Skip to content
Python software that receives Tezos baking and endorsement payloads and passes them on to a supported HSM to be signed
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
.idea Debug flask app Jun 13, 2018
src Added support for new testnet chain high watermarks. Feb 17, 2019
test Add attribution to source files Jul 9, 2018
.gitignore Added mutex locking before updating high watermark. Oct 6, 2018
Dockerfile Modified Dockerfile Jun 15, 2018 Updating copyright year. Jan 28, 2019 Documentation. Jul 7, 2018
requirements.txt Fixing the urllib3 vulnerability. May 5, 2019

Tezos Remote Signer

This is a Python Flask app that receives messages from the Tezos baking client and passes them on to a remote HSM to be signed. This software uses the py-hsm module to support PKCS#11 signing operations, which means it should support the following HSMs:

  • Gemalto SafeNet Luna SA-4
  • Gemalto SafeNet Luna SA-5
  • Gemalto SafeNet Luna PCIe K5/K6
  • Gemalto SafeNet Luna CA-4
  • SafeNet ProtectServer PCIe
  • FutureX Vectera Series
  • Cavium LiquidSecurity FIPS PCIe Card
  • Utimaco Security Server Simulator (SMOS Ver.
  • OpenDNSSEC SoftHSM 2.2.0 (softhsm2)

Note that we have only tested it on AWS CloudHSM, which is based on the Cavium LiquidSecurity FIPS PCIe Card.

Security Notes

Please note that this software does not provide any authentication or authorization. You will need to take care of that yourself. It simply returns the signature for valid payloads, after performing some checks:

  • Is the message a valid payload?
  • Does the message begin with a 0x01 or 0x02? Indicating it is a baking or endorsement, rather than a 0x03 transfer.
  • Is the message within a certain threshold of the head of the chain? Ensures you are signing valid blocks.
  • For baking signatures, is the block height of the payload greater than the current block height? This prevents double baking.


Please note that you will need to install and compile your vendor's PKCS#11 C library before the py-hsm module will work.

virtualenv venv
source venv/bin/activate
pip install -r requirements.txt


export HSM_PASSWORD=blah
FLASK_APP=signer flask run

Running the tests

export HSM_PASSWORD=blah
python -m unittest test/


If you would like assistance implementing this in a production/secure environment, with high availability, authentication, and authorization, please contact us at contact -at-

You can’t perform that action at this time.