README
¶
中文 | English
Remote Signer
A secure, policy-driven signing service for EVM chains. Controls what gets signed through a rule engine, not just who can sign.
Features
- Policy-Driven Signing -- Whitelist/blocklist rules with Solidity expressions, JS rules, address lists, value limits
- Multi-Chain Extensible -- EVM today, Solana/Cosmos/Bitcoin ready architecture
- Manual Approval Workflow -- Slack, Pushover, and webhook notifications for pending approvals
- Ed25519 API Authentication -- Secure request signing with nonce + timestamp replay protection
- Dynamic Signer Management -- Create keystores and HD wallets (mnemonic wallets) at runtime via API or TUI
- Terminal UI (TUI) -- Manage rules, approve requests, create signers from the terminal
Architecture
┌─────────────────────────────────────────────────────────────────┐
│ API Layer │
│ /api/v1/evm/sign /api/v1/solana/sign /api/v1/.../sign │
└───────────────────────────┬─────────────────────────────────────┘
│
┌───────────────────────────▼─────────────────────────────────────┐
│ Core Layer │
│ SignService │ RuleEngine │ StateMachine │ AuditLogger │
└───────────────────────────┬─────────────────────────────────────┘
│
┌───────────────────────────▼─────────────────────────────────────┐
│ Chain Adapter Layer │
│ EVM Adapter (ethsig) │ Solana / Cosmos / ... (future) │
└───────────────────────────┬─────────────────────────────────────┘
│
┌───────────────────────────▼─────────────────────────────────────┐
│ Storage Layer │
│ GORM + PostgreSQL / SQLite │
└─────────────────────────────────────────────────────────────────┘
Quick Start
One-Line Install (recommended)
bash <(curl -fsSL https://raw.githubusercontent.com/ivanzzeth/remote-signer/main/scripts/setup.sh)
This auto-clones the repo (if needed), installs dependencies, and runs the guided setup.
Or Manual Clone
git clone https://github.com/ivanzzeth/remote-signer.git
cd remote-signer
./scripts/setup.sh
Prerequisites
- openssl
- Docker (recommended) or Go 1.24+ (for local mode)
What the Setup Wizard Does
The interactive setup walks through 5 steps:
- Deployment mode -- Docker + PostgreSQL (recommended) or Local + SQLite (dev only)
- API keys -- Generates
adminanddevEd25519 key pairs - TLS -- HTTP, TLS, or mTLS (Docker defaults to mTLS)
- Configuration -- Writes a ready-to-run config file with auto-generated secrets
- Next steps -- Start command, health check, how to add signers
After setup:
# Start (Docker mode, recommended)
./scripts/deploy.sh run
# Or start (Local mode)
./scripts/deploy.sh local-run
# Health check (HTTP)
curl http://localhost:8548/health
# Health check (mTLS)
curl --cacert certs/ca.crt --cert certs/client.crt --key certs/client.key https://localhost:8548/health
The server starts with no signers. To add your first signer (import a private key or HD wallet / mnemonic wallet), use the TUI: build it, connect with the admin key, then open the Signers tab to create a keystore or HD wallet. See Adding Signers below.
Manual Setup
If you prefer manual control, see docs/CONFIGURATION.md for the full config reference and use config.example.yaml as a starting point.
Adding Signers
The server starts without signers. Add them after startup:
- TUI (recommended): Use
-api-key-file data/admin_private.pemso you don't need to paste the key. Example (plain HTTP):./remote-signer-tui -api-key-id admin -api-key-file data/admin_private.pem -url http://localhost:8548. If you enabled TLS during setup, usehttps://and pass CA (and for mTLS, client cert/key), e.g.-url https://localhost:8548 -tls-ca ./certs/ca.crtor with mTLS:-tls-ca ./certs/ca.crt -tls-cert ./certs/client.crt -tls-key ./certs/client.key. See docs/TUI.md. After setup (Docker), you can choose "Open TUI to add signers now?" to launch it. In the Signers tab create a keystore (import private key) or create/import an HD wallet. Password requirements (enforced): at least 16 characters, and must include uppercase + lowercase + digit + symbol. 24+ characters recommended. - API:
POST /api/v1/evm/signers(admin only). See docs/API.md. - Config: Edit
chains.evm.signers.private_keysin your config file. See docs/CONFIGURATION.md.
