Release v1.2.0 - Ready for Rio, Now with AWS CloudHSM and DynamoDB

@github-actions github-actions released this 14 Apr 22:57

This release introduces significant new features, primarily focused on enhancing security and backend options with AWS CloudHSM support via PKCS#11 and an AWS DynamoDB watermark backend. It includes Tezos Rio protocol support, substantial documentation improvements, and internal refactoring for better maintainability and robustness.

New Features

  • AWS CloudHSM & PKCS#11 Vault Backend:
    • Introduced support for AWS CloudHSM via the new PKCS#11 vault backend (driver: pkcs11). This backend also allows Signatory to interface with other Hardware Security Modules (HSMs) and cryptographic tokens supporting the standard PKCS#11 interface.
    • Supports automatic discovery of keys on the token or manual configuration of specific key pairs via labels or IDs.
    • Includes specific handling (extended_private: true option) required for AWS CloudHSM, where public key data is read from the private key object handle.
    • Docker Image Integration: The official Signatory Docker images (Ubuntu-based) now include the necessary AWS CloudHSM client library, simplifying deployment in containerized environments. Users only need to mount their CloudHSM configuration.
    • CloudHSM Deprecation Notice: Users relying on AWS CloudHSM should be aware of potential deprecations affecting specific SDK versions or cryptographic mechanisms. Please refer to the official AWS CloudHSM Deprecation Notifications for current details. If you require assistance migrating from other signing solutions to Signatory to address these or other deprecations, please contact [email protected]. We operate under a mutual "pre-NDA" basis for such inquiries.
  • AWS DynamoDB Watermark Backend:
    • Added a new watermark backend (driver: aws) using AWS DynamoDB. This provides a persistent, distributed, and highly available watermark solution suitable for multi-instance Signatory deployments or cloud environments.
    • Automatically creates the DynamoDB table (watermark by default) if it doesn't exist on startup.
    • Configuration uses standard AWS credentials (environment variables recommended) and region settings. If the IAM role attached to the EC2 instance has been given DynamoDB permissions, Signatory will use those credentials automatically without needing to be configured.

Improvements & Refactoring

  • Atomic DynamoDB Watermark Updates: Refactored the AWS watermark backend to use a single, atomic DynamoDB PutItem operation with a conditional expression. This replaces the previous read-modify-write loop, improving robustness and performance by performing the safety check server-side.
  • Vault Interface Refactoring: The core Vault and KeyReference (previously StoredKey) interfaces were refactored:
    • Signing responsibility moved from the Vault to the key itself (KeyReference.Sign).
    • Vaults now load/enumerate keys during initialization (New), removing the need for a separate Unlock step for most backends.
    • Simplified Vault interface (List, Close, Name).
  • Policy Engine: Updated the policy engine to correctly recognize and handle Tezos pseudo-operations (e.g., stake, unstake) based on operation content, allowing for more granular signing policies.
  • Configuration: Added yaml:",inline" tag to AWS watermark configuration for a cleaner YAML structure.
  • Logging: Improved log messages for the AWS DynamoDB watermark backend to clearly indicate whether a new table was created or an existing one is being used.
  • Build/CI:
    • Updated GitHub Actions artifact upload/download steps to v4.
    • Integrated CloudHSM client installation into the Docker build process.
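
The atomic watermark update described under "Atomic DynamoDB Watermark Updates" above, as an added example that is not Signatory's own code and does not call the AWS SDK: an in-memory model of a conditional write, showing that when several signer instances request the same watermark, exactly one passes the check. The `Table` type, the key string, and the level/round comparison rule are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sync"
)

// Watermark: highest level/round already signed for a key (assumed shape).
type Watermark struct{ Level, Round int32 }

// above reports whether w is strictly higher than prev (assumed rule).
func (w Watermark) above(prev Watermark) bool {
	return w.Level > prev.Level || (w.Level == prev.Level && w.Round > prev.Round)
}

// Table is a hypothetical in-memory stand-in for a store with conditional
// writes: check and write happen under one lock, as in a conditional PutItem.
type Table struct {
	mu    sync.Mutex
	items map[string]Watermark
}

func NewTable() *Table { return &Table{items: make(map[string]Watermark)} }

// PutIfAbove stores w only if the key is absent or w is above the stored value.
func (t *Table) PutIfAbove(key string, w Watermark) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	if prev, ok := t.items[key]; ok && !w.above(prev) {
		return false // condition failed: the signing request must be refused
	}
	t.items[key] = w
	return true
}

// RaceSigners lets n concurrent instances request the same watermark and
// returns how many of them were allowed to sign.
func RaceSigners(t *Table, key string, w Watermark, n int) (allowed int) {
	results := make(chan bool, n)
	for i := 0; i < n; i++ {
		go func() { results <- t.PutIfAbove(key, w) }()
	}
	for i := 0; i < n; i++ {
		if <-results {
			allowed++
		}
	}
	return allowed
}

func main() {
	fmt.Println(RaceSigners(NewTable(), "constructed-key", Watermark{100, 0}, 8))
}
```

With a read-modify-write loop, two instances can both read the old value before either writes; folding the comparison into the write removes that window.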

Protocol Updates

  • Tezos Rio Protocol: This version of Signatory is fully compatible with the Tezos Rio protocol (Protocol Rio Reference). Compatibility has been validated on the Rio testnet since its genesis block.

Documentation

  • Major Overhaul: Significantly restructured and expanded documentation.
    • Added a central docs/watermarks.md page explaining the concept, importance, and backends.
    • Added a detailed docs/aws_dynamodb.md page covering configuration, table design, AWS CLI usage, and troubleshooting for the DynamoDB watermark backend.
    • Improved docs/pkcs11.md with clear explanations for AWS CloudHSM usage (esp. extended_private), automatic discovery, installation guidance, new Docker integration steps, and better examples. Added CloudHSM deprecation warnings.

Future Backend Support (Preview)

  • Work is underway to add support for AWS Nitro Enclaves. This future backend will provide secure, isolated compute environments for key management and signing operations directly within EC2 instances. This development is expected to pave the way for supporting BLS signatures within Signatory for Tezos and opens up interesting possibilities for leveraging other Trusted Execution Environments (TEEs) in the future. Stay tuned for its release in an upcoming version!