
Tezio Signer

Tezio Signer is a Python Flask application for relaying Tezos signing requests from Octez to a Tezio HSM. Each signing request is validated against a security and signing policy and then forwarded to a Tezio HSM connected via USB using the Tezio HSM API.

Introduction

Tezio Signer is located in the signer directory of the repository. The directory contains the app, tezio_signer.py, and a Python class that handles communication with the Tezio HSM, tezio.py. The security and signing policies for the various keys provisioned on the Tezio HSM are declared in the config.yaml file.

Security and Signing Policy

The security policy defined in config.yaml
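The following is an added example of the kind of per-key check a relay like this performs before a request reaches the HSM; it is not Tezio Signer's own code and it does not use the config.yaml schema, which the page does not describe. It assumes the Octez remote-signer convention that the payload to sign is hex-encoded and begins with a "magic byte" identifying the payload type, and it adds a high-watermark check so a baker key never signs a block or attestation at a level it has already signed. The policy dictionary, the key hash tz1example and the payload builder are constructed for the example.

```python
import struct

# Tezos "magic bytes": the first byte of every payload Octez asks a signer to sign.
MAGIC = {
    0x01: "legacy_block",
    0x02: "legacy_endorsement",
    0x03: "generic_operation",  # transfers, delegations, ...: high risk for a baker key
    0x11: "block",
    0x12: "preattestation",
    0x13: "attestation",
}
CONSENSUS = {"block", "preattestation", "attestation"}


class SigningPolicy:
    """Per-key policy: which payload types a key may sign, plus a per-type high
    watermark so the key never signs two blocks/attestations at the same or a lower
    level. The policy schema here is a constructed assumption, not Tezio's config.yaml."""

    def __init__(self, policy):
        # policy: {pkh: {"allow": [payload types]}}
        self.policy = policy
        # (pkh, payload type) -> highest level signed. A real relay must persist this
        # to disk before forwarding to the HSM, or a restart loses the protection.
        self.watermark = {}

    @staticmethod
    def payload_type(data):
        if not data:
            return None
        return MAGIC.get(data[0])

    @staticmethod
    def level_of(kind, data):
        # block header:  magic(1) chain_id(4) level(4) ...
        # consensus op:  magic(1) chain_id(4) branch(32) tag(1) slot(2) level(4) round(4) ...
        offset = 5 if kind == "block" else 40
        if len(data) < offset + 4:
            return None
        return struct.unpack(">i", data[offset:offset + 4])[0]

    def check(self, pkh, payload_hex):
        """Return (allowed, reason). Octez addresses the key by its hash (pkh)."""
        try:
            data = bytes.fromhex(payload_hex)
        except ValueError:
            return False, "payload is not hex"
        rules = self.policy.get(pkh)
        if rules is None:
            return False, "no policy for key %s" % pkh
        kind = self.payload_type(data)
        if kind is None:
            return False, "unknown or empty payload type"
        if kind not in rules.get("allow", []):
            return False, "%s not permitted for %s" % (kind, pkh)
        if kind in CONSENSUS:
            level = self.level_of(kind, data)
            if level is None:
                return False, "payload too short for %s" % kind
            last = self.watermark.get((pkh, kind))
            # Level-only watermark: conservative, so re-signing the same level at a
            # higher round is also refused. Tracking round as well would allow that.
            if last is not None and level <= last:
                return False, "%s at level %d not above watermark %d" % (kind, level, last)
            self.watermark[(pkh, kind)] = level
        return True, kind


def make_attestation(level, round_=0):
    """Constructed sample attestation payload (hex), shaped like an Octez request."""
    body = bytes([0x13]) + b"\x00" * 4 + b"\x00" * 32   # magic, chain_id, branch
    body += bytes([0x15]) + b"\x00\x00"                  # tag (attestation), slot
    body += struct.pack(">i", level) + struct.pack(">i", round_)
    body += b"\x00" * 32                                 # block payload hash
    return body.hex()


def demo():
    policy = SigningPolicy({"tz1example": {"allow": ["block", "preattestation", "attestation"]}})
    results = [
        policy.check("tz1example", make_attestation(100)),      # allowed
        policy.check("tz1example", make_attestation(100)),      # refused: watermark
        policy.check("tz1example", make_attestation(101)),      # allowed
        policy.check("tz1example", "03" + "00" * 32),           # refused: generic op
        policy.check("tz1other", make_attestation(5)),          # refused: no policy
    ]
    return [ok for ok, _ in results]


if __name__ == "__main__":
    print(demo())
```

In a relay, `check` would run in the request handler before the payload is handed to the HSM class, and any refusal would be logged with the key hash, payload type and reason so an operator can see attempted misuse.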

Running Tezio Signer Using Gunicorn

Flask’s built-in WSGI server is only meant for testing. Therefore, it is advisable to run Tezio Signer using a production-ready WSGI server like Gunicorn.

Install Gunicorn

sudo apt-get update
sudo apt-get install gunicorn

Run the App

cd [PATH_TO_TEZIO_REPO]/signer
chmod u+x tezio_signer.py
gunicorn --bind 127.0.0.1:[PORT] tezio_signer:app

Running Tezio Signer as a Persistent Daemon

There are several options to accomplish this. One possibility is to run as a background process using Supervisor.

Install Supervisor

sudo apt-get update
sudo apt-get install supervisor

Check Supervisor Status

sudo systemctl status supervisor

Create a Configuration File for Tezio Signer

cd /etc/supervisor/conf.d
sudo nano tezio-signer.conf

Compose the Configuration File’s Content

[program:tezio_signer_flask_app_via_gunicorn]
user=[USER_NAME]
directory=[PATH_TO_TEZIO_REPO]/signer
command=gunicorn --bind 127.0.0.1:[PORT] tezio_signer:app
autostart=true
autorestart=true
stdout_logfile=[PATH_TO_TEZIO_REPO]/signer/tezio_signer_out.log
stderr_logfile=[PATH_TO_TEZIO_REPO]/tezio_signer.log

Update Supervisor

sudo supervisorctl reread
sudo supervisorctl update

Check Daemon Status

sudo supervisorctl status

Requirements

pip install flask base58 pyserial