d1a7146c17dd85fb54b7dc7f68bd7b9a49569ac8f9d6150baa2946c00172d6807f4977e1c67252bdfabbfb37875e31d4f009dbb0180bd3fe0d403c0843d00001be972fc31a358a26ce970e921e357d95d5abe2400bab4df908ea857e3abecc40a49e84b4fdc47121b73af461398fc133715199569b965f666f400c1889915a0c6f1a1092cd96c0814d1bbb765678fcf2c86c5079ae1f3735878f8717c23085985c7aa9536fcc9228f42c5d4b6160c2b52a010970b'http://127.0.0.1:8732/injection/operation?chain=main' --data '"'$(cat operation.hex)$(cat signature.hex)'"'SerializedAdd Magic ByteBlake58 Hashalice.hexsignature.hexoperation.hexSend to RPC for InjectionUserOctez ClientTezos RPCRemote SignerVault