EthSigner command line

This reference describes the syntax of the EthSigner Command Line Interface (CLI) options. EthSigner signs transactions with a key stored in an encrypted file or an external vault (for example, Hashicorp):

  • ethsigner [Options] file-based-signer [File Options]
  • ethsigner [Options] hashicorp-signer [Hashicorp Options]
  • ethsigner [Options] azure-signer [Azure Options]
  • ethsigner [Options] multikey-signer [Multikey Options]

Options

chain-id

Chain ID of the network to receive the signed transactions.

--chain-id=<chainId>
--chain-id=2017

data-path

Directory in which to store temporary files.

--data-path=<PATH>
--data-path=/Users/me/my_node/data

downstream-http-host

Host of the endpoint to which received requests are forwarded. Default is localhost.

--downstream-http-host=<downstreamHttpHost>
--downstream-http-host=192.168.05.14

downstream-http-port

Port of the endpoint to which received requests are forwarded.

--downstream-http-port=<downstreamHttpPort>
--downstream-http-port=6174

downstream-http-request-timeout

Timeout period (in milliseconds) for downstream requests. Default is 5000.

--downstream-http-request-timeout=<downstreamHttpRequestTimeout>
--downstream-http-request-timeout=3000

downstream-http-tls-enabled

Enable or disable TLS for server connections. Defaults to false.

--downstream-http-tls-enabled[=<true|false>]
--downstream-http-tls-enabled

downstream-http-tls-ca-auth-enabled

Allow connections to servers with trusted CAs.

Defaults to true.

--downstream-http-tls-ca-auth-enabled[=<true|false>]
--downstream-http-tls-ca-auth-enabled=false

downstream-http-tls-keystore-file

Keystore file (in PKCS #12 format) that contains the private key and certificate presented to the server during authentication.

--downstream-http-tls-keystore-file=<keystoreFile>
--downstream-http-tls-keystore-file=/Users/me/my_node/keystore.pfx

downstream-http-tls-keystore-password-file

Password file used to decrypt the keystore.

--downstream-http-tls-keystore-password-file=<passwordFile>
--downstream-http-tls-keystore-password-file=/Users/me/my_node/password

downstream-http-tls-known-servers-file

File containing the hostnames, ports, and SHA256 certificate fingerprints of trusted servers.

--downstream-http-tls-known-servers-file=<serversFile>
--downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers

http-listen-host

Host on which JSON-RPC HTTP listens. Default is localhost.

--http-listen-host=<httpListenHost>
--http-listen-host=8.8.8.8

http-listen-port

Port on which JSON-RPC HTTP listens. Default is 8545.

--http-listen-port=<httpListenPort>
--http-listen-port=6174

logging

Logging verbosity levels. Options are: OFF, FATAL, WARN, INFO, DEBUG, TRACE, ALL. Default is INFO.

-l, --logging=<LOG VERBOSITY LEVEL>
--logging=DEBUG

help

Displays the help and exits.

-h, --help

tls-allow-any-client

Allows any client to connect.

Important

Cannot be used with --tls-allow-ca-clients and --tls-known-clients-file.

--tls-allow-any-client

tls-allow-ca-clients

Allows clients signed with trusted CA certificates to connect.

--tls-allow-ca-clients

tls-keystore-file

PKCS #12 formatted keystore. Used to enable TLS for client connections.

--tls-keystore-file=<keystoreFile>
--tls-keystore-file=/Users/me/my_node/certificate.pfx

tls-keystore-password-file

Password file used to decrypt the keystore.

--tls-keystore-password-file=<passwordFile>
--tls-keystore-password-file=/Users/me/my_node/password

tls-known-clients-file

File containing the SHA-256 fingerprints of authorized clients.

--tls-known-clients-file=<clientsFile>
--tls-known-clients-file=/Users/me/my_node/knownClients

version

Displays the version and exits.

-V, --version

File options

key-file

File containing key with which transactions are signed.

-k, --key-file=<keyFile>
--key-file=/Users/me/my_node/transactionKey

password-file

File containing password for the key with which transactions are signed.

-p, --password-file=<passwordFile>
--password-file=/Users/me/my_node/password

Hashicorp options

auth-file

File containing authentication data for Hashicorp Vault. The authentication data is the root token displayed by the Hashicorp Vault server.

--auth-file=<authFile>
--auth-file=/Users/me/my_node/auth_file

host

Host of the Hashicorp Vault server. Default is localhost.

--host=<serverHost>
--host="http://host.com"

port

Port of the Hashicorp Vault server. Default is 8200.

--port=<serverPort>
--port=23000

signing-key-path

Path to secret in the Hashicorp Vault containing the private key for signing transactions. Default is /secret/data/ethsignerSigningKey.

--signing-key-path=<signingKeyPath>
--signing-key-path=/my_secret/ethsignerSigningKey

timeout

Timeout in milliseconds for requests to the Hashicorp Vault server. Default is 10000.

--timeout=<timeout>
--timeout=5000

tls-enabled

Connect to Hashicorp Vault server using TLS. Default is true.

--tls-enabled[=<true|false>]
--tls-enabled=false

tls-known-server-file

File containing the hostname, port, and SHA256 certificate fingerprint of the Hashicorp Vault server.

--tls-known-server-file=<hashicorpServerFile>
--tls-known-server-file=/Users/me/my_node/knownHashicorpServers

Azure options

client-id

ID used to authenticate with Azure Key Vault.

--client-id=<clientID>
--client-id="MyClientID"

client-secret-path

Path to file containing secret used to access the vault.

--client-secret-path=<clientSecretPath>
--client-secret-path=/Path/MySecret

key-name

Name of key to be used.

--key-name=<keyName>
--key-name="MyKey"

key-version

Version of the specified key to use.

--key-version=<keyVersion>
--key-version="7c01fe58d68148bba5824ce418241092"

keyvault-name

Name of the vault to access. Sub-domain of vault.azure.net.

--keyvault-name=<keyVaultName>
--keyvault-name="MyKeyVault"

Multikey options

directory

Path to the directory containing the TOML files required to access keys.

--directory=<directoryPath>
--directory=/Users/me/keys
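
The following pre-flight check is an added example, not part of EthSigner or its documentation. It lints an ethsigner command line against the option constraints described in this reference. The function name, the message wording, and every check other than the --tls-allow-any-client exclusion rule are assumptions chosen as hardening policy.

```shell
#!/bin/sh
# Added example (not EthSigner code): lint an ethsigner command line before launch.
# Prints one finding per line; returns 0 when clean, 1 when anything was reported.
_finding() { echo "$1"; l_n=$((l_n + 1)); }

lint_ethsigner_args() {
    l_any=0; l_ca=0; l_known=0; l_ks=0; l_host=localhost; l_n=0
    for l_arg in "$@"; do
        case "$l_arg" in
            --tls-allow-any-client)      l_any=1 ;;
            --tls-allow-ca-clients)      l_ca=1 ;;
            --tls-known-clients-file=*)  l_known=1 ;;
            --tls-keystore-file=*)       l_ks=1 ;;
            --http-listen-host=*)        l_host=${l_arg#*=} ;;
            # Hashicorp option; the documented default is true (policy check).
            --tls-enabled=false)
                _finding "WARN: --tls-enabled=false: connection to Hashicorp Vault is not protected by TLS" ;;
        esac
    done
    # Documented rule: --tls-allow-any-client excludes the other two client modes.
    if [ "$l_any" -eq 1 ] && [ $((l_ca + l_known)) -gt 0 ]; then
        _finding "ERROR: --tls-allow-any-client cannot be combined with --tls-allow-ca-clients or --tls-known-clients-file"
    fi
    # Assumption: client-authentication options only matter once
    # --tls-keystore-file has enabled TLS for client connections.
    if [ "$l_ks" -eq 0 ] && [ $((l_any + l_ca + l_known)) -gt 0 ]; then
        _finding "ERROR: client TLS options given without --tls-keystore-file"
    fi
    # Policy check: a signing endpoint reachable off-host should use TLS.
    case "$l_host" in
        localhost|127.0.0.1) ;;
        *) if [ "$l_ks" -eq 0 ]; then
               _finding "WARN: listening on $l_host without --tls-keystore-file"
           fi ;;
    esac
    [ "$l_n" -eq 0 ]
}

# Constructed sample command line (paths are placeholders, not from the page).
lint_ethsigner_args --http-listen-host=0.0.0.0 --tls-allow-any-client \
    --tls-known-clients-file=/etc/ethsigner/knownClients \
    hashicorp-signer --tls-enabled=false || true
```

Run the function with the same arguments you intend to pass to ethsigner and refuse to start the service when it returns non-zero.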