Subcommands
The Web3Signer subcommands are used to specify the platform being used:
web3signer [Options] eth2 [Eth2 Options]
web3signer [Options] eth2 export [Eth2 Export Options]
web3signer [Options] eth2 import [Eth2 Import Options]
web3signer [Options] eth1
web3signer [Options] filecoin [Filecoin Options]
Specifying subcommand options
The subcommand must be specified on the command line, but the subcommand options can be specified:
- On the command line
- As environment variables
- In a YAML configuration file.
For example, you can set the options for the filecoin subcommand in an environment variable (export WEB3SIGNER_FILECOIN_NETWORK=TESTNET), but the subcommand must be specified on the command line.
Example
web3signer --key-store-path=/Users/me/keyFiles/ filecoin
Environment variables
For each subcommand option, the equivalent environment variable is:
- Upper-case
- _ replaces -
- Has a WEB3SIGNER_ + <SIGNING_OPTION>_ prefix. For example, set filecoin --network using the WEB3SIGNER_FILECOIN_NETWORK environment variable.
Note
Only subcommand options can be set in environment variables. The actual subcommand must be specified in the command line.
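The naming rule above, as an added shell example (not part of the Web3Signer documentation): env_name derives the variable name for a subcommand option, and lint_cmdline reports options whose values are credentials so they can be moved off the command line, where they are visible in process listings. The function names and the SECRET_OPTS list are assumptions made for this example; the options in it are taken from this page.

```shell
#!/bin/sh
# Added example; env_name, lint_cmdline and SECRET_OPTS are hypothetical names.

# Options documented on this page whose values are credentials.
SECRET_OPTS="azure-client-secret slashing-protection-db-password"

# env_name SUBCOMMAND OPTION
# Applies the page's rule: WEB3SIGNER_<SUBCOMMAND>_ prefix, upper-case,
# "-" replaced by "_". A two-word subcommand ("eth2 export") is joined by "_".
env_name() {
    printf 'WEB3SIGNER_%s_%s\n' "$1" "${2#--}" |
        tr '[:lower:]' '[:upper:]' | tr ' -' '__'
}

# lint_cmdline SUBCOMMAND ARG...
# Prints one line per credential-bearing option found among ARG..., naming
# the environment variable to use instead. Returns 1 if any was found.
lint_cmdline() {
    lint_sub=$1
    shift
    lint_found=0
    for lint_arg in "$@"; do
        case $lint_arg in
            --*=*) lint_name=${lint_arg%%=*}; lint_name=${lint_name#--} ;;
            --*)   lint_name=${lint_arg#--} ;;
            *)     continue ;;
        esac
        for lint_secret in $SECRET_OPTS; do
            if [ "$lint_name" = "$lint_secret" ]; then
                printf 'move --%s to %s\n' "$lint_name" \
                    "$(env_name "$lint_sub" "--$lint_name")"
                lint_found=1
            fi
        done
    done
    return $lint_found
}

# Constructed sample command line (values are placeholders, not real secrets).
lint_cmdline eth2 --network=mainnet \
    --azure-client-secret=PLACEHOLDER \
    --slashing-protection-db-password=PLACEHOLDER || true
```

The subcommand itself (eth2 in the sample) still has to stay on the command line; only its options move to the environment.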
View help
To view the command line help for the subcommands:
Options
eth1
eth2
azure-vault-enabled
--azure-vault-enabled=<BOOLEAN>
--azure-vault-enabled=true
WEB3SIGNER_ETH2_AZURE_VAULT_ENABLED=true
eth2.azure-vault-enabled: true
Allow Web3Signer to bulk load all keys from the specified Azure Vault.
azure-client-id
--azure-client-id=<STRING>
--azure-client-id=87efaa5b-4029-4b54-98bb2e2e8a11
WEB3SIGNER_ETH2_AZURE_CLIENT_ID=87efaa5b-4029-4b54-98bb2e2e8a11
eth2.azure-client-id: "87efaa5b-4029-4b54-98bb2e2e8a11"
ID used to authenticate with Azure Key Vault.
Required when --azure-vault-auth-mode is CLIENT_SECRET or USER_ASSIGNED_MANAGED_IDENTITY.
azure-client-secret
--azure-client-secret=<STRING>
--azure-client-secret=0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z
WEB3SIGNER_ETH2_AZURE_CLIENT_SECRET=0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z
eth2.azure-client-secret: "0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z"
The secret used to access the vault along with the ID specified in azure-client-id.
azure-tenant-id
--azure-tenant-id=<STRING>
--azure-tenant-id=34255fb0-379b-4a1a-bd47-d211ab86df81
WEB3SIGNER_ETH2_AZURE_TENANT_ID=34255fb0-379b-4a1a-bd47-d211ab86df81
eth2.azure-tenant-id: "34255fb0-379b-4a1a-bd47-d211ab86df81"
The tenant ID of the Azure Portal instance being used.
azure-vault-auth-mode
--azure-vault-auth-mode=<STRING>
--azure-vault-auth-mode=USER_ASSIGNED_MANAGED_IDENTITY
WEB3SIGNER_ETH2_AZURE_VAULT_AUTH_MODE=USER_ASSIGNED_MANAGED_IDENTITY
eth2.azure-vault-auth-mode: "USER_ASSIGNED_MANAGED_IDENTITY"
Authentication mode for Azure Vault. Options are CLIENT_SECRET, SYSTEM_ASSIGNED_MANAGED_IDENTITY, and USER_ASSIGNED_MANAGED_IDENTITY. Defaults to CLIENT_SECRET.
Set --azure-client-id if using CLIENT_SECRET or USER_ASSIGNED_MANAGED_IDENTITY.
azure-vault-name
--azure-vault-name=<STRING>
--azure-vault-name=AzureKeyVault
WEB3SIGNER_ETH2_AZURE_VAULT_NAME=AzureKeyVault
eth2.azure-vault-name: "AzureKeyVault"
Name of the vault to access. Sub-domain of vault.azure.net.
network
--network=<NETWORK>
--network=mainnet
WEB3SIGNER_ETH2_NETWORK=mainnet
eth2.network: "mainnet"
Predefined network configuration. Accepts a predefined network name, or file path or URL to a YAML configuration file. See the Ethereum 2.0 specification for examples.
The default is mainnet.
Important
If Teku connects to a network other than mainnet, then this option must be specified, and it must match the --network value of the connected Teku client.
Possible values are:
Network | Chain | Type | Description |
---|---|---|---|
mainnet | Eth 2.0 | Production | Main network. |
minimal | Eth 2.0 | Test | Used for local testing and development networks. |
pyrmont | Eth 2.0 | Test | Multi-client testnet. |
prater | Eth 2.0 | Test | Multi-client testnet. |
slashing-protection-db-password
--slashing-protection-db-password=<PASSWORD>
--slashing-protection-db-password=changeme
WEB3SIGNER_ETH2_SLASHING_PROTECTION_DB_PASSWORD=changeme
eth2.slashing-protection-db-password: "changeme"
The password to connect to the slashing protection database.
slashing-protection-db-pool-configuration-file
--slashing-protection-db-pool-configuration-file=<FILE>
--slashing-protection-db-pool-configuration-file=/Users/me/config/HikariConfig.properties
WEB3SIGNER_ETH2_SLASHING_PROTECTION_DB_POOL_CONFIGURATION_FILE=/Users/me/config/HikariConfig.properties
eth2.slashing-protection-db-pool-configuration-file: "/Users/me/config/HikariConfig.properties"
HikariCP connection pool configuration file.
Web3Signer uses HikariCP to manage database connections, and uses the default configuration values. The defaults perform well in most deployments, but you can override them with this option.
slashing-protection-db-url
--slashing-protection-db-url=<JDBC_URL>
--slashing-protection-db-url=jdbc:postgresql://localhost/web3signer
WEB3SIGNER_ETH2_SLASHING_PROTECTION_DB_URL=jdbc:postgresql://localhost/web3signer
eth2.slashing-protection-db-url: "jdbc:postgresql://localhost/web3signer"
The Java Database Connectivity (JDBC) URL of the slashing protection database.
Note
If using a non-default port number for your PostgreSQL database, then include the port number in the database URL.
slashing-protection-db-username
--slashing-protection-db-username=<USERNAME>
--slashing-protection-db-username=postgres
WEB3SIGNER_ETH2_SLASHING_PROTECTION_DB_USERNAME=postgres
eth2.slashing-protection-db-username: "postgres"
The username to use when connecting to the slashing protection database.
slashing-protection-enabled
--slashing-protection-enabled=<BOOLEAN>
--slashing-protection-enabled=false
WEB3SIGNER_ETH2_SLASHING_PROTECTION_ENABLED=false
eth2.slashing-protection-enabled: false
Enables Web3Signer slashing protection. If true, then all signing operations are validated against historical data before signing.
The default is true.
slashing-protection-pruning-at-boot-enabled
--slashing-protection-pruning-at-boot-enabled=<BOOLEAN>
--slashing-protection-pruning-at-boot-enabled=false
WEB3SIGNER_ETH2_SLASHING_PROTECTION_PRUNING_AT_BOOT_ENABLED=false
eth2.slashing-protection-pruning-at-boot-enabled: false
When set to false, slashing protection database pruning is disabled at boot and only takes place at the scheduled pruning intervals.
The default is true.
slashing-protection-pruning-enabled
--slashing-protection-pruning-enabled=<BOOLEAN>
--slashing-protection-pruning-enabled=true
WEB3SIGNER_ETH2_SLASHING_PROTECTION_PRUNING_ENABLED=true
eth2.slashing-protection-pruning-enabled: true
Enables slashing protection database pruning.
The default is false.
slashing-protection-pruning-epochs-to-keep
--slashing-protection-pruning-epochs-to-keep=<LONG>
--slashing-protection-pruning-epochs-to-keep=12000
WEB3SIGNER_ETH2_SLASHING_PROTECTION_PRUNING_EPOCHS_TO_KEEP=12000
eth2.slashing-protection-pruning-epochs-to-keep: 12000
Number of epochs to keep when pruning the slashing protection database.
The default is 10000.
slashing-protection-pruning-interval
--slashing-protection-pruning-interval=<LONG>
--slashing-protection-pruning-interval=48
WEB3SIGNER_ETH2_SLASHING_PROTECTION_PRUNING_INTERVAL=48
eth2.slashing-protection-pruning-interval: 48
Hours between slashing protection database pruning operations.
The default is 24.
slashing-protection-pruning-slots-per-epoch
--slashing-protection-pruning-slots-per-epoch=<LONG>
--slashing-protection-pruning-slots-per-epoch=20
WEB3SIGNER_ETH2_SLASHING_PROTECTION_PRUNING_SLOTS_PER_EPOCH=20
eth2.slashing-protection-pruning-slots-per-epoch: 20
Number of slots per epoch. This number multiplied by the number of epochs to keep determines what blocks to keep when pruning the slashing protection database.
The default is 32 as defined on MainNet.
eth2 export
Exports the slashing protection database to a file.
to
--to=<FILE>
--to=/Users/me/my_node/interchange.json
WEB3SIGNER_ETH2_EXPORT_TO=/Users/me/my_node/interchange.json
eth2.export.to: /Users/me/my_node/interchange.json
The file to export the slashing protection database to. The exported file uses the validator client interchange format.
eth2 import
Import a slashing protection database from a file.
from
--from=<FILE>
--from=/Users/me/my_node/interchange.json
WEB3SIGNER_ETH2_IMPORT_FROM=/Users/me/my_node/interchange.json
eth2.import.from: /Users/me/my_node/interchange.json
The file to import the slashing protection database from. The file must be formatted in the validator client interchange format.
filecoin
network
--network=<NETWORK>
--network=TESTNET
WEB3SIGNER_FILECOIN_NETWORK=TESTNET
filecoin.network: "TESTNET"
Predefined network configuration. Accepts a predefined network name. The default is TESTNET.