Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Latest commit 361f15b May 5, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
src Update tezos-signer.service Apr 22, 2019 Update Feb 13, 2019 Update May 5, 2019
requirements.txt Update requirements.txt Apr 8, 2019 Update Apr 22, 2019

Tezos Remote Signer

This is a Python app that receives remote-signer protocol formatted messages from the Tezos baking client and passes them on to an MS Azure CloudHSM to be signed. This script will autodetect all signing keys in your keyvault's HSM and will allow for signing from clients by all keys.

Azure Elements

  • Ubuntu 18.04 VM (python3 v 3.6.7) running the tezos code, configured with a system-managed identity
  • Keyvault with HSM-backed P256 key(s)
  • Configure access policies for key to be able to be accessed by the VM's system-managed identity.
  • Configure firewalls for key/secret to only be accessed by the VM's IP.
  • Only EC signing keys should be present in this particular vault, any other keys will cause failures.

Security Notes

This returns the signature for valid payloads, after performing some checks:

  • Is the message a valid payload?
  • Is the message within a certain threshold of the head of the chain? Ensures you are signing valid blocks.
  • Remote hosts can only sign blocks/endorsements. Localhost ( can sign anything.


virtualenv venv
source venv/bin/activate
cd venv
git clone
pip install -r requirements.txt

Configure settings in the script

Python dict called 'config' at top of - set the short hostname of your keyvault here (not full FQDN)


FLASK_APP=signer flask run


nohup python3 -u &

Look in the remote-signer.log file and you will see all the pkhashes of all the keys that were detected from the keyvault. Use tezos-client to import those keys from the python signer.

You can’t perform that action at this time.