An RPC signer proxy server that listens for eth_signTransaction requests and performs the transaction signing with a YubiHSM2 hardware signer or an AWS KMS signer, so the private key never leaves the HSM or KMS.
cargo install --path . --no-default-features
signer-proxy -h
Currently, the signer-proxy supports two signers: YubiHSM2 and AWS KMS.
signer-proxy yubihsm -h
signer-proxy aws-kms -h
Note: You can connect to the YubiHSM2 in one of two modes, usb or http, selected with the -m, --mode option.
  -a, --auth-key <auth-key-id>            YubiHSM auth key ID                              [env: YUBIHSM_AUTH_KEY_ID=]
  -d, --device-serial <device-serial-id>  YubiHSM device serial ID (for USB mode)          [env: YUBIHSM_DEVICE_SERIAL_ID=]
      --addr <http-address>               YubiHSM HTTP address (for HTTP mode)             [env: YUBIHSM_HTTP_ADDRESS=]
      --port <http-port>                  YubiHSM HTTP port (for HTTP mode)                [env: YUBIHSM_HTTP_PORT=]
  -m, --mode <mode>                       Connection mode (usb or http)                    [env: YUBIHSM_MODE=] [default: usb] [possible values: usb, http]
  -p, --pass <password>                   YubiHSM auth key password                        [env: YUBIHSM_PASSWORD]
Generates a secp256k1 key for signing Ethereum transactions with the SIGN_ECDSA capability, and additionally with the EXPORTABLE_UNDER_WRAP capability when the -e, --exportable flag is given. See the YubiHSM docs about Capability for what each capability permits.
signer-proxy yubihsm -d <device-serial-id> -a <auth-key-id> -p <password> generate-key -l <label> -e
signer-proxy yubihsm generate-key -h
  -e, --exportable     Make the key exportable under wrap (adds the EXPORTABLE_UNDER_WRAP capability); omitted by default
  -l, --label <label>  Key label [default: ]
Starts a YubiHSM-based proxy server that listens for eth_signTransaction requests and signs them with the key held in the YubiHSM2.
signer-proxy yubihsm -d <device-serial-id> -a <auth-key-id> -p <password> serve
The serve subcommand takes no additional options or flags; the connection options above are given before it.
Starts an AWS KMS-based proxy server that listens for eth_signTransaction requests and signs them with a key held in AWS KMS.
signer-proxy aws-kms serve
Configuration is managed through the shared .aws/config and .aws/credentials files or through environment variables:
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_REGION=
Start anvil (the local test chain) and the proxy server, and then run the test client:
cd test
node .
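The proxy's contract with a client is the JSON-RPC eth_signTransaction exchange described above for both the yubihsm and aws-kms serve commands. The following is an added example, not code from the signer-proxy project or its test directory: a small Node.js client that builds the request, posts it to the proxy, and validates the response before the signed transaction is used. It assumes the proxy speaks JSON-RPC 2.0 over HTTP at PROXY_URL (a placeholder; the page does not document the listen address) and returns the signed raw transaction as a 0x-prefixed hex string; the sample transaction and sample responses are constructed here for the stand-alone run.

```javascript
// Added example (not signer-proxy project code). Assumptions: JSON-RPC 2.0 over
// HTTP at PROXY_URL (placeholder address), result = 0x-hex signed raw transaction.
const PROXY_URL = "http://127.0.0.1:8080"; // placeholder, not documented on the page

const ADDR_RE = /^0x[0-9a-fA-F]{40}$/;
const HEX_RE = /^0x[0-9a-fA-F]*$/;
let nextId = 1;

// Build a JSON-RPC 2.0 eth_signTransaction request. Rejecting malformed fields
// client-side gives clearer errors than whatever the signer returns later.
function buildSignRequest(tx, id) {
  if (!ADDR_RE.test(tx.from)) throw new Error("tx.from must be a 20-byte hex address");
  if (tx.to !== undefined && !ADDR_RE.test(tx.to)) throw new Error("tx.to must be a 20-byte hex address");
  for (const f of ["gas", "gasPrice", "value", "nonce", "chainId", "data"]) {
    if (tx[f] !== undefined && !HEX_RE.test(tx[f])) throw new Error(`tx.${f} must be 0x-prefixed hex`);
  }
  return { jsonrpc: "2.0", id, method: "eth_signTransaction", params: [tx] };
}

// Parse and validate the proxy's response; throws rather than returning junk.
function parseSignResponse(body, expectedId) {
  const res = typeof body === "string" ? JSON.parse(body) : body;
  if (res.jsonrpc !== "2.0") throw new Error("not a JSON-RPC 2.0 response");
  if (res.id !== expectedId) throw new Error(`response id ${res.id} does not match request id ${expectedId}`);
  if (res.error) throw new Error(`proxy returned error ${res.error.code}: ${res.error.message}`);
  if (typeof res.result !== "string" || !/^0x[0-9a-fA-F]+$/.test(res.result)) {
    throw new Error("result is not a hex-encoded signed transaction");
  }
  if (res.result.length % 2 !== 0) throw new Error("signed transaction hex has odd length");
  return res.result;
}

// Full round trip against a running proxy (network; not exercised stand-alone here).
async function signViaProxy(tx, url = PROXY_URL) {
  const req = buildSignRequest(tx, nextId++);
  const resp = await fetch(url, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(req),
  });
  return parseSignResponse(await resp.text(), req.id);
}

// Constructed sample inputs (not real proxy output) for a stand-alone check.
const SAMPLE_TX = {
  from: "0x" + "11".repeat(20),
  to: "0x" + "22".repeat(20),
  value: "0xde0b6b3a7640000", // 1 ether in wei
  gas: "0x5208",
  gasPrice: "0x2540be400",
  nonce: "0x0",
  chainId: "0x7a69", // 31337, anvil's default chain id
};
// Plausibly shaped but constructed signed-tx bytes (RLP-like prefix, dummy r/s).
const SAMPLE_SIGNED =
  "0xf86c0a8502540be400825208" + "94" + "22".repeat(20) + "880de0b6b3a7640000" +
  "80" + "25" + "a0" + "11".repeat(32) + "a0" + "22".repeat(32);
const SAMPLE_OK_BODY = JSON.stringify({ jsonrpc: "2.0", id: 7, result: SAMPLE_SIGNED });
const SAMPLE_ERR_BODY = JSON.stringify({
  jsonrpc: "2.0", id: 7, error: { code: -32000, message: "signer unavailable" },
});

if (typeof require !== "undefined" && require.main === module) {
  // Offline self-check, then (optionally) the live call against a running proxy.
  console.log("offline parse ok:", parseSignResponse(SAMPLE_OK_BODY, 7) === SAMPLE_SIGNED);
  signViaProxy(SAMPLE_TX)
    .then((signed) => console.log("signed:", signed))
    .catch((err) => console.error("proxy call failed:", err.message));
}
```

The client checks the response id against the request id, refuses error objects, and only accepts an even-length hex result, so a mismatched or malformed reply is never forwarded to eth_sendRawTransaction as if it were a valid signature.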