Skip to main content

Subcommands

EthSigner signs transaction with a key stored in an encrypted file or an external vault. The EthSigner subcommands are used to specify the keys used to sign transactions:

  • ethsigner [Options] file-based-signer [File Options]
  • ethsigner [Options] hashicorp-signer [Hashicorp Options]
  • ethsigner [Options] azure-signer [Azure Options]
  • ethsigner [Options] multikey-signer [Multikey Options]

The file-based-signer, hashicorp-signer, and azure-signer subcommands are used for single keys only, and the multikey-signer subcommand is used for one or more keys.

caution

Only one signing key subcommand can be used.

Specifying subcommand options

The subcommand to use must be specified on the command line, but the subcommand options can be specified:

For example, you can set the options for the azure-signer subcommand in environment variables or a configuration file, but the subcommand must be specified in the command line

info
ethsigner --config-file=./config.toml azure-signer

If you specify an option in more than one place, the order of priority is command line, environment variable, configuration file.

Environment variables

For each subcommand option, the equivalent environment variable is:

  • Upper-case
  • _ replaces -
  • Has an ETHSIGNER_ + <SIGNING_OPTION>_ prefix. For example set azure-signer --client-id using the ETHSIGNER_AZURE_SIGNER_CLIENT_ID environment variable.
note

Only subcommand options can be set in environment variables. The actual subcommand must be specified in the command line.

View help

To view the command line help for the subcommands:

Options

file-based-signer

key-file

File containing key with which transactions are signed.

-k, --key-file=<keyFile>

password-file

File containing password for the key with which transactions are signed.

-p, --password-file=<passwordFile>

hashicorp-signer

auth-file

File containing authentication data for HashiCorp Vault. The authentication data is the root token displayed by the HashiCorp Vault server.

--auth-file=<authFile>

host

Host of the HashiCorp Vault server. Default is localhost.

--host=<serverHost>

port

Port of the HashiCorp Vault server. Default is 8200.

--port=<serverPort>

signing-key-path

Path to secret in the HashiCorp Vault containing the private key for signing transactions. Default is /secret/data/ethsignerSigningKey.

--signing-key-path=<signingKeyPath>

timeout

Timeout in milliseconds for requests to the HashiCorp Vault server. Default is 10000.

--timeout=<timeout>

tls-enabled

Connect to HashiCorp Vault server using TLS. Default is true.

--tls-enabled[=<true|false>]

tls-known-server-file

File containing the hostname, port, and SHA256 certificate fingerprint of the HashiCorp Vault server.

--tls-known-server-file=<hashicorpServerFile>

azure-signer

client-id

ID used to authenticate with Azure Key Vault.

--client-id=<clientID>

client-secret-path

Path to file containing secret used to access the vault.

--client-secret-path=<clientSecretPath>

key-name

Name of key to be used.

--key-name=<keyName>

key-version

Version of the specified key to use.

--key-version=<keyVersion>

keyvault-name, key-vault-name

Name of the vault to access. Sub-domain of vault.azure.net.

--keyvault-name=<keyVaultName>

tenant-id

The tenant ID of the Azure Portal instance being used.

--tenant-id=<STRING>

multikey-signer

directory

Path to the directory containing the TOML files required to access keys.

--directory=<directoryPath>