Supported Sign Types
| Type | Description |
|---|---|
hash |
Sign pre-hashed data (32 bytes) |
raw_message |
Sign raw bytes |
eip191 |
Sign EIP-191 formatted message |
personal |
Sign personal message (\x19Ethereum Signed Message:\n) |
typed_data |
Sign EIP-712 typed data |
transaction |
Sign transaction (Legacy/EIP-2930/EIP-1559) |
Documentation
Getting Started
| Document | Description |
|---|---|
| Use Cases | Treasury, bot, DeFi scenarios |
| Architecture | System design, layers, adapters |
Configure
| Document | Description |
|---|---|
| Configuration Reference | Full config.yaml reference |
| Rules, Templates & Presets | Concepts: rule templates, instances, presets, and examples |
| Rule Syntax Reference | All rule types: address list, value limit, Solidity, JS, message pattern |
| JS Rules (evm_js) | In-process JavaScript rules via Sobek |
| config.example.yaml | Annotated configuration template |
Integrate
| Document | Description |
|---|---|
| API Reference | Complete endpoint docs: authentication, signing, rules, audit |
| Integration Guide | JS/TS client library, MetaMask Snap |
Deploy & Operate
| Document | Description |
|---|---|
| Deployment Guide | Docker, Kubernetes, HA, monitoring, backup |
| TLS / mTLS Guide | Certificate trust model, generation, production best practices |
| TUI Guide | Terminal UI: build, run, key bindings |
Security
| Document | Description |
|---|---|
| Security Overview | Defense-in-depth: 8 layers from network to application |
| Security Review | Findings, priorities, implementation status |
Development
| Document | Description |
|---|---|
| Components | Core interfaces, data types, services |
| Request Flow | 8-step signing flow with state machine |
| Testing Guide | Unit tests, E2E, rule validation, coverage |
Versioning — The version shown in the TUI and /health follows the repository tag (e.g. tag v0.1.1 → version 0.1.1). When you change code under tui/, bump the version in cmd/remote-signer/main.go; the pre-commit hook enforces this.
Roadmap
- EIP-712 Typed Data Validation
- Terminal UI (TUI)
- Go Client SDK
- JS/TS Client SDK
- Solidity Rule Coverage Enforcement
- Solana Chain Support
- Cosmos Chain Support
- Bitcoin Chain Support
- Web UI Dashboard
- Audit Log Export (S3, Elasticsearch)
License
MIT License
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
maltest
command
|
|
|
remote-signer
command
|
|
|
remote-signer-cli
command
|
|
|
tui
command
|
|
|
validate-rules
command
|
|
|
examples
|
|
|
go
command
Example: Remote Signer Go Client with TLS/mTLS
|
Example: Remote Signer Go Client with TLS/mTLS |
|
internal
|
|
|
audit
Package audit provides a background monitor that periodically scans audit records for anomaly patterns and sends notifications when thresholds are exceeded.
|
Package audit provides a background monitor that periodically scans audit records for anomaly patterns and sends notifications when thresholds are exceeded. |
|
ruleconfig
Package ruleconfig provides strict format validation for rule configuration only.
|
Package ruleconfig provides strict format validation for rule configuration only. |
|
validate
Package validate provides shared input validation for API, config, and chain layer.
|
Package validate provides shared input validation for API, config, and chain layer. |
|
pkg
|
|
|
client
Package client provides a Go SDK for the remote-signer service.
|
Package client provides a Go SDK for the remote-signer service. |
|
client/audit
Package audit provides audit log client services for the remote-signer.
|
Package audit provides audit log client services for the remote-signer. |
|
client/evm
Package evm provides EVM-specific client services for the remote-signer.
|
Package evm provides EVM-specific client services for the remote-signer. |
|
client/mock
Package mock provides per-resource mock implementations for testing.
|
Package mock provides per-resource mock implementations for testing. |
|
client/templates
Package templates provides template client services for the remote-signer.
|
Package templates provides template client services for the remote-signer. |
Click to show internal directories.
Click to hide internal directories.