# Remote BLS Signer
## Overview
Simple HTTP BLS signer service.
This service is designed to be consumed by Ethereum 2.0 clients, looking for a more secure avenue to store their BLS12-381 secret keys, while running their validators in more permisive and/or scalable environments.
One goal of this package is to be standard compliant. There is a [current draft for an Ethereum Improvement Proposal (EIP)](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-3030.md) in progress. Please refer to the [roadmap](#roadmap) for a list of advanced features.
## API
### Standard
### `GET /upcheck`
_**Responses**_
Success |
--- | ---
Code | `200`
Content | `{"status": "OK"}`
---
### `GET /keys`
Returns the identifiers of the keys available to the signer.
_**Responses**_
Success |
--- | ---
Code | `200`
Content | `{"keys": "[identifier]"}`
---
### `POST /sign/:identifier`
URL Parameter |
--- | ---
`:identifier` | `public_key_hex_string_without_0x`
_**Request**_
JSON Body |
|
--- | --- | ---
`bls_domain` | **Required** | The BLS Signature domain.
As defined in the [specification](https://github.com/ethereum/eth2.0-specs/blob/dev/specs/phase0/beacon-chain.md#domain-types), in lowercase, omitting the `domain` prefix.
Supporting `beacon_proposer`, `beacon_attester`, and `randao`.
`data` | **Required** | The data to be signed.
As defined in the specifications for [block](https://github.com/ethereum/eth2.0-APIs/blob/master/types/block.yaml), [attestation](https://github.com/ethereum/eth2.0-APIs/blob/master/types/attestation.yaml), and [epoch](https://github.com/ethereum/eth2.0-APIs/blob/master/types/misc.yaml).
`fork` | **Required** | A `Fork` object containing previous and current versions.
As defined in the [specification](https://github.com/ethereum/eth2.0-APIs/blob/master/types/misc.yaml)
`genesis_validators_root` | **Required** | A `Hash256` for domain separation and chain versioning.
| Optional | Any other field will be ignored by the signer
_**Responses**_
Success |
--- | ---
Code | `200`
Content | `{"signature": ""}`
_or_
Error |
--- | ---
Code | `400`
Content | `{"error": ""}`
_or_
Error |
--- | ---
Code | `404`
Content | `{"error": "Key not found: "}`
## Build instructions
1. [Get Rust](https://www.rust-lang.org/learn/get-started).
2. Go to the root directory of this repository.
3. Execute `make`
4. The binary `lighthouse` will most likely be found in `./target/release`.
5. Run it as `lighthouse remote_signer` or `lighthouse rs`.
## Running the signer
### Storing the secret keys as raw files
* Steps to store a secret key
* Choose an empty directory, as the backend will parse every file looking for keys.
* Create a file named after the **hex representation of the public key without 0x**.
* Write the **hex representation of the secret key without 0x**.
* Store the file in your chosen directory.
* Use this directory as a command line parameter (`--storage-raw-dir`)
### Command line flags
```
USAGE:
lighthouse remote_signer [OPTIONS]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
--debug-level The verbosity level for emitting logs. [default: info] [possible values:
info, debug, trace, warn, error, crit]
--listen-address The address to listen for TCP connections. [default: 0.0.0.0]
--log-format Specifies the format used for logging. [possible values: JSON]
--logfile File path where output will be written.
--port The TCP port to listen on. [default: 9000]
--spec Specifies the default eth2 spec type. [default: mainnet] [possible values:
mainnet, minimal, interop]
--storage-raw-dir <DIR> Data directory for secret keys in raw files.
```
## Roadmap
- [X] EIP standard compliant
- [ ] Metrics
- [ ] Benchmarking & Profiling
- [ ] Release management
- [ ] Architecture builds
- [ ] Support EIP-2335, BLS12-381 keystore
- [ ] Support storage in AWS Cloud HSM
- [ ] Route with the `warp` library
- [ ] Slashing protection pipeline
- [ ] TLS/SSL support for requests
- [ ] Authentication by HTTP Header support
- [ ] Confidential computing support (e.g. Intel SGX)
## LICENSE
* Apache 2.0.