diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index a933331..13277f6 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -21,6 +21,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Lint markdown - uses: ConsenSys/docs-gha/lint-markdown@mdlint + uses: ConsenSys/docs-gha/lint-markdown@main with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CONFIG_FILE: ".markdownlint.yaml" \ No newline at end of file diff --git a/.markdownlint.yaml b/.markdownlint.yaml new file mode 100644 index 0000000..96b3426 --- /dev/null +++ b/.markdownlint.yaml 
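Review bot: The new `uses: ConsenSys/docs-gha/lint-markdown@main` line points the step at a mutable branch while the step is handed `GITHUB_TOKEN`, so whatever lands on that branch later runs in this workflow with the token's permissions. Pinning to a full commit SHA with the ref in a trailing comment, e.g. `uses: ConsenSys/docs-gha/lint-markdown@<full-commit-sha>  # main as of <date>`, keeps the executed code reviewable and still lets a dependency bot propose updates. The workflow's `permissions:` block, if there is one, is outside this hunk; if the token is not already restricted, `contents: read` plus whatever the linter needs for annotations would limit what it can do. The file also still ends without a trailing newline after the new `CONFIG_FILE` line.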
@@ -0,0 +1,275 @@
+# Example markdownlint configuration with all properties set to their default value
+
+# Default state for all rules
+default: true
+
+# Path to configuration file to extend
+extends: null
+
+# MD001/heading-increment : Heading levels should only increment by one level at a time : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md001.md
+MD001: false
+
+# MD003/heading-style : Heading style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md003.md
+MD003:
+ # Heading style
+ style: "consistent"
+
+# MD004/ul-style : Unordered list style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md004.md
+MD004:
+ # List style
+ style: "consistent"
+
+# MD005/list-indent : Inconsistent indentation for list items at the same level : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md005.md
+MD005: true
+
+# MD007/ul-indent : Unordered list indentation : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md007.md
+MD007:
+ # Spaces for indent
+ indent: 2
+ # Whether to indent the first level of the list
+ start_indented: false
+ # Spaces for first level indent (when start_indented is set)
+ start_indent: 2
+
+# MD009/no-trailing-spaces : Trailing spaces : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md009.md
+MD009:
+ # Spaces for line break
+ br_spaces: 2
+ # Allow spaces for empty lines in list items
+ list_item_empty_lines: false
+ # Include unnecessary breaks
+ strict: false
+
+# MD010/no-hard-tabs : Hard tabs : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md010.md
+MD010:
+ # Include code blocks
+ code_blocks: true
+ # Fenced code languages to ignore
+ ignore_code_languages: []
+ # Number of spaces for each hard tab
+ spaces_per_tab: 1
+
+# MD011/no-reversed-links : Reversed link syntax : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md011.md
+MD011: true
+
+# MD012/no-multiple-blanks : Multiple consecutive blank lines : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md012.md
+MD012:
+ # Consecutive blank lines
+ maximum: 1
+
+# MD013/line-length : Line length : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md013.md
+MD013:
+ # Number of characters
+ line_length: 200
+ # Number of characters for headings
+ heading_line_length: 100
+ # Number of characters for code blocks
+ code_block_line_length: 200
+ # Include code blocks
+ code_blocks: true
+ # Include tables
+ tables: true
+ # Include headings
+ headings: true
+ # Strict length checking
+ strict: false
+ # Stern length checking
+ stern: false
+
+# MD014/commands-show-output : Dollar signs used before commands without showing output : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md014.md
+MD014: true
+
+# MD018/no-missing-space-atx : No space after hash on atx style heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md018.md
+MD018: true
+
+# MD019/no-multiple-space-atx : Multiple spaces after hash on atx style heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md019.md
+MD019: true
+
+# MD020/no-missing-space-closed-atx : No space inside hashes on closed atx style heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md020.md
+MD020: true
+
+# MD021/no-multiple-space-closed-atx : Multiple spaces inside hashes on closed atx style heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md021.md
+MD021: true
+
+# MD022/blanks-around-headings : Headings should be surrounded by blank lines : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md022.md
+MD022:
+ # Blank lines above heading
+ lines_above: 1
+ # Blank lines below heading
+ lines_below: 1
+
+# MD023/heading-start-left : Headings must start at the beginning of the line : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md023.md
+MD023: true
+
+# MD024/no-duplicate-heading : Multiple headings with the same content : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md024.md
+MD024: false
+ # Only check sibling headings
+ # siblings_only: false
+
+# MD025/single-title/single-h1 : Multiple top-level headings in the same document : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md025.md
+MD025: false
+ # Heading level
+ # level: 3
+ # # RegExp for matching title in front matter
+ # front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD026/no-trailing-punctuation : Trailing punctuation in heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md026.md
+MD026:
+ # Punctuation characters
+ punctuation: ".,;:!。,;:!"
+
+# MD027/no-multiple-space-blockquote : Multiple spaces after blockquote symbol : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md027.md
+MD027: true
+
+# MD028/no-blanks-blockquote : Blank line inside blockquote : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md028.md
+MD028: true
+
+# MD029/ol-prefix : Ordered list item prefix : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md029.md
+MD029:
+ # List style
+ style: "one_or_ordered"
+
+# MD030/list-marker-space : Spaces after list markers : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md030.md
+MD030:
+ # Spaces for single-line unordered list items
+ ul_single: 1
+ # Spaces for single-line ordered list items
+ ol_single: 1
+ # Spaces for multi-line unordered list items
+ ul_multi: 1
+ # Spaces for multi-line ordered list items
+ ol_multi: 1
+
+# MD031/blanks-around-fences : Fenced code blocks should be surrounded by blank lines : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md031.md
+MD031:
+ # Include list items
+ list_items: true
+
+# MD032/blanks-around-lists : Lists should be surrounded by blank lines : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md032.md
+MD032: true
+
+# MD033/no-inline-html : Inline HTML : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md033.md
+MD033: false
+ # Allowed elements
+ # allowed_elements: []
+
+# MD034/no-bare-urls : Bare URL used : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md034.md
+MD034: true
+
+# MD035/hr-style : Horizontal rule style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md035.md
+MD035:
+ # Horizontal rule style
+ style: "consistent"
+
+# MD036/no-emphasis-as-heading : Emphasis used instead of a heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md036.md
+MD036:
+ # Punctuation characters
+ punctuation: ".,;:!?。,;:!?"
+
+# MD037/no-space-in-emphasis : Spaces inside emphasis markers : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md037.md
+MD037: true
+
+# MD038/no-space-in-code : Spaces inside code span elements : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md038.md
+MD038: true
+
+# MD039/no-space-in-links : Spaces inside link text : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md039.md
+MD039: true
+
+# MD040/fenced-code-language : Fenced code blocks should have a language specified : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md040.md
+MD040:
+ # List of languages
+ allowed_languages: []
+ # Require language only
+ language_only: false
+
+# MD041/first-line-heading/first-line-h1 : First line in a file should be a top-level heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md041.md
+MD041: false
+ # Heading level
+ # level: 2
+ # RegExp for matching title in front matter
+ # front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD042/no-empty-links : No empty links : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md042.md
+MD042: true
+
+# MD043/required-headings : Required heading structure : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md043.md
+MD043: false
+ # List of headings
+ # headings: []
+ # Match case of headings
+ # match_case: false
+
+# MD044/proper-names : Proper names should have the correct capitalization : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md044.md
+MD044:
+ # List of proper names
+ names: []
+ # Include code blocks
+ code_blocks: true
+ # Include HTML elements
+ html_elements: true
+
+# MD045/no-alt-text : Images should have alternate text (alt text) : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md045.md
+MD045: true
+
+# MD046/code-block-style : Code block style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md046.md
+MD046:
+ # Block style
+ style: "consistent"
+
+# MD047/single-trailing-newline : Files should end with a single newline character : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md047.md
+MD047: true
+
+# MD048/code-fence-style : Code fence style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md048.md
+MD048:
+ # Code fence style
+ style: "consistent"
+
+# MD049/emphasis-style : Emphasis style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md049.md
+MD049:
+ # Emphasis style
+ style: "consistent"
+
+# MD050/strong-style : Strong style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md050.md
+MD050:
+ # Strong style
+ style: "consistent"
+
+# MD051/link-fragments : Link fragments should be valid : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md051.md
+MD051: false
+
+# MD052/reference-links-images : Reference links and images should use a label that is defined : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md052.md
+MD052:
+ # Include shortcut syntax
+ shortcut_syntax: false
+
+# MD053/link-image-reference-definitions : Link and image reference definitions should be needed : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md053.md
+MD053:
+ # Ignored definitions
+ ignored_definitions:
+ - "//"
+
+# MD054/link-image-style : Link and image style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md054.md
+MD054:
+ # Allow autolinks
+ autolink: true
+ # Allow inline links and images
+ inline: true
+ # Allow full reference links and images
+ full: true
+ # Allow collapsed reference links and images
+ collapsed: true
+ # Allow shortcut reference links and images
+ shortcut: true
+ # Allow URLs as inline links
+ url_inline: true
+
+# MD055/table-pipe-style : Table pipe style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md055.md
+MD055:
+ # Table pipe style
+ style: "consistent"
+
+# MD056/table-column-count : Table column count : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md056.md
+MD056: true
+
+# MD058/blanks-around-tables : Tables should be surrounded by blank lines : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md058.md
+MD058: true
\ No newline at end of file
diff --git a/docs/concepts/architecture.md b/docs/concepts/architecture.md
index efd5000..ed66311 100644
--- a/docs/concepts/architecture.md
+++ b/docs/concepts/architecture.md
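Review bot: The header comment `# Example markdownlint configuration with all properties set to their default value` does not match the file: `MD001`, `MD024`, `MD025`, `MD033`, `MD041`, `MD043` and `MD051` are switched off and `MD013` sets `line_length: 200`, so a reader cannot tell which values are deliberate project choices. I would replace it with something like `# Project markdownlint rules, derived from the markdownlint v0.35.0 example config; values that differ from upstream defaults are intentional` and add a short why-comment on each disabled rule. The commented-out option lines left under the `false` rules (for example `# siblings_only: false` under `MD024`) are dead text and could be dropped. The file is also committed without a trailing newline.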
@@ -3,25 +3,26 @@ description: Learn more about Web3Signer's architecture. sidebar_position: 1 --- -# Architecture +# Architecture Web3Signer is a remote signing client comprised of three main components: - Remote signer - Slashing database -- APIs +- APIs ## The remote signer -The remote signer [loads private keys](../how-to/load-keys.md) into memory and responds to signature requests. -If you are using an [HSM](../how-to/store-keys/hsm/_category_.json) or a [vault](../how-to/store-keys/vaults/_category_.json) for execution layer signing, the keys stay at rest. +The remote signer [loads private keys](../how-to/load-keys.md) into memory and responds to signature requests. +If you are using an [HSM](../how-to/store-keys/hsm/_category_.json) or a [vault](../how-to/store-keys/vaults/_category_.json) for execution layer signing, the keys stay at rest. This component communicates with the slashing database, the APIs, and the keystore (if used), to coordinate remote signing. ## The slashing database -The [slashing database](./slashing-protection.md) is a Postgres database that tracks which keys have signed messages. +The [slashing database](./slashing-protection.md) is a Postgres database that tracks which keys have signed messages. Database locking ensures that when multiple Web3Signer instances load the same keys, only one instance is permitted to sign. ## The APIs -Web3Signer supports REST and [JSON-RPC APIs](../reference/api/_category_.json) to sign consensus layer and execution layer payloads respectively. These connections should be carefully secured. Web3Signer offers [TLS communication](../how-to/configure-tls.md). +Web3Signer supports REST and [JSON-RPC APIs](../reference/api/_category_.json) to sign consensus layer and execution layer payloads +respectively. These connections should be carefully secured. Web3Signer offers [TLS communication](../how-to/configure-tls.md). 
diff --git a/docs/get-started/install-binaries.md b/docs/get-started/install-binaries.md index 1abfb65..d3e32dd 100644 --- a/docs/get-started/install-binaries.md +++ b/docs/get-started/install-binaries.md @@ -4,11 +4,11 @@ description: Install Web3Signer from a binary distribution. sidebar_position: 1 --- +# Install binary distribution + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Install binary distribution - ## Prerequisites - [Java JDK](https://jdk.java.net/) diff --git a/docs/get-started/key-best-practices.md b/docs/get-started/key-best-practices.md index f710160..7975ac8 100644 --- a/docs/get-started/key-best-practices.md +++ b/docs/get-started/key-best-practices.md @@ -5,8 +5,8 @@ sidebar_position: 5 # Private key management best practices -Web3Signer manages validator keys for Ethereum 2.0 staking. -This document outlines best practices for key generation, storage, access control, and system security when using Web3Signer. +Web3Signer manages validator keys for Ethereum 2.0 staking. +This document outlines best practices for key generation, storage, access control, and system security when using Web3Signer. The following guidelines help protect your staked assets and supports Ethereum network integrity. ## Generate secure BLS keys diff --git a/docs/get-started/start-web3signer.md b/docs/get-started/start-web3signer.md index 4bba6f7..26a5453 100644 --- a/docs/get-started/start-web3signer.md +++ b/docs/get-started/start-web3signer.md @@ -4,11 +4,11 @@ description: Start Web3Signer. sidebar_position: 4 --- +# Start Web3Signer + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Start Web3Signer - :::note This documentation has been updated in line with the name changes [recommended by the Ethereum Foundation](https://blog.ethereum.org/2022/01/24/the-great-eth2-renaming/). 
@@ -114,4 +114,4 @@ Web3Signer by default also performs a health check on the [subcommand]: ../reference/cli/subcommands.md [bulk load signing keys]: ../how-to/load-keys.md#bulk-load-keys [slashing protection]: ../concepts/slashing-protection.md -[slashing protection database]: ../how-to/configure-slashing-protection.md \ No newline at end of file +[slashing protection database]: ../how-to/configure-slashing-protection.md diff --git a/docs/how-to/configure-slashing-protection.md b/docs/how-to/configure-slashing-protection.md index 83d99a6..1be12a1 100644 --- a/docs/how-to/configure-slashing-protection.md +++ b/docs/how-to/configure-slashing-protection.md @@ -4,11 +4,11 @@ description: Configure consensus layer slashing protection. sidebar_position: 6 --- +# Configure consensus layer slashing protection + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Configure consensus layer slashing protection - Configure [slashing protection] to prevent consensus layer validators from being penalized for signing conflicting blocks or attestations. @@ -74,14 +74,18 @@ Use the [Flyway] migration tool to automatically load them in order. ```bash -flyway migrate -url="jdbc:postgresql://localhost/web3signer" -locations="filesystem:/Users/me/web3signer-0.2.1-SNAPSHOT/migrations/postgresql" +flyway migrate -url="jdbc:postgresql://localhost/web3signer" \ +-locations="filesystem:/Users/me/web3signer-0.2.1-SNAPSHOT/migrations/postgresql" ``` + ```bash -psql --echo-all --host=localhost --port=5432 --dbname=web3signer --username=postgres -f /Users/me/web3signer-0.2.1-SNAPSHOT/migrations/postgresql/postgresql/V1__initial.sql +psql --echo-all --host=localhost --port=5432 --dbname=web3signer --username=postgres \ +-f /Users/me/web3signer-0.2.1-SNAPSHOT/migrations/postgresql/postgresql/V1__initial.sql ``` + 
@@ -95,7 +99,9 @@ If using the PostgreSQL command line inside a docker container, ensure you mount Start Web3Signer and specify the PostgreSQL connection options. ```bash -web3signer --key-store-path=/Users/me/keys eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password --slashing-protection-pruning-enabled=true +web3signer --key-store-path=/Users/me/keys eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" \ +--slashing-protection-db-username=postgres --slashing-protection-db-password=password \ +--slashing-protection-pruning-enabled=true ``` :::note @@ -121,13 +127,17 @@ Use the [`eth2 import`](../reference/cli/subcommands.md#eth2-import) and To import a slashing protection database file into the Postgres database, run: ```bash -web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password import --from=/Users/me/my_node/interchange.json +web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" \ +--slashing-protection-db-username=postgres \ +--slashing-protection-db-password=password import --from=/Users/me/my_node/interchange.json ``` To export the Postgres database to a file run: ```bash -web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password export --to=/Users/me/my_node/interchange.json +web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" \ +--slashing-protection-db-username=postgres \ +--slashing-protection-db-password=password export --to=/Users/me/my_node/interchange.json ``` You must supply the Postgres database connection details when importing or exporting the slashing 
@@ -150,7 +160,10 @@ You can include additional optional pruning configuration options. For example, run: ```bash -web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password --slashing-protection-pruning-enabled=true --slashing-protection-pruning-at-boot-enabled=true --slashing-protection-pruning-epochs-to-keep=5000 --slashing-protection-pruning-interval=18 +web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" \ +--slashing-protection-db-username=postgres --slashing-protection-db-password=password \ +--slashing-protection-pruning-enabled=true --slashing-protection-pruning-at-boot-enabled=true \ +--slashing-protection-pruning-epochs-to-keep=5000 --slashing-protection-pruning-interval=18 ``` :::caution Warning diff --git a/docs/how-to/configure-tls.md b/docs/how-to/configure-tls.md index b97509b..f1729ff 100644 --- a/docs/how-to/configure-tls.md +++ b/docs/how-to/configure-tls.md @@ -45,7 +45,7 @@ The file contents use the format ` ` where: - `` is the Common Name used for the client's keystore - `` is the SHA-256 fingerprint of the client's keystore. -``` +```bash curl_client DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50 ``` @@ -54,7 +54,7 @@ You can use [OpenSSL](https://www.openssl.org/) or client's Common Name and fingerprint. For example: -``` +```bash keytool -list -v -keystore -storetype PKCS12 -storepass ``` @@ -110,7 +110,7 @@ The file contents use the format `: ` where: - `` is the port used for communication - `` is the SHA-256 fingerprint of the server's certificate. -``` +```bash localhost:8590 6C:B2:3E:F9:88:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB 127.0.0.1:8590 6C:B2:3E:F9:88:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB ``` 
@@ -122,7 +122,10 @@ Specify both hostname and IP address in the file if unsure which is used in requ ### Start Web3Signer ```bash -web3signer eth1 --downstream-http-tls-enabled --downstream-http-tls-keystore-file=/Users/me/my_node/keystore.pfx --downstream-http-tls-keystore-password-file=/Users/me/my_node/keyPassword --downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers +web3signer eth1 --downstream-http-tls-enabled \ +--downstream-http-tls-keystore-file=/Users/me/my_node/keystore.pfx \ +--downstream-http-tls-keystore-password-file=/Users/me/my_node/keyPassword \ +--downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers ``` The command line: diff --git a/docs/how-to/load-keys.md b/docs/how-to/load-keys.md index 6d7ace9..82f7f63 100644 --- a/docs/how-to/load-keys.md +++ b/docs/how-to/load-keys.md 
@@ -3,24 +3,25 @@ title: Load signing keys description: Load BLS12-381 and secp256k1 signing keys. sidebar_position: 3 --- -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; # Load signing keys -Load signing keys using a [key configuration file], or bulk load using the [`eth1` and `eth2` subcommands]. -Web3Signer supports loading keys with the following methods: +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + +Load signing keys using a [key configuration file], or bulk load using the [`eth1` and `eth2` subcommands]. +Web3Signer supports loading keys with the following methods: -| Key storage | Key configuration file | Bulk load with `eth1` | Bulk load with `eth2` | +| Key storage | Key configuration file | Bulk load with `eth1` | Bulk load with `eth2` | |--------------------------------------|:----------------------:|:---------------------:|:---------------------:| -| [Keystore files] | x | x | x | -| **Vaults** | -| [Hashicorp Vault] | x | | | -| [Azure Key Vault] | x | x | x | -| [AWS Secrets Manager] | x | | x | -| [AWS KMS] | x | x | | -| [GCP Secret Manager] | | | x | -| **Hardware Security Modules (HSMs)** | +| [Keystore files] | x | x | x | +| **Vaults** | | | | +| [Hashicorp Vault] | x | | | +| [Azure Key Vault] | x | x | x | +| [AWS Secrets Manager] | x | | x | +| [AWS KMS] | x | x | | +| [GCP Secret Manager] | | | x | +| **Hardware Security Modules (HSMs)** | | | | | [USB Armory Mk II] | x | | | | [YubiHSM 2] | x | | | 
@@ -53,10 +54,12 @@ You can bulk load keys that are stored in Azure Key Vault using the Web3Signer [`eth2` subcommand options](../reference/cli/subcommands.md#eth2). For `eth1` bulk loading, Web3Signer creates Azure keys connections in bulk mode. The Azure keys -connections are used to perform remote signing using SECP keys. Web3Signer does not download the private keys for `eth1` bulk loading with Azure. +connections are used to perform remote signing using SECP keys. Web3Signer does not download the private keys +for `eth1` bulk loading with Azure. For `eth2` bulk loading, Web3Signer bulk loads the BLS keys from Azure Secrets. The bulk loading -mode supports loading multiple consensus layer keys from the same Azure secret, if keys are stored with a line terminating character such as `\n`. +mode supports loading multiple consensus layer keys from the same Azure secret, if keys are stored with a line +terminating character such as `\n`. This saves cost when dealing with a large number of keys. Up to 200 keys can be stored under a secret name. @@ -105,7 +108,7 @@ web3signer eth2 --aws-secrets-enabled=true --aws-secrets-access-key-id=AKIA...EX You can bulk load execution layer keys that are stored in the AWS Key Management Service (KMS) using the Web3Signer [`eth1` subcommand options](../reference/cli/subcommands.md#eth1). -```bash +```bash web3signer eth1 --aws-kms-enabled=true --aws-kms-access-key-id=AKIA...EXAMPLE \ --aws-kms-secret-access-key=sk...EXAMPLE \ --aws-secrets-region=us-east-2 
@@ -113,10 +116,10 @@ web3signer eth1 --aws-kms-enabled=true --aws-kms-access-key-id=AKIA...EXAMPLE \ ### GCP Secret Manager -You can bulk load consensus layer keys that are stored in the GCP Secret Manager using -the Web3Signer [`eth2` subcommand options](../reference/cli/subcommands.md#eth2). +You can bulk load consensus layer keys that are stored in the GCP Secret Manager using +the Web3Signer [`eth2` subcommand options](../reference/cli/subcommands.md#eth2). -```bash +```bash web3signer eth2 --gcp-secrets-enabled=true --gcp-project-id=AKIA...EXAMPLE ``` @@ -152,14 +155,12 @@ keystore passwords. [key configuration file]: ../reference/key-config-file-params.md -[Creating a key configuration file]: #use-key-configuration-files [`eth1` and `eth2` subcommands]: ../reference/cli/subcommands.md [Azure Key Vault]: #azure-key-vault [AWS Secrets Manager]: #aws-secrets-manager [keystore files]: #keystore-files [AWS KMS]: #aws-key-management-service [GCP Secret Manager]: #gcp-secret-manager -[keystore files]: #keystore-files [Hashicorp Vault]: #use-key-configuration-files [USB Armory Mk II]: #use-key-configuration-files -[YubiHSM 2]: #use-key-configuration-files \ No newline at end of file +[YubiHSM 2]: #use-key-configuration-files diff --git a/docs/how-to/manage-keys.md b/docs/how-to/manage-keys.md index 52dd76a..b66e8f8 100644 --- a/docs/how-to/manage-keys.md +++ b/docs/how-to/manage-keys.md @@ -3,11 +3,12 @@ title: Manage consensus layer signing keys description: Manage consensus layer signing keys. sidebar_position: 4 --- -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; ## Reload new keys +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + If you add new keys to an existing set of validators, or modify the key configuration files, reload the keys to ensure Web3Signer registers the new or modified keys. Use the [`reload`](https://consensys.github.io/web3signer/web3signer-eth2.html#tag/Reload-Signer-Keys) 
@@ -139,4 +140,4 @@ curl -X DELETE http://localhost:9000/eth/v1/keystores --data '{"pubkeys": ["0x93 ``` - \ No newline at end of file + diff --git a/docs/how-to/monitor/metrics.md b/docs/how-to/monitor/metrics.md index dadabd6..d46f527 100644 --- a/docs/how-to/monitor/metrics.md +++ b/docs/how-to/monitor/metrics.md @@ -64,11 +64,16 @@ To configure Prometheus and run with Web3Signer: ## Run Prometheus with Web3Signer in push mode -The [`--metrics-enabled`](../../reference/cli/options.md#metrics-enabled) option enables Prometheus polling of Besu, but sometimes metrics are hard to poll (for example, when running inside Docker containers with varying IP addresses). To enable Besu to push metrics to a [Prometheus push gateway](https://github.com/prometheus/pushgateway), use the [`--metrics-push-enabled`](../../reference/cli/options.md#metrics-push-enabled) option. +The [`--metrics-enabled`](../../reference/cli/options.md#metrics-enabled) option enables Prometheus +polling of Besu, but sometimes metrics are hard to poll (for example, when running inside Docker +containers with varying IP addresses). To enable Besu to push metrics to a +[Prometheus push gateway](https://github.com/prometheus/pushgateway), use +the [`--metrics-push-enabled`](../../reference/cli/options.md#metrics-push-enabled) option. To configure Prometheus and run with Web3Signer pushing to a push gateway: -1. Configure Prometheus to read from a push gateway. For example, add the following YAML fragment to the `scrape_configs` block of the `prometheus.yml` file: +1. Configure Prometheus to read from a push gateway. For example, add the following YAML fragment to +the `scrape_configs` block of the `prometheus.yml` file: ```yml - job_name: push-gateway 
@@ -79,25 +84,25 @@ To configure Prometheus and run with Web3Signer pushing to a push gateway: - localhost:9091 ``` -1. Start the push gateway. You can deploy the push gateway using the Docker image: +1. Start the push gateway. You can deploy the push gateway using the Docker image: ```bash docker pull prom/pushgateway docker run -d -p 9091:9091 prom/pushgateway ``` -1. Start Web3Signer specifying options: - * [`--metrics-push-enabled`](../../reference/cli/options.md#metrics-push-enabled) +1. Start Web3Signer specifying options: + * [`--metrics-push-enabled`](../../reference/cli/options.md#metrics-push-enabled) * [`--metrics-push-port`](../../reference/cli/options.md#metrics-push-enabled) * [`--metrics-push-host`](../../reference/cli/options.md#metrics-push-host) -1. In another terminal, run Prometheus specifying the `prometheus.yml` file: +1. In another terminal, run Prometheus specifying the `prometheus.yml` file: ```bash prometheus --config.file=prometheus.yml ``` -1. View the [Prometheus graphical interface](#view-prometheus-graphical-interface). +1. View the [Prometheus graphical interface](#view-prometheus-graphical-interface). ## View Prometheus graphical interface diff --git a/docs/how-to/run-at-scale.md b/docs/how-to/run-at-scale.md index 417f97f..efce476 100644 --- a/docs/how-to/run-at-scale.md +++ b/docs/how-to/run-at-scale.md 
@@ -4,34 +4,43 @@ description: Configure your instance for better performance at scale. sidebar_position: 8 --- +# Run Web3Signer at scale + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Run Web3Signer at scale - -When running Web3Signer at scale with hundreds or thousands of keys, several factors affect attestation performance on validators. -Horizontal scaling reduces request latency on Web3Signer. To maintain low signing latency and high safety, connect multiple Web3Signer instances to the same slashing database. +When running Web3Signer at scale with hundreds or thousands of keys, several factors affect attestation +performance on validators. Horizontal scaling reduces request latency on Web3Signer. To maintain low +signing latency and high safety, connect multiple Web3Signer instances to the same slashing database. -The primary performance cost occurs during startup. More keys increase Web3Signer's startup time, representing a one-time cost per restart. +The primary performance cost occurs during startup. More keys increase Web3Signer's startup time, representing +a one-time cost per restart. -When configuring your environment, consider the startup delay, the number of keys managed, and available system resources. +When configuring your environment, consider the startup delay, the number of keys managed, and available system +resources. -Balancing these factors optimizes system performance and responsiveness. Regular monitoring and tuning are necessary as the number of managed keys grows or network conditions change. +Balancing these factors optimizes system performance and responsiveness. Regular monitoring and tuning +are necessary as the number of managed keys grows or network conditions change. ## Database proximity -The [slashing database](./configure-slashing-protection.md) ensures the safe management of multiple validators. Optimizing the slashing database reduces latency and overhead, improving overall system performance. 
+The [slashing database](./configure-slashing-protection.md) ensures the safe management of multiple +validators. Optimizing the slashing database reduces latency and overhead, improving overall system performance. - **Reduced geographic latency**: Strategically place Web3Signer instances to ensure minimal distance to the slashing protection database. - **Performance tuning**: Optimize database configurations for rapid access, considering factors such as indexing and connection pooling. ## Threading model optimization -Web3Signer uses [Vertx](https://vertx.io/docs/vertx-core/java/) as its threading framework. While powerful, Vertx requires proper configuration for optimal performance in different environments. If you encounter request latency or blocked threads, adjust the [worker pool size](../reference/cli/options.md#vertx-worker-pool-size). +Web3Signer uses [Vertx](https://vertx.io/docs/vertx-core/java/) as its threading framework. While powerful, +Vertx requires proper configuration for optimal performance in different environments. If you encounter +request latency or blocked threads, adjust the [worker pool size](../reference/cli/options.md#vertx-worker-pool-size). -To manage concurrency, tailor Web3Signer's thread pool size to your expected load. Increase the pool size if you observe decreased attestation performance during peak signing loads. +To manage concurrency, tailor Web3Signer's thread pool size to your expected load. Increase the pool +size if you observe decreased attestation performance during peak signing loads. -You can implement monitoring tools for dynamic thread adjustments based on current demand and workload. Measure spikes and adjust the pool accordingly. +You can implement monitoring tools for dynamic thread adjustments based on current demand and workload. +Measure spikes and adjust the pool accordingly. You can use the following [metrics](./monitor/metrics.md): 
@@ -40,20 +49,25 @@ You can use the following [metrics](./monitor/metrics.md): ## Load balancing -At scale, deploy multiple Web3Signer instances behind a load balancer. This setup ensures balanced request distribution. -Use an ingress load balancer to spread requests evenly across instances. This prevents overloading of single instances. -Connect all Web3Signer instances to the same slashing database. This allows parallel signing without slashing risk. +At scale, deploy multiple Web3Signer instances behind a load balancer. This setup ensures balanced +request distribution. Use an ingress load balancer to spread requests evenly across instances. This +prevents overloading of single instances. Connect all Web3Signer instances to the same slashing database. +This allows parallel signing without slashing risk. -For more information, see the [Kiln article](https://www.kiln.fi/post/learnings-from-running-web3signer-at-scale-on-holesky) on running Web3Signer at scale. +For more information, see +the [Kiln article](https://www.kiln.fi/post/learnings-from-running-web3signer-at-scale-on-holesky) on +running Web3Signer at scale. ## Hardware recommendations -The Web3Signer team runs nodes managing 10,000 keys on various testnets. For example, a single Azure Standard D8as v5 VM (8 vCPUs, 32 GiB memory) can host Besu, Teku, and Web3Signer simultaneously. +The Web3Signer team runs nodes managing 10,000 keys on various testnets. For example, a single Azure +Standard D8as v5 VM (8 vCPUs, 32 GiB memory) can host Besu, Teku, and Web3Signer simultaneously. Your specific use case might require less powerful hardware. ![Dashboard for Web3Signer](../../static/img/dashboard_hw.png) Web3Signer consumes less than 2 GB of JVM heap while managing 10,000 keys in this setup. -The test configuration connects one validator client to Web3Signer. Using multiple validator clients might change resource requirements. 
-Distributing the same 10,000 keys across multiple clients maintains the total number of requests to Web3Signer. +The test configuration connects one validator client to Web3Signer. Using multiple validator +clients might change resource requirements. Distributing the same 10,000 keys across multiple clients +maintains the total number of requests to Web3Signer. diff --git a/docs/how-to/store-keys/hsm/usb-armory.md b/docs/how-to/store-keys/hsm/usb-armory.md index 27c0b4e..2e57d4f 100644 --- a/docs/how-to/store-keys/hsm/usb-armory.md +++ b/docs/how-to/store-keys/hsm/usb-armory.md @@ -49,7 +49,9 @@ Alternatively you can manually create the file and add the certificate details i ```bash 10.0.0.1:443 DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50 ``` -After storing keys, [load keys into Web3Signer using a key configuration file](../../load-keys.md#use-key-configuration-files). + +After storing keys, +[load keys into Web3Signer using a key configuration file](../../load-keys.md#use-key-configuration-files). diff --git a/docs/how-to/store-keys/hsm/yubihsm2.md b/docs/how-to/store-keys/hsm/yubihsm2.md index 375d3c2..40576ca 100644 --- a/docs/how-to/store-keys/hsm/yubihsm2.md +++ b/docs/how-to/store-keys/hsm/yubihsm2.md 
@@ -4,24 +4,24 @@ description: Configure Web3Signer to use a YubiHSM 2 device. sidebar_position: 1 --- +# Use Web3Signer with YubiHSM 2 + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Use Web3Signer with YubiHSM 2 - -Web3Signer can sign payloads using private keys stored in the [YubiHSM 2 hardware security module]. Web3Signer -supports using the device as a secure key storage only. +Web3Signer can sign payloads using private keys stored in the [YubiHSM 2 hardware security module]. +Web3Signer supports using the device as a secure key storage only. ## Prerequisites Install the [YubiHSM 2 SDK] on the Web3Signer machine. -## Store private keys in YubiHSM 2 +## Store private keys in YubiHSM 2 [Store private keys in the device] using the `opaque-data` algorithm in `hex` format. All private keys on the device must be accessible using the same authentication key ID and password. -The following steps show an example of storing a key in YubiHSM: +The following steps show an example of storing a key in YubiHSM: 1. Store a private key in YubiHSM with `object-id=3` and `new-password=password3`, using the YubiHSM default credentials of `authkey=1` and `password=password`: @@ -44,20 +44,20 @@ The following steps show an example of storing a key in YubiHSM: - + ```bash Created session 0 Stored Authentication key 0x0003 ``` - + -2. Put the opaque data using `authkey=3` with the opaque `object-ID=15`: +2. Put the opaque data using `authkey=3` with the opaque `object-ID=15`: - + ```bash yubihsm-shell \ --connector=yhusb:// \ @@ -71,20 +71,20 @@ The following steps show an example of storing a key in YubiHSM: --capabilities=none \ --informat=hex --in=5e8d5667ce78982a07242739ab03dc63c91e830c80a5b6adca777e3f216a405d ``` - + - + ```bash Session keepalive set up to run every 15 seconds Created session 0 Stored 32 bytes to Opaque object 0x000f ``` - + -3. Use `authkey=1` to view the inserted data: +3. Use `authkey=1` to view the inserted data: 
@@ -113,37 +113,39 @@ The following steps show an example of storing a key in YubiHSM: 4. Identify the location of the `yubihsm_pkcs11` dynamic library. For example, on Mac, it is installed at `/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib` using the - latest YubiHSM release. + latest YubiHSM release. - :::info Note for Mac only + :::info Note for Mac only Due to a bug in how the YubiHSM libraries are generated, copy the file to the parent directory (`/usr/local/lib`): - ```bash + ```bash sudo cp /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib /usr/local/lib/ ``` - Create a soft link in the directory from where Web3Signer is running: + Create a soft link in the directory from where Web3Signer is running: + ```bash ln -s /usr/local/lib/libyubihsm_usb.2.dylib ./libyubihsm_usb.2.dylib ``` + ::: 5. Create a [key configuration file for YubiHSM](../../../reference/key-config-file-params.md#yubihsm-2) - in the `keys` subdirectory. + in the `keys` subdirectory. ```bash - type: yubihsm - connectorUrl: yhusb:// - authId: 3 - password: password3 - opaqueDataId: 15 + type: yubihsm + connectorUrl: yhusb:// + authId: 3 + password: password3 + opaqueDataId: 15 pkcs11ModulePath: /usr/local/lib/yubihsm_pkcs11.dylib additionalInitConfig: debug libdebug timeout=5 ``` -6. Specify the `key-store-path` as the `keys` subdirectory when starting Web3Signer. +6. Specify the `key-store-path` as the `keys` subdirectory when starting Web3Signer. - The output displayed indicates one key has been loaded: + The output displayed indicates one key has been loaded: ```bash 2023-10-04 15:30:27.761+10:00 | pool-2-thread-1 | INFO | SignerLoader | Converting signing metadata to Artifact Signer using parallel streams ... 
@@ -156,7 +158,7 @@ The following steps show an example of storing a key in YubiHSM: 2023-10-04 15:30:28.176+10:00 | pool-2-thread-1 | INFO | DefaultArtifactSignerProvider | Total signers (keys) currently loaded in memory: 1 ``` -## PKCS#11 driver +## PKCS#11 driver To communicate with the YubiHSM 2 device, Web3Signer uses the PKCS#11 driver to load the [PKCS#11 module] in the SDK. @@ -177,8 +179,5 @@ password must be specified in the [key configuration files] for a given device. [YubiHSM 2 hardware security module]: https://developers.yubico.com/YubiHSM2/ [Store private keys in the device]: https://developers.yubico.com/YubiHSM2/Commands/Put_Opaque.html [YubiHSM 2 SDK]: https://developers.yubico.com/YubiHSM2/Releases/ -[Opaque Data algorithm]: https://developers.yubico.com/YubiHSM2/Concepts/Algorithms.html -[Configure a signing key configuration file]: ../../load-keys.md#use-key-configuration-files -[YubiHSM connector]: https://developers.yubico.com/yubihsm-connector/ [PKCS#11 module]: https://developers.yubico.com/YubiHSM2/Component_Reference/PKCS_11/ [key configuration files]: ../../../reference/key-config-file-params.md#yubihsm-2 diff --git a/docs/how-to/store-keys/index.md b/docs/how-to/store-keys/index.md index f71ed61..bb02a53 100644 --- a/docs/how-to/store-keys/index.md +++ b/docs/how-to/store-keys/index.md 
@@ -4,28 +4,29 @@ description: Store BLS12-381 and secp256k1 signing keys in Web3Signer. sidebar_position: 2 keywords: [Hashicorp Vault, Azure Key Vault, AWS Secrets Manager, GCP Secret Manager, YubiHSM, USB Armory Mk II] --- -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; # Store signing keys +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + Web3Signer supports BLS12-381 (`Eth2`) or secp256k1 (`Eth1`) signing keys stored in the following ways: | Key storage | SECP256K1 | BLS | |--------------------------------------|:---------:|:---:| | Raw files | x | x | -| [Keystore files] | x | x | -| **Vaults** | -| [Hashicorp Vault] | x | x | -| [Azure Key Vault] | x | x | -| [AWS Secrets Manager] | | x | -| [AWS KMS] | x | | +| [Keystore files] | x | x | +| **Vaults** | | | +| [Hashicorp Vault] | x | x | +| [Azure Key Vault] | x | x | +| [AWS Secrets Manager] | | x | +| [AWS KMS] | x | | | [GCP Secret Manager] | | x | | **Hardware Security Modules (HSMs)** | | | | [YubiHSM 2] | x | x | | [USB Armory Mk II] | x | x | -Web3Signer supports `Eth1` signing from HSMs and vaults, but must load private keys into memory for `Eth2` signing. +Web3Signer supports `Eth1` signing from HSMs and vaults, but must load private keys into memory for `Eth2` signing. Follow [best practices](../../get-started/key-best-practices.md) when storing private keys. After storing keys, [load keys into Web3Signer](../load-keys.md). diff --git a/docs/how-to/store-keys/vaults/aws/kms-execution-layer.md b/docs/how-to/store-keys/vaults/aws/kms-execution-layer.md index cf1bfd5..a160019 100644 --- a/docs/how-to/store-keys/vaults/aws/kms-execution-layer.md +++ b/docs/how-to/store-keys/vaults/aws/kms-execution-layer.md 
@@ -6,17 +6,17 @@ sidebar_position: 2 # Use Web3Signer with AWS Key Management Service -Web3Signer supports execution layer signing with secp256k1 keys stored in +Web3Signer supports execution layer signing with secp256k1 keys stored in [AWS Key Management Service (KMS)](https://aws.amazon.com/kms/). The [AWS KMS documentation](https://aws.amazon.com/kms/getting-started/) provides the information you need to get started. -## Load keys from AWS KMS +## Load keys from AWS KMS -Keys stored in AWS KMS can be loaded into Web3Signer by: +Keys stored in AWS KMS can be loaded into Web3Signer by: -* Using a [key configuration file](../../../load-keys.md#use-key-configuration-files). +* Using a [key configuration file](../../../load-keys.md#use-key-configuration-files). * Bulk loading using the [`eth1` subcommand](../../../load-keys.md#aws-key-management-service). ## Cache AWS KMS when loading multiple keys @@ -27,4 +27,4 @@ uses the same access key ID and region. Set the [`eth1 --aws-connection-cache-size`](../../../../reference/cli/subcommands.md#aws-connection-cache-size-1) option to the maximum number of AWS KMS connections to cache. -The default is `1`. \ No newline at end of file +The default is `1`. diff --git a/docs/how-to/store-keys/vaults/aws/secrets-manager-consensus-layer.md b/docs/how-to/store-keys/vaults/aws/secrets-manager-consensus-layer.md index f840715..a438385 100644 --- a/docs/how-to/store-keys/vaults/aws/secrets-manager-consensus-layer.md +++ b/docs/how-to/store-keys/vaults/aws/secrets-manager-consensus-layer.md 
@@ -78,4 +78,4 @@ Set the [`eth2 --aws-connection-cache-size`](../../../../reference/cli/subcomman option to the maximum number of AWS Secrets Manager connections to cache. The default is `1`. -After storing keys, [load keys into Web3Signer using a key configuration file, or bulk loading keys](../../../load-keys.md). \ No newline at end of file +After storing keys, [load keys into Web3Signer using a key configuration file, or bulk loading keys](../../../load-keys.md). diff --git a/docs/how-to/store-keys/vaults/gcp.md b/docs/how-to/store-keys/vaults/gcp.md index 4805e51..f3d8a6a 100644 --- a/docs/how-to/store-keys/vaults/gcp.md +++ b/docs/how-to/store-keys/vaults/gcp.md @@ -12,7 +12,7 @@ Web3Signer supports consensus layer signing with BLS keys stored in The [GCP Secret Manager documentation](https://cloud.google.com/secret-manager/docs) provides the information you need to get started. -## Authentication +## Authentication Web3Signer uses [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication#adc) to authenticate with GCP Secret Manager. ADC automatically finds credentials and manages token retrieval, enabling @@ -21,4 +21,4 @@ the authentication code to operate across various deployment options without mod ## Load keys from GCP Secret Manager Load keys stored in GCP Secret Manager into Web3Signer using the [`eth2` subcommand](../../load-keys.md#gcp-secret-manager) -to bulk load keys. \ No newline at end of file +to bulk load keys. diff --git a/docs/how-to/store-keys/vaults/hashicorp.md b/docs/how-to/store-keys/vaults/hashicorp.md index 90eba77..705b6b0 100644 --- a/docs/how-to/store-keys/vaults/hashicorp.md +++ b/docs/how-to/store-keys/vaults/hashicorp.md 
@@ -4,11 +4,11 @@ description: Store keys in HashiCorp Vault. sidebar_position: 1 --- +# Use Web3Signer with HashiCorp Vault + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Use Web3Signer with HashiCorp Vault - Web3Signer supports storing the signing key in [HashiCorp Vault](https://www.hashicorp.com/products/vault/). ## Store a private key in HashiCorp Vault @@ -16,6 +16,8 @@ Web3Signer supports storing the signing key in [HashiCorp Vault](https://www.has After installing [HashiCorp Vault](https://learn.hashicorp.com/vault/getting-started/install) and [starting the server](https://learn.hashicorp.com/vault/getting-started/dev-server): + + 1. Set the `VAULT_ADDR` environment variable using the command displayed after starting the server: ```bash @@ -59,6 +61,7 @@ After installing [HashiCorp Vault](https://learn.hashicorp.com/vault/getting-sta --- ----- value 17079f966aa2d5db1678ed32467165bbbd640868e7371ade8d5812ea856d2bbf ``` + @@ -118,5 +121,6 @@ localhost:8200 7C:B3:3E:F9:98:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD [signing key configuration file]: ../../load-keys.md#use-key-configuration-files -[Start Teku]: https://docs.teku.consensys.net/get-started/start-teku [Start Web3Signer and specify the location of the signing key configuration file]: ../../../get-started/start-web3signer.md + + diff --git a/docs/index.md b/docs/index.md index 23ef25c..a999851 100644 --- a/docs/index.md +++ b/docs/index.md @@ -25,7 +25,7 @@ Web3Signer can sign on multiple platforms using private keys stored in an extern Web3Signer can sign payloads using secp256k1 and BLS12-381 signing keys, and supports the following platforms: - Execution layer (formerly called Ethereum 1.0) -- Consensus layer (formerly called Ethereum 2.0). +- Consensus layer (formerly called Ethereum 2.0). ## New to Web3Signer? diff --git a/docs/reference/api/json-rpc.md b/docs/reference/api/json-rpc.md index 32ec25b..7b3786d 100644 --- a/docs/reference/api/json-rpc.md 
+++ b/docs/reference/api/json-rpc.md @@ -3,10 +3,12 @@ description: Use for signing execution layer payloads sidebar_position: 1 --- +# Web3Signer JSON-RPC API + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Web3Signer JSON-RPC API + :::note - All JSON-RPC HTTP examples use the default host and port endpoint `http://127.0.0.1:8545`. @@ -116,6 +118,8 @@ Transaction object: `result` : `data` - The signed transaction object. + + @@ -140,7 +144,8 @@ curl -X POST --data '{"jsonrpc":"2.0","method":"eth_signTransaction","params":[{ ## `eth_signTypedData` -`eth_signTypedData` is the same as [`eth_sign`](#ethsign) except a typed data structure is specified as the object to be signed instead of a data string. +`eth_signTypedData` is the same as `ethsign` except a typed data structure is specified +as the object to be signed instead of a data string. Calculates an Ethereum specific signature using `sign(keccak256("\x19Ethereum Signed Message:\n" + len(message) + message)))."` @@ -150,7 +155,7 @@ specific signature. This prevents malicious dapps from signing arbitrary data (for example, a transaction) and using the signature to impersonate the victim. -The JSON schema for the typed data structure to sign is: +The JSON schema for the typed data structure to sign is: ```json { 
@@ -192,15 +197,18 @@ The JSON schema for the typed data structure to sign is: `DATA` - Signature - + + + -# curl HTTP request + ```bash curl -X POST --data '{"jsonrpc":"2.0","method":"eth_signTypedData","params":["0xCD2a3d9F938E13CD947Ec05AbC7FE734Df8DD826", {"types":{"EIP712Domain":[{"name":"name","type":"string"},{"name":"version","type":"string"},{"name":"chainId","type":"uint256"},{"name":"verifyingContract","type":"address"}],"Person":[{"name":"name","type":"string"},{"name":"wallet","type":"address"}],"Mail":[{"name":"from","type":"Person"},{"name":"to","type":"Person"},{"name":"contents","type":"string"}]},"primaryType":"Mail","domain":{"name":"Ether Mail","version":"1","chainId":1,"verifyingContract":"0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC"},"message":{"from":{"name":"Cow","wallet":"0xCD2a3d9F938E13CD947Ec05AbC7FE734Df8DD826"},"to":{"name":"Bob","wallet":"0xbBbBBBBbbBBBbbbBbbBbbbbBBbBbbbbBbBbbBBbB"},"contents":"Hello, Bob!"}}],"id":1}' ``` -# JSON result + + ```json { @@ -210,13 +218,15 @@ curl -X POST --data '{"jsonrpc":"2.0","method":"eth_signTypedData","params":["0x } ``` - + + ## `eth_sendTransaction` Creates and signs a transaction using the signing key. -Web3Signer submits the signed transaction to Besu using [`eth_sendRawTransaction`](https://besu.hyperledger.org/stable/public-networks/reference/api#eth_sendrawtransaction). +Web3Signer submits the signed transaction to Besu using +[`eth_sendRawTransaction`](https://besu.hyperledger.org/stable/public-networks/reference/api#eth_sendrawtransaction). ### Parameters @@ -268,4 +278,4 @@ curl -X POST --data '{"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{ -[EIP-1559]: https://eips.ethereum.org/EIPS/eip-1559 \ No newline at end of file +[EIP-1559]: https://eips.ethereum.org/EIPS/eip-1559 diff --git a/docs/reference/api/rest.md b/docs/reference/api/rest.md index ec0213d..a8e6731 100644 --- a/docs/reference/api/rest.md +++ b/docs/reference/api/rest.md 
@@ -5,11 +5,11 @@ sidebar_position: 2 # Web3Signer REST API -The Web3Signer REST API contains an ETH2 (that is, consensus layer) API, and an ETH1 (that is, execution layer) API. -Use the ETH2 API for signing consensus layer payloads. +The Web3Signer REST API contains an ETH2 (that is, consensus layer) API, and an ETH1 (that is, execution layer) API. +Use the ETH2 API for signing consensus layer payloads. -We recommend using the [Web3Signer JSON-RPC API](json-rpc.md) for signing execution layer payloads. The ETH1 REST API contains a basic signing method but does not implement transaction encoding -or create an an Ethereum signature. +We recommend using the [Web3Signer JSON-RPC API](json-rpc.md) for signing execution layer payloads. The ETH1 REST API +contains a basic signing method but does not implement transaction encoding or create an an Ethereum signature. ## View the REST API documentation diff --git a/docs/reference/cli/options.md b/docs/reference/cli/options.md index fc5e2ad..7794cb8 100644 --- a/docs/reference/cli/options.md +++ b/docs/reference/cli/options.md @@ -4,11 +4,11 @@ description: Web3Signer command line options reference sidebar_position: 1 --- +# Web3Signer command line options + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Web3Signer command line options - This reference describes the syntax of the Web3Signer Command Line Interface (CLI) options. ## Specify options @@ -86,6 +86,7 @@ WEB3SIGNER_DATA_PATH=/Users/me/my_node/data ```bash data-path: "/Users/me/my_node/data" ``` + @@ -162,7 +163,7 @@ key-store-config-file-max-size: 158000000 The maximum signing key configuration file size in bytes. -This is useful when you're loading a large number of +This is useful when you're loading a large number of [signing key configurations from a single file](../key-config-file-params.md) The default size is 104857600 bytes (100 MB). 
@@ -977,7 +978,7 @@ tls-known-clients-file: "/Users/me/my_node/knownClients.txt" -File containing the Common Names and SHA-256 fingerprints of +File containing the Common Names and SHA-256 fingerprints of [authorized clients](../../how-to/configure-tls.md#create-the-known-clients-file). ### `tls-allow-ca-clients` diff --git a/docs/reference/cli/subcommands.md b/docs/reference/cli/subcommands.md index fe80901..652f1e1 100644 --- a/docs/reference/cli/subcommands.md +++ b/docs/reference/cli/subcommands.md @@ -4,11 +4,11 @@ description: Web3Signer subcommands reference sidebar_position: 2 --- +# Subcommands + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Subcommands - :::caution Filecoin deprecation notice Web3Signer has deprecated Filecoin and will remove it in a future release. If you still require this feature, we encourage @@ -248,7 +248,7 @@ eth1.aws-kms-client-cache-size: "5" -AWS KMS client cache size. Set to the total number of credentials +AWS KMS client cache size. Set to the total number of credentials used to access the service plus the number of regions the service is accessed from. The default is `1`. #### `aws-kms-enabled` @@ -285,7 +285,7 @@ eth1.aws-kms-enabled: "true" -Set to `true` to enable bulk loading from the AWS KMS. The default is `false`. +Set to `true` to enable bulk loading from the AWS KMS. The default is `false`. #### `aws-kms-region` @@ -582,7 +582,8 @@ eth1.azure-response-timeout: "40" -The response timeout used by the HTTP client (in seconds). The default is 60. You can also set the timeout using the `timeout` field in the Azure metadata file. +The response timeout used by the HTTP client (in seconds). The default is 60. You can also set the timeout using +the `timeout` field in the Azure metadata file. #### `azure-tags` 
@@ -767,7 +768,8 @@ eth1.chain-id: "2017" -ID of the chain to receive the signed transactions. The Besu documentation lists [chain IDs for public networks](https://besu.hyperledger.org/development/public-networks/concepts/network-and-chain-id). +ID of the chain to receive the signed transactions. The Besu documentation +lists [chain IDs for public networks](https://besu.hyperledger.org/development/public-networks/concepts/network-and-chain-id). #### `downstream-http-host` @@ -2061,7 +2063,7 @@ eth2.gcp-secrets-enabled: true -Set to `true` to enable bulk loading from the GCP Secrets Manager service. The default is `false`. +Set to `true` to enable bulk loading from the GCP Secrets Manager service. The default is `false`. #### `gcp-secrets-filter` diff --git a/docs/reference/key-config-file-params.md b/docs/reference/key-config-file-params.md index 1e797c8..3927ea0 100644 --- a/docs/reference/key-config-file-params.md +++ b/docs/reference/key-config-file-params.md @@ -4,11 +4,11 @@ description: Signing key configuration file parameters sidebar_position: 3 --- +# Signing key configuration file parameters + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Signing key configuration file parameters - A [signing key configuration file] is a YAML file that defines the parameters to access one or more signing keys. @@ -112,7 +112,7 @@ secretName: "SecretName" -``` +```yml type: "azure-key" clientId: "***" clientSecret: "***" @@ -120,9 +120,12 @@ tenantId: "***" vaultName: "AzureKeyVault" keyName: "KeyName" ``` + + + | Key | Description | | --- | --- | | **type** | Type of configuration file. Use `azure-secret` or `azure-key`. | 
@@ -135,10 +138,12 @@ keyName: "KeyName" | **secretName** | Name of the key stored in the Azure Key Vault under Secrets settings. Required when using the `azure-secret` type. | | **keyName** | Name of the key stored in the Azure Key Vault under Keys settings. Required when using the `azure-key` type. | + + ## AWS Secrets Manager Use the private key stored in [AWS Secrets Manager](../how-to/store-keys/vaults/aws/secrets-manager-consensus-layer.md). -Supports BLS keys for consensus layer signing. +Supports BLS keys for consensus layer signing. ```bash type: "aws-secret" @@ -162,8 +167,8 @@ region: "us-west-2" ## AWS Key Management Service -Use the private key stored in [AWS Key Management Service (KMS)](../how-to/store-keys/vaults/aws/kms-execution-layer.md). -Supports SECP256K1 keys for execution layer signing. +Use the private key stored in [AWS Key Management Service (KMS)](../how-to/store-keys/vaults/aws/kms-execution-layer.md). +Supports SECP256K1 keys for execution layer signing. ```bash type: "aws-kms" @@ -176,6 +181,8 @@ region: "us-east-2" endpointOverride: "http://localhost:4566" ``` + + | Key | Description | |------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **type** | Type of configuration file. Use `aws-kms`. | @@ -186,6 +193,7 @@ endpointOverride: "http://localhost:4566" | **kmsKeyId** | AWS Access Key ID to authenticate AWS KMS. | | **region** | Region to connect to. | | **endpointOverride** | Endpoint override for AWS KMS. Useful for local testing against LocalStack. | + ## YubiHSM 2 
@@ -202,6 +210,8 @@ pkcs11ModulePath: /usr/bin/yubihsm-sdk/lib/pkcs11/yubihsm_pkcs11.so additionalInitConfig: debug libdebug timeout=5 ``` + + | Key | Description | |--------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **type** | Type of configuration file. Use `yubihsm2`. | @@ -213,6 +223,8 @@ additionalInitConfig: debug libdebug timeout=5 | **pkcs11ModulePath** | Path the [PKCS#11 module]. | | **additionalInitConfig** | Optional. Configuration options for the [PKCS#11 module]. | + + ## USB Armory Mk II Use the private key stored in the [USB Armory Mk II hardware security module](../how-to/store-keys/hsm/usb-armory.md). @@ -228,6 +240,8 @@ password: usbarmory keyPath: /key1.txt ``` + + | Key | Description | | --- | --- | | **type** | Type of configuration file. Use `interlock`. | @@ -238,6 +252,8 @@ keyPath: /key1.txt | **password** | Password used to access the Interlock volume. | | **keyPath** | Path to the text file containing the BLS or SECP private key (as a HEX encoded string) on the Interlock file manager. These files can be created directly using Interlock from a browser. | + + [signing key configuration file]: ../how-to/load-keys.md#use-key-configuration-files diff --git a/docs/reference/security-disclosure.md b/docs/reference/security-disclosure.md index c1b3e32..e90b807 100644 --- a/docs/reference/security-disclosure.md +++ b/docs/reference/security-disclosure.md 
@@ -5,7 +5,9 @@ sidebar_position: 4 # Security disclosure policy -At Consensys, security is a priority. But regardless of how much effort we put into system security, there may still be vulnerabilities present. If you discover a vulnerability, we want to know about it so we can take steps to address it as quickly as possible. You can help us better protect our clients and our systems. +At Consensys, security is a priority. But regardless of how much effort we put into system security, there may still be vulnerabilities present. +If you discover a vulnerability, we want to know about it so we can take steps to address it as quickly as possible. +You can help us better protect our clients and our systems. Please do the following: diff --git a/versioned_docs/version-24.6.0/get-started/install-binaries.md b/versioned_docs/version-24.6.0/get-started/install-binaries.md index e892cc0..8b92194 100644 --- a/versioned_docs/version-24.6.0/get-started/install-binaries.md +++ b/versioned_docs/version-24.6.0/get-started/install-binaries.md @@ -4,11 +4,11 @@ description: Install Web3Signer from a binary distribution. sidebar_position: 1 --- +# Install binary distribution + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Install binary distribution - ## Prerequisites - [Java JDK](https://www.oracle.com/java/technologies/javase-downloads.html) diff --git a/versioned_docs/version-24.6.0/get-started/start-web3signer.md b/versioned_docs/version-24.6.0/get-started/start-web3signer.md index 4bba6f7..6775fab 100644 --- a/versioned_docs/version-24.6.0/get-started/start-web3signer.md +++ b/versioned_docs/version-24.6.0/get-started/start-web3signer.md 
@@ -4,11 +4,11 @@ description: Start Web3Signer. sidebar_position: 4 --- +# Start Web3Signer + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Start Web3Signer - :::note This documentation has been updated in line with the name changes [recommended by the Ethereum Foundation](https://blog.ethereum.org/2022/01/24/the-great-eth2-renaming/). diff --git a/versioned_docs/version-24.6.0/how-to/configure-slashing-protection.md b/versioned_docs/version-24.6.0/how-to/configure-slashing-protection.md index 83d99a6..739af86 100644 --- a/versioned_docs/version-24.6.0/how-to/configure-slashing-protection.md +++ b/versioned_docs/version-24.6.0/how-to/configure-slashing-protection.md @@ -4,11 +4,11 @@ description: Configure consensus layer slashing protection. sidebar_position: 6 --- +# Configure consensus layer slashing protection + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Configure consensus layer slashing protection - Configure [slashing protection] to prevent consensus layer validators from being penalized for signing conflicting blocks or attestations. diff --git a/versioned_docs/version-24.6.0/how-to/load-keys.md b/versioned_docs/version-24.6.0/how-to/load-keys.md index 6d7ace9..96b9a43 100644 --- a/versioned_docs/version-24.6.0/how-to/load-keys.md +++ b/versioned_docs/version-24.6.0/how-to/load-keys.md @@ -3,11 +3,12 @@ title: Load signing keys description: Load BLS12-381 and secp256k1 signing keys. sidebar_position: 3 --- -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; # Load signing keys +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + Load signing keys using a [key configuration file], or bulk load using the [`eth1` and `eth2` subcommands]. Web3Signer supports loading keys with the following methods: diff --git a/versioned_docs/version-24.6.0/how-to/manage-keys.md b/versioned_docs/version-24.6.0/how-to/manage-keys.md index 52dd76a..35dca1b 100644 
--- a/versioned_docs/version-24.6.0/how-to/manage-keys.md +++ b/versioned_docs/version-24.6.0/how-to/manage-keys.md @@ -3,11 +3,12 @@ title: Manage consensus layer signing keys description: Manage consensus layer signing keys. sidebar_position: 4 --- -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; ## Reload new keys +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + If you add new keys to an existing set of validators, or modify the key configuration files, reload the keys to ensure Web3Signer registers the new or modified keys. Use the [`reload`](https://consensys.github.io/web3signer/web3signer-eth2.html#tag/Reload-Signer-Keys) diff --git a/versioned_docs/version-24.6.0/how-to/store-keys/hsm/yubihsm2.md b/versioned_docs/version-24.6.0/how-to/store-keys/hsm/yubihsm2.md index 375d3c2..a9ee5b2 100644 --- a/versioned_docs/version-24.6.0/how-to/store-keys/hsm/yubihsm2.md +++ b/versioned_docs/version-24.6.0/how-to/store-keys/hsm/yubihsm2.md @@ -4,11 +4,11 @@ description: Configure Web3Signer to use a YubiHSM 2 device. sidebar_position: 1 --- +# Use Web3Signer with YubiHSM 2 + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Use Web3Signer with YubiHSM 2 - Web3Signer can sign payloads using private keys stored in the [YubiHSM 2 hardware security module]. Web3Signer supports using the device as a secure key storage only. diff --git a/versioned_docs/version-24.6.0/how-to/store-keys/index.md b/versioned_docs/version-24.6.0/how-to/store-keys/index.md index 80fce95..d3f1631 100644 --- a/versioned_docs/version-24.6.0/how-to/store-keys/index.md +++ b/versioned_docs/version-24.6.0/how-to/store-keys/index.md 
@@ -4,11 +4,12 @@ description: Store BLS12-381 and secp256k1 signing keys in Web3Signer. sidebar_position: 2 keywords: [Hashicorp Vault, Azure Key Vault, AWS Secrets Manager, GCP Secret Manager, YubiHSM, USB Armory Mk II] --- -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; # Store signing keys +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + Web3Signer supports BLS12-381 or secp256k1 signing keys stored in the following ways: | Key storage | SECP256K1 | BLS | diff --git a/versioned_docs/version-24.6.0/how-to/store-keys/vaults/hashicorp.md b/versioned_docs/version-24.6.0/how-to/store-keys/vaults/hashicorp.md index 90eba77..b8c46df 100644 --- a/versioned_docs/version-24.6.0/how-to/store-keys/vaults/hashicorp.md +++ b/versioned_docs/version-24.6.0/how-to/store-keys/vaults/hashicorp.md @@ -4,11 +4,11 @@ description: Store keys in HashiCorp Vault. sidebar_position: 1 --- +# Use Web3Signer with HashiCorp Vault + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Use Web3Signer with HashiCorp Vault - Web3Signer supports storing the signing key in [HashiCorp Vault](https://www.hashicorp.com/products/vault/). ## Store a private key in HashiCorp Vault diff --git a/versioned_docs/version-24.6.0/reference/api/json-rpc.md b/versioned_docs/version-24.6.0/reference/api/json-rpc.md index 32ec25b..4685e4c 100644 --- a/versioned_docs/version-24.6.0/reference/api/json-rpc.md +++ b/versioned_docs/version-24.6.0/reference/api/json-rpc.md @@ -3,10 +3,12 @@ description: Use for signing execution layer payloads sidebar_position: 1 --- +# Web3Signer JSON-RPC API + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Web3Signer JSON-RPC API + :::note - All JSON-RPC HTTP examples use the default host and port endpoint `http://127.0.0.1:8545`. 
@@ -140,7 +142,7 @@ curl -X POST --data '{"jsonrpc":"2.0","method":"eth_signTransaction","params":[{ ## `eth_signTypedData` -`eth_signTypedData` is the same as [`eth_sign`](#ethsign) except a typed data structure is specified as the object to be signed instead of a data string. +`eth_signTypedData` is the same as `eth_sign` except a typed data structure is specified as the object to be signed instead of a data string. Calculates an Ethereum specific signature using `sign(keccak256("\x19Ethereum Signed Message:\n" + len(message) + message)))."` @@ -192,9 +194,12 @@ The JSON schema for the typed data structure to sign is: `DATA` - Signature - + -# curl HTTP request + + + + ```bash curl -X POST --data '{"jsonrpc":"2.0","method":"eth_signTypedData","params":["0xCD2a3d9F938E13CD947Ec05AbC7FE734Df8DD826", {"types":{"EIP712Domain":[{"name":"name","type":"string"},{"name":"version","type":"string"},{"name":"chainId","type":"uint256"},{"name":"verifyingContract","type":"address"}],"Person":[{"name":"name","type":"string"},{"name":"wallet","type":"address"}],"Mail":[{"name":"from","type":"Person"},{"name":"to","type":"Person"},{"name":"contents","type":"string"}]},"primaryType":"Mail","domain":{"name":"Ether Mail","version":"1","chainId":1,"verifyingContract":"0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC"},"message":{"from":{"name":"Cow","wallet":"0xCD2a3d9F938E13CD947Ec05AbC7FE734Df8DD826"},"to":{"name":"Bob","wallet":"0xbBbBBBBbbBBBbbbBbbBbbbbBBbBbbbbBbBbbBBbB"},"contents":"Hello, Bob!"}}],"id":1}' @@ -210,7 +215,8 @@ curl -X POST --data '{"jsonrpc":"2.0","method":"eth_signTypedData","params":["0x } ``` - + + ## `eth_sendTransaction` @@ -268,4 +274,6 @@ curl -X POST --data '{"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{ -[EIP-1559]: https://eips.ethereum.org/EIPS/eip-1559 \ No newline at end of file +[EIP-1559]: https://eips.ethereum.org/EIPS/eip-1559 + + \ No newline at end of file 
diff --git a/versioned_docs/version-24.6.0/reference/cli/options.md b/versioned_docs/version-24.6.0/reference/cli/options.md index fc5e2ad..6b1125d 100644 --- a/versioned_docs/version-24.6.0/reference/cli/options.md +++ b/versioned_docs/version-24.6.0/reference/cli/options.md @@ -4,11 +4,11 @@ description: Web3Signer command line options reference sidebar_position: 1 --- +# Web3Signer command line options + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Web3Signer command line options - This reference describes the syntax of the Web3Signer Command Line Interface (CLI) options. ## Specify options diff --git a/versioned_docs/version-24.6.0/reference/cli/subcommands.md b/versioned_docs/version-24.6.0/reference/cli/subcommands.md index f708179..6b6be55 100644 --- a/versioned_docs/version-24.6.0/reference/cli/subcommands.md +++ b/versioned_docs/version-24.6.0/reference/cli/subcommands.md @@ -4,11 +4,11 @@ description: Web3Signer subcommands reference sidebar_position: 2 --- +# Subcommands + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Subcommands - :::caution Filecoin deprecation notice Web3Signer has deprecated Filecoin and will remove it in a future release. If you still require this feature, we encourage diff --git a/versioned_docs/version-24.6.0/reference/key-config-file-params.md b/versioned_docs/version-24.6.0/reference/key-config-file-params.md index 1e797c8..bb7f846 100644 --- a/versioned_docs/version-24.6.0/reference/key-config-file-params.md +++ b/versioned_docs/version-24.6.0/reference/key-config-file-params.md @@ -4,11 +4,11 @@ description: Signing key configuration file parameters sidebar_position: 3 --- +# Signing key configuration file parameters + import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Signing key configuration file parameters - A [signing key configuration file] is a YAML file that defines the parameters to access one or more signing keys.