Remote Signer

A secure, policy-driven signing service for EVM chains. Controls what gets signed through a rule engine, not just who can sign.

Features

  • Policy-Driven Signing -- Whitelist/blocklist rules with Solidity expressions, JS rules, address lists, value limits
  • Multi-Chain Extensible -- EVM today, Solana/Cosmos/Bitcoin ready architecture
  • Manual Approval Workflow -- Slack, Pushover, and webhook notifications for pending approvals
  • Ed25519 API Authentication -- Secure request signing with nonce + timestamp replay protection
  • Dynamic Signer Management -- Create keystores and HD wallets (mnemonic wallets) at runtime via API or TUI
  • Terminal UI (TUI) -- Manage rules, approve requests, create signers from the terminal
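
The "nonce + timestamp replay protection" in the Ed25519 API Authentication feature can be pictured with a small verifier. This is an added example, not code from the remote-signer project: the Request fields, the canonical string layout and the 30-second window are assumptions, and the project's own scheme is described in docs/API.md.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sync"
	"time"
)

const maxSkew = 30 * time.Second // assumed freshness window, not the project's value

// Request uses hypothetical field names, not the project's wire format.
type Request struct {
	KeyID, Method, Path, Nonce string
	Timestamp                  int64 // Unix seconds
	Body, Sig                  []byte
}

func canonical(r Request) []byte { // signed string: binds time, nonce, route and body hash
	return []byte(fmt.Sprintf("%d\n%q\n%q\n%q\n%x", r.Timestamp, r.Nonce, r.Method, r.Path, sha256.Sum256(r.Body)))
}

type Verifier struct {
	Keys map[string]ed25519.PublicKey // registered API keys by id
	seen sync.Map                     // accepted (key id, nonce) pairs; a real store expires them after maxSkew
}

func (v *Verifier) Verify(r Request, now time.Time) error {
	pub, ok := v.Keys[r.KeyID]
	if !ok || !ed25519.Verify(pub, canonical(r), r.Sig) {
		return fmt.Errorf("bad signature")
	}
	if d := now.Sub(time.Unix(r.Timestamp, 0)); d > maxSkew || d < -maxSkew {
		return fmt.Errorf("stale timestamp")
	}
	if _, dup := v.seen.LoadOrStore([2]string{r.KeyID, r.Nonce}, true); dup {
		return fmt.Errorf("nonce reused")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo
	v := &Verifier{Keys: map[string]ed25519.PublicKey{"admin": pub}}
	r := Request{KeyID: "admin", Method: "POST", Path: "/api/v1/evm/sign", Nonce: "n-1", Timestamp: time.Now().Unix()}
	r.Sig = ed25519.Sign(priv, canonical(r))
	fmt.Println(v.Verify(r, time.Now()), "/", v.Verify(r, time.Now()))
}
```

Verify checks the signature and the timestamp before it records the nonce, so unauthenticated or stale traffic cannot fill the nonce store.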

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                         API Layer                                │
│  /api/v1/evm/sign    /api/v1/solana/sign    /api/v1/.../sign   │
└───────────────────────────┬─────────────────────────────────────┘
                            │
┌───────────────────────────▼─────────────────────────────────────┐
│                       Core Layer                                 │
│   SignService  │  RuleEngine  │  StateMachine  │  AuditLogger   │
└───────────────────────────┬─────────────────────────────────────┘
                            │
┌───────────────────────────▼─────────────────────────────────────┐
│                     Chain Adapter Layer                           │
│      EVM Adapter (ethsig)  │  Solana / Cosmos / ... (future)    │
└───────────────────────────┬─────────────────────────────────────┘
                            │
┌───────────────────────────▼─────────────────────────────────────┐
│                      Storage Layer                               │
│              GORM + PostgreSQL / SQLite                           │
└─────────────────────────────────────────────────────────────────┘

Quick Start

One-Line Install (recommended)

bash <(curl -fsSL https://raw.githubusercontent.com/ivanzzeth/remote-signer/main/scripts/setup.sh)

This auto-clones the repo (if needed), installs dependencies, and runs the guided setup.

Or Manual Clone

git clone https://github.com/ivanzzeth/remote-signer.git
cd remote-signer
./scripts/setup.sh

Prerequisites

  • openssl
  • Docker (recommended) or Go 1.24+ (for local mode)

What the Setup Wizard Does

The interactive setup walks through 5 steps:

  1. Deployment mode -- Docker + PostgreSQL (recommended) or Local + SQLite (dev only)
  2. API keys -- Generates admin and dev Ed25519 key pairs
  3. TLS -- HTTP, TLS, or mTLS (Docker defaults to mTLS)
  4. Configuration -- Writes a ready-to-run config file with auto-generated secrets
  5. Next steps -- Start command, health check, how to add signers

After setup:

# Start (Docker mode, recommended)
./scripts/deploy.sh run

# Or start (Local mode)
./scripts/deploy.sh local-run

# Health check (HTTP)
curl http://localhost:8548/health

# Health check (mTLS)
curl --cacert certs/ca.crt --cert certs/client.crt --key certs/client.key https://localhost:8548/health

The server starts with no signers. To add your first signer (import a private key or HD wallet / mnemonic wallet), use the TUI: build it, connect with the admin key, then open the Signers tab to create a keystore or HD wallet. See Adding Signers below.

Manual Setup

If you prefer manual control, see docs/CONFIGURATION.md for the full config reference and use config.example.yaml as a starting point.

Adding Signers

The server starts without signers. Add them after startup:

  • TUI (recommended): Use -api-key-file data/admin_private.pem so you don't need to paste the key. Example (plain HTTP): ./remote-signer-tui -api-key-id admin -api-key-file data/admin_private.pem -url http://localhost:8548. If you enabled TLS during setup, use https:// and pass CA (and for mTLS, client cert/key), e.g. -url https://localhost:8548 -tls-ca ./certs/ca.crt or with mTLS: -tls-ca ./certs/ca.crt -tls-cert ./certs/client.crt -tls-key ./certs/client.key. See docs/TUI.md. After setup (Docker), you can choose "Open TUI to add signers now?" to launch it. In the Signers tab create a keystore (import private key) or create/import an HD wallet. Password requirements (enforced): at least 16 characters, and must include uppercase + lowercase + digit + symbol. 24+ characters recommended.
  • API: POST /api/v1/evm/signers (admin only). See docs/API.md.
  • Config: Edit chains.evm.signers.private_keys in your config file. See docs/CONFIGURATION.md.

Supported Sign Types

| Type | Description |
|------|-------------|
| hash | Sign pre-hashed data (32 bytes) |
| raw_message | Sign raw bytes |
| eip191 | Sign EIP-191 formatted message |
| personal | Sign personal message (\x19Ethereum Signed Message:\n) |
| typed_data | Sign EIP-712 typed data |
| transaction | Sign transaction (Legacy/EIP-2930/EIP-1559) |

Documentation

Getting Started

| Document | Description |
|----------|-------------|
| Use Cases | Treasury, bot, DeFi scenarios |
| Architecture | System design, layers, adapters |

Configure

| Document | Description |
|----------|-------------|
| Configuration Reference | Full config.yaml reference |
| Rules, Templates & Presets | Concepts: rule templates, instances, presets, and examples |
| Rule Syntax Reference | All rule types: address list, value limit, Solidity, JS, message pattern |
| JS Rules (evm_js) | In-process JavaScript rules via Sobek |
| config.example.yaml | Annotated configuration template |

Integrate

| Document | Description |
|----------|-------------|
| API Reference | Complete endpoint docs: authentication, signing, rules, audit |
| Integration Guide | JS/TS client library, MetaMask Snap |

Deploy & Operate

| Document | Description |
|----------|-------------|
| Deployment Guide | Docker, Kubernetes, HA, monitoring, backup |
| TLS / mTLS Guide | Certificate trust model, generation, production best practices |
| TUI Guide | Terminal UI: build, run, key bindings |

Security

| Document | Description |
|----------|-------------|
| Security Overview | Defense-in-depth: 8 layers from network to application |
| Security Review | Findings, priorities, implementation status |

Development

| Document | Description |
|----------|-------------|
| Components | Core interfaces, data types, services |
| Request Flow | 8-step signing flow with state machine |
| Testing Guide | Unit tests, E2E, rule validation, coverage |

Versioning — The version shown in the TUI and /health follows the repository tag (e.g. tag v0.1.1 → version 0.1.1). When you change code under tui/, bump the version in cmd/remote-signer/main.go; the pre-commit hook enforces this.

Roadmap

  • EIP-712 Typed Data Validation
  • Terminal UI (TUI)
  • Go Client SDK
  • JS/TS Client SDK
  • Solidity Rule Coverage Enforcement
  • Solana Chain Support
  • Cosmos Chain Support
  • Bitcoin Chain Support
  • Web UI Dashboard
  • Audit Log Export (S3, Elasticsearch)

License

MIT License

About

Remote signing service written in Go
