
Ledger vault

Connect the Ledger device to the system on which Signatory is running. Install the tezos-wallet and tezos-baker apps from Ledger Live.

Note: Developer mode might be needed to install the baker app (see Ledger Developer mode).

Configuration

| Name | Type | Required | Description |
|------|------|----------|-------------|
| id | string | | Ledger Device ID. Use first available device if not specified |
| keys | string array | | Managed key IDs |
| close_after | duration | OPTIONAL | Close device after a certain period of inactivity |

Keys & ID format and meaning

Syntax: derivation/bip32

Here bip32 is a BIP 0032 path and derivation is one of the derivation schemes: ed25519, secp256k1, p-256, secp256r1 (alias for p-256), bip25519, bip32-ed25519 (alias for bip25519). bip25519 is a BIP 0032 compliant scheme; the others use a custom hash chain.

The Ledger-specific root m/44'/1729' may be omitted.

Examples (equivalent): bip32-ed25519/m/44'/1729'/0'/0', bip32-ed25519/44'/1729'/0'/0', bip25519/0'/0'
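
The ID syntax above, as an added Go example (not Signatory's own code): a hypothetical NormalizeKeyID helper resolves the scheme aliases and restores an omitted root, so differently spelled IDs can be compared, for instance a keys entry against signatory-cli output. The canonical spelling it emits (bip25519, p-256, a leading m/) and the rule that a path starting with 44'/1729' already carries the root are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Scheme names from the page; the spelling kept per scheme is this example's choice.
var schemes = map[string]string{
	"ed25519": "ed25519", "secp256k1": "secp256k1",
	"p-256": "p-256", "secp256r1": "p-256",
	"bip25519": "bip25519", "bip32-ed25519": "bip25519",
}

// NormalizeKeyID (hypothetical helper) rewrites "derivation/bip32" with the
// alias resolved and the m/44'/1729' root made explicit.
func NormalizeKeyID(id string) (string, error) {
	scheme, path, ok := strings.Cut(id, "/")
	canon, known := schemes[scheme]
	if !ok || !known {
		return "", fmt.Errorf("%q: unknown or missing derivation scheme", id)
	}
	parts := strings.Split(strings.TrimPrefix(path, "m/"), "/")
	for _, p := range parts {
		// Each component is a 31-bit index, optionally hardened with '.
		if _, err := strconv.ParseUint(strings.TrimSuffix(p, "'"), 10, 31); err != nil {
			return "", fmt.Errorf("%q: bad path component %q", id, p)
		}
	}
	// The Ledger-specific root may be omitted; add it back when it is.
	if len(parts) < 2 || parts[0] != "44'" || parts[1] != "1729'" {
		parts = append([]string{"44'", "1729'"}, parts...)
	}
	return canon + "/m/" + strings.Join(parts, "/"), nil
}

func main() {
	// Constructed input: the page's three equivalent spellings, one other key, one typo.
	for _, k := range []string{"bip32-ed25519/m/44'/1729'/0'/0'",
		"bip32-ed25519/44'/1729'/0'/0'", "bip25519/0'/0'", "secp256k1/0'/1'", "ed25519/0'/x"} {
		if n, err := NormalizeKeyID(k); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println(k, "->", n)
		}
	}
}
```

Entries in a keys list that normalize to the same string name the same key on the device.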

Example

    vaults:
      ledger:
        driver: ledger
        config:
          id: 3944f7a0
          keys:
            - "bip32-ed25519/0'/0'"
            - "secp256k1/0'/1'"
          close_after: 3600s

close_after field in config

Configure this value as per your requirement. Because the time between the blocks assigned to your baker is not known in advance, it is better to configure it for at least a few hours so that the Ledger is not closed often due to inactivity.

Example:

    close_after: 3600s

Transports

By default the Ledger vault uses the usb transport. Another available transport is tcp, used primarily for interaction with the Speculos emulator. It can be enabled using the transport option:

    vaults:
      ledger:
        driver: ledger
        config:
          id: 3944f7a0
          transport: tcp://127.0.0.1:9999
          keys:
            - "bip32-ed25519/0'/0'"
            - "secp256k1/0'/1'"
          close_after: 3600s

In addition, the signatory-cli ledger command also accepts a -t / --transport key with the same URL-like syntax:

    signatory-cli ledger --transport 'tcp://127.0.0.1:9999' list

Getting data from ledger for signatory configuration using CLI

Keep the tezos-wallet app open for the commands below and for signing any wallet transactions. For every wallet transaction, Accept/Reject input must be provided on the Ledger when prompted.

    % ./signatory-cli list -c ./sig-ledger.yaml
    INFO[0000] Initializing vault vault=ledger vault_name=ledger
    Public Key Hash: tz1TrrJS7XU2WGJJEZcPxaB7cXWLd8pCL7SW
    Vault: Ledger
    ID: bip32-ed25519/44'/1729'/0'/0'
    Active: true
    Allowed Operations: [block endorsement generic]
    Allowed Kinds: [delegation endorsement origination reveal transaction]
    Public Key Hash: tz2ByDXtXn3Wj4k6DoJnyKHMA68xJvL1nBmV
    Vault: Ledger
    ID: secp256k1/44'/1729'/0'/1'

List all connected Ledgers

    % signatory-cli ledger list
    Path: IOService:/AppleARMPE/arm-io@10F00000/AppleT810xIO/usb-drd1@2280000/AppleT8103USBXHCI@01000000/usb-drd1-port-hs@01100000/USB2.1 Hub@01100000/AppleUSB20Hub@01100000/AppleUSB20HubPort@01130000/Nano S@01130000/Nano S@0/AppleUserUSBHostHIDDevice
    ID: tz1Qrqpz6bVUgZc5o5qARHB7j2v57z6knm55 / 3944f7a0
    Version: TezBake 2.2.11 a6fbd27f

Ledger device lock

Signatory acquires a read lock on the Ledger device while it is in operation. When the Signatory service is running with a valid configuration for a Ledger device, the signatory-cli binary will fail with the error "ledger: hidapi: failed to open device" when trying to list Ledgers. Only one process can acquire a read lock on the Ledger device.

Setup baking with signatory and ledger

Keep the tezos-baker app open for the configurations below and while the baker is running. No prompt is shown on the Ledger during signing operations.

    signatory-cli ledger setup-baking [--chain-id <chain_id>] [--main-hwm <hwm>] [--test-hwm <hwm>] [-d <device>] <path>

Example:

    signatory-cli ledger setup-baking -d 3944f7a0 "bip32-ed25519/44'/1729'/0'/0'"

Reset high water marks

    signatory-cli ledger set-high-watermark [-d <device>] <hwm>

Example:

    signatory-cli ledger set-high-watermark -d 3944f7a0 0