github.com/DFWallet/tendermint-cosmos@v0.0.2/docs/tools/remote-signer-validation.md (about) 1 # tm-signer-harness 2 3 Located under the `tools/tm-signer-harness` folder in the [Tendermint 4 repository](https://github.com/DFWallet/tendermint-cosmos). 5 6 The Tendermint remote signer test harness facilitates integration testing 7 between Tendermint and remote signers such as 8 [KMS](https://github.com/tendermint/kms). Such remote signers allow for signing 9 of important Tendermint messages using 10 [HSMs](https://en.wikipedia.org/wiki/Hardware_security_module), providing 11 additional security. 12 13 When executed, `tm-signer-harness`: 14 15 1. Runs a listener (either TCP or Unix sockets). 16 2. Waits for a connection from the remote signer. 17 3. Upon connection from the remote signer, executes a number of automated tests 18 to ensure compatibility. 19 4. Upon successful validation, the harness process exits with a 0 exit code. 20 Upon validation failure, it exits with a particular exit code related to the 21 error. 22 23 ## Prerequisites 24 25 Requires the same prerequisites as for building 26 [Tendermint](https://github.com/DFWallet/tendermint-cosmos). 27 28 ## Building 29 30 From the `tools/tm-signer-harness` directory in your Tendermint source 31 repository, simply run: 32 33 ```bash 34 make 35 36 # To have global access to this executable 37 make install 38 ``` 39 40 ## Docker Image 41 42 To build a Docker image containing the `tm-signer-harness`, also from the 43 `tools/tm-signer-harness` directory of your Tendermint source repo, simply run: 44 45 ```bash 46 make docker-image 47 ``` 48 49 ## Running against KMS 50 51 As an example of how to use `tm-signer-harness`, the following instructions show 52 you how to execute its tests against [KMS](https://github.com/tendermint/kms). 53 For this example, we will make use of the **software signing module in KMS**, as 54 the hardware signing module requires a physical 55 [YubiHSM](https://www.yubico.com/products/yubihsm/) device. 56 57 ### Step 1: Install KMS on your local machine 58 59 See the [KMS repo](https://github.com/tendermint/kms) for details on how to set 60 KMS up on your local machine. 61 62 If you have [Rust](https://www.rust-lang.org/) installed on your local machine, 63 you can simply install KMS by: 64 65 ```bash 66 cargo install tmkms 67 ``` 68 69 ### Step 2: Make keys for KMS 70 71 The KMS software signing module needs a key with which to sign messages. In our 72 example, we will simply export a signing key from our local Tendermint instance. 73 74 ```bash 75 # Will generate all necessary Tendermint configuration files, including: 76 # - ~/.tendermint/config/priv_validator_key.json 77 # - ~/.tendermint/data/priv_validator_state.json 78 tendermint init 79 80 # Extract the signing key from our local Tendermint instance 81 tm-signer-harness extract_key \ # Use the "extract_key" command 82 -tmhome ~/.tendermint \ # Where to find the Tendermint home directory 83 -output ./signing.key # Where to write the key 84 ``` 85 86 Also, because we want KMS to connect to `tm-signer-harness`, we will need to 87 provide a secret connection key from KMS' side: 88 89 ```bash 90 tmkms keygen secret_connection.key 91 ``` 92 93 ### Step 3: Configure and run KMS 94 95 KMS needs some configuration to tell it to use the softer signing module as well 96 as the `signing.key` file we just generated. Save the following to a file called 97 `tmkms.toml`: 98 99 ```toml 100 [[validator]] 101 addr = "tcp://127.0.0.1:61219" # This is where we will find tm-signer-harness. 102 chain_id = "test-chain-0XwP5E" # The Tendermint chain ID for which KMS will be signing (found in ~/.tendermint/config/genesis.json). 103 reconnect = true # true is the default 104 secret_key = "./secret_connection.key" # Where to find our secret connection key. 105 106 [[providers.softsign]] 107 id = "test-chain-0XwP5E" # The Tendermint chain ID for which KMS will be signing (same as validator.chain_id above). 108 path = "./signing.key" # The signing key we extracted earlier. 109 ``` 110 111 Then run KMS with this configuration: 112 113 ```bash 114 tmkms start -c tmkms.toml 115 ``` 116 117 This will start KMS, which will repeatedly try to connect to 118 `tcp://127.0.0.1:61219` until it is successful. 119 120 ### Step 4: Run tm-signer-harness 121 122 Now we get to run the signer test harness: 123 124 ```bash 125 tm-signer-harness run \ # The "run" command executes the tests 126 -addr tcp://127.0.0.1:61219 \ # The address we promised KMS earlier 127 -tmhome ~/.tendermint # Where to find our Tendermint configuration/data files. 128 ``` 129 130 If the current version of Tendermint and KMS are compatible, `tm-signer-harness` 131 should now exit with a 0 exit code. If they are somehow not compatible, it 132 should exit with a meaningful non-zero exit code (see the exit codes below). 133 134 ### Step 5: Shut down KMS 135 136 Simply hit Ctrl+Break on your KMS instance (or use the `kill` command in Linux) 137 to terminate it gracefully. 138 139 ## Exit Code Meanings 140 141 The following list shows the various exit codes from `tm-signer-harness` and 142 their meanings: 143 144 | Exit Code | Description | 145 | --- | --- | 146 | 0 | Success! | 147 | 1 | Invalid command line parameters supplied to `tm-signer-harness` | 148 | 2 | Maximum number of accept retries reached (the `-accept-retries` parameter) | 149 | 3 | Failed to load `${TMHOME}/config/genesis.json` | 150 | 4 | Failed to create listener specified by `-addr` parameter | 151 | 5 | Failed to start listener | 152 | 6 | Interrupted by `SIGINT` (e.g. when hitting Ctrl+Break or Ctrl+C) | 153 | 7 | Other unknown error | 154 | 8 | Test 1 failed: public key mismatch | 155 | 9 | Test 2 failed: signing of proposals failed | 156 | 10 | Test 3 failed: signing of votes failed |