You are reading EthSigner development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

EthSigner command line

This reference describes the syntax of the EthSigner Command Line Interface (CLI) options. EthSigner signs transactions with a key stored in an encrypted file or an external vault (for example, Hashicorp):

  • ethsigner [Options] file-based-signer [File Options]
  • ethsigner [Options] hashicorp-signer [Hashicorp Options]
  • ethsigner [Options] azure-signer [Azure Options]
  • ethsigner [Options] multikey-signer [Multikey Options]

Note

Options

chain-id

Chain ID of the network to receive the signed transactions.

--chain-id=<chainId>
--chain-id=2017

data-path

Directory in which to store temporary files.

--data-path=<PATH>
--data-path=/Users/me/my_node/data

downstream-http-host

Host to which received requests are forwarded. Default is localhost.

--downstream-http-host=<downstreamHttpHost>
--downstream-http-host=192.168.05.14

downstream-http-path

Path to which received requests are forwarded. Default is /.

Might be required if connecting to a cloud-based Ethereum client such as Infura.

--downstream-http-path=<downstreamHttpPath>
--downstream-http-path=/v3/d0e63ca5bb1e4eef2284422efbc51a56

downstream-http-port

Port to which received requests are forwarded.

--downstream-http-port=<downstreamHttpPort>
--downstream-http-port=6174

downstream-http-request-timeout

Timeout period (in milliseconds) for downstream requests. Default is 5000.

--downstream-http-request-timeout=<downstreamHttpRequestTimeout>
--downstream-http-request-timeout=3000

downstream-http-tls-enabled

Enable or disable TLS for server connections. Defaults to false.

--downstream-http-tls-enabled[=<true|false>]
--downstream-http-tls-enabled

downstream-http-tls-ca-auth-enabled

Allow connections to servers with trusted CAs.

Defaults to true.

--downstream-http-tls-ca-auth-enabled[=<true|false>]
--downstream-http-tls-ca-auth-enabled=false

downstream-http-tls-keystore-file

Keystore file (in PKCS #12 format) that contains the private key and certificate presented to the server during authentication.

--downstream-http-tls-keystore-file=<keystoreFile>
--downstream-http-tls-keystore-file=/Users/me/my_node/keystore.pfx

downstream-http-tls-keystore-password-file

Password file used to decrypt the keystore.

--downstream-http-tls-keystore-password-file=<passwordFile>
--downstream-http-tls-keystore-password-file=/Users/me/my_node/password

downstream-http-tls-known-servers-file

File containing the hostnames, ports, and SHA256 certificate fingerprints of trusted servers.

--downstream-http-tls-known-servers-file=<serversFile>
--downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers

http-cors-origins

A list of domain URLs for CORS validation. You must enclose the URLs in double quotes and separate them with commas.

Listed domains can access the node using JSON-RPC. If your client interacts with EthSigner using a browser app (such as Remix or a block explorer), you must allow the client domains.

The default value is “none”. If you do not allow any domains, browser apps cannot interact with your EthSigner node.

Tip

For testing and development purposes, use "all" or "*" to accept requests from any domain. We don’t recommend accepting requests from any domain for production environments.

--http-cors-origins=<httpListenHost>
--http-cors-origins="http://remix.ethereum.org","http://medomain.com"

http-listen-host

Host on which JSON-RPC HTTP listens. Default is localhost.

--http-listen-host=<httpListenHost>
--http-listen-host=10.100.111.1

http-listen-port

Port on which JSON-RPC HTTP listens. Default is 8545.

--http-listen-port=<httpListenPort>
--http-listen-port=6174

logging

Logging verbosity levels. Options are: OFF, FATAL, WARN, INFO, DEBUG, TRACE, ALL. Default is INFO.

-l, --logging=<LOG VERBOSITY LEVEL>
--logging=DEBUG

help

Displays the help and exits.

-h, --help

tls-allow-any-client

Allows any client to connect.

Important

Cannot be used with --tls-allow-ca-clients and --tls-known-clients-file.

--tls-allow-any-client

tls-allow-ca-clients

Allows clients signed with trusted CA certificates to connect.

--tls-allow-ca-clients

tls-keystore-file

PKCS #12 formatted keystore. Used to enable TLS for client connections.

--tls-keystore-file=<keystoreFile>
--tls-keystore-file=/Users/me/my_node/certificate.pfx

tls-keystore-password-file

Password file used to decrypt the keystore.

--tls-keystore-password-file=<passwordFile>
--tls-keystore-password-file=/Users/me/my_node/password

tls-known-clients-file

File containing the SHA-256 fingerprints of authorized clients.

--tls-known-clients-file=<clientsFile>
--tls-known-clients-file=/Users/me/my_node/knownClients

version

Displays the version and exits.

-V, --version
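
The following is an added example, not part of the EthSigner documentation or code base: a pre-launch check that scans an EthSigner argument list for the settings this reference warns about (CORS open to any domain, --tls-allow-any-client and its conflicting options). The function name and finding labels are hypothetical, and the two "without TLS" findings for non-local hosts are hardening checks assumed here, based on the defaults listed above.

```shell
# Added example (not EthSigner project code): audit an EthSigner argument list
# for risky or conflicting settings described in this reference.
# The function name and finding labels are hypothetical.
audit_ethsigner_args() (
  any=0 ca=0 known=0 keystore=0 down_tls=0
  listen=localhost down=localhost findings=
  add() { findings="${findings:+$findings }$1"; }
  is_local() { case "$1" in localhost|127.0.0.1|::1) return 0 ;; esac; return 1; }
  for arg in "$@"; do
    val=${arg#*=}
    case "$arg" in
      --http-cors-origins=*)
        # "all" or "*" accepts requests from any domain (testing only).
        case ",$(printf '%s' "$val" | tr -d '"')," in
          *,all,*|*,\*,*) add CORS_ANY_ORIGIN ;;
        esac ;;
      --http-listen-host=*) listen=$val ;;
      --downstream-http-host=*) down=$val ;;
      # Bare flag or =true enables downstream TLS; the default is false.
      --downstream-http-tls-enabled|--downstream-http-tls-enabled=true) down_tls=1 ;;
      --downstream-http-tls-enabled=false) down_tls=0 ;;
      --tls-keystore-file=*) keystore=1 ;;
      --tls-allow-any-client) any=1 ;;
      --tls-allow-ca-clients) ca=1 ;;
      --tls-known-clients-file=*) known=1 ;;
    esac
  done
  if [ "$any" = 1 ]; then add TLS_ANY_CLIENT; fi
  # --tls-allow-any-client cannot be combined with the two allow-list options.
  if [ "$any" = 1 ] && [ "$ca$known" != 00 ]; then add TLS_CLIENT_OPTION_CONFLICT; fi
  # Assumed hardening checks: non-local endpoints should use TLS.
  if ! is_local "$listen" && [ "$keystore" = 0 ]; then add LISTEN_WITHOUT_TLS; fi
  if ! is_local "$down" && [ "$down_tls" = 0 ]; then add DOWNSTREAM_WITHOUT_TLS; fi
  # Print findings on one line; exit status 1 signals that something was found.
  if [ -n "$findings" ]; then printf '%s\n' "$findings"; exit 1; fi
)

# Constructed sample invocation using example paths from this page.
audit_ethsigner_args --chain-id=2017 \
  --tls-keystore-file=/Users/me/my_node/certificate.pfx \
  --tls-allow-any-client \
  --tls-known-clients-file=/Users/me/my_node/knownClients || true
```

The function exits with status 0 and prints nothing when no finding applies, so it can gate a start-up script.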

File options

key-file

File containing key with which transactions are signed.

-k, --key-file=<keyFile>
--key-file=/Users/me/my_node/transactionKey

password-file

File containing password for the key with which transactions are signed.

-p, --password-file=<passwordFile>
--password-file=/Users/me/my_node/password

Hashicorp options

auth-file

File containing authentication data for Hashicorp Vault. The authentication data is the root token displayed by the Hashicorp Vault server.

--auth-file=<authFile>
--auth-file=/Users/me/my_node/auth_file

host

Host of the Hashicorp Vault server. Default is localhost.

--host=<serverHost>
--host="http://host.com"

port

Port of the Hashicorp Vault server. Default is 8200.

--port=<serverPort>
--port=23000

signing-key-path

Path to secret in the Hashicorp Vault containing the private key for signing transactions. Default is /secret/data/ethsignerSigningKey.

--signing-key-path=<signingKeyPath>
--signing-key-path=/my_secret/ethsignerSigningKey

timeout

Timeout in milliseconds for requests to the Hashicorp Vault server. Default is 10000.

--timeout=<timeout>
--timeout=5000

tls-enabled

Connect to Hashicorp Vault server using TLS. Default is true.

--tls-enabled[=<true|false>]
--tls-enabled=false

tls-known-server-file

File containing the hostname, port, and SHA256 certificate fingerprint of the Hashicorp Vault server.

--tls-known-server-file=<hashicorpServerFile>
--tls-known-server-file=/Users/me/my_node/knownHashicorpServers

Azure options

client-id

ID used to authenticate with Azure Key Vault.

--client-id=<clientID>
--client-id="MyClientID"

client-secret-path

Path to file containing secret used to access the vault.

--client-secret-path=<clientSecretPath>
--client-secret-path=/Path/MySecret

key-name

Name of key to be used.

--key-name=<keyName>
--key-name="MyKey"

key-version

Version of the specified key to use.

--key-version=<keyVersion>
--key-version="7c01fe58d68148bba5824ce418241092"

keyvault-name

Name of the vault to access. Sub-domain of vault.azure.net.

--keyvault-name=<keyVaultName>
--keyvault-name="MyKeyVault"

Multikey Options

directory

Path to the directory containing the TOML files required to access keys.

--directory=<directoryPath>
--directory=/Users/me/keys