Skip to content
You are reading EthSigner development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

EthSigner command line

This reference describes the syntax of the EthSigner Command Line Interface (CLI) options.

Specifying Options

Eth2Signer options can be specified:

If you specify an option in more than one place, the order of priority is command line, environment variable, configuration file.

Environment variables

For each command line option, the equivalent environment variable is:

  • Upper-case
  • _ replaces -
  • Has an ETHSIGNER_ prefix

For example, set --data-path using the ETHSIGNER_DATA_PATH environment variable.

You can include subcommand options as environment variables as well, for example set multikey-signer --directory using the ETHSIGNER_MULTIKEY_SIGNER_DIRECTORY environment variable.

Options

config-file

The path to the TOML configuration file. The default is none.

--config-file=<FILE>
--config-file=/home/me/me_node/config.toml
ETHSIGNER_CONFIG_FILE=/home/me/me_node/config.toml

chain-id

Chain ID of the network to receive the signed transactions.

--chain-id=<chainId>
--chain-id=2017
ETHSIGNER_CHAIN_ID=2017
chain-id=2017

data-path

Directory in which to store temporary files.

--data-path=<PATH>
--data-path=/Users/me/my_node/data
ETHSIGNER_DATA_PATH=/Users/me/my_node/data
data-path="/Users/me/my_node/data"

downstream-http-host

Host to which received requests are forwarded. Default is localhost.

--downstream-http-host=<downstreamHttpHost>
--downstream-http-host=192.168.05.14
ETHSIGNER_DOWNSTREAM_HTTP_HOST=192.168.05.14
downstream-http-host="192.168.05.14"

downstream-http-path

Path to which received requests are forwarded. Default is /.

Might be required if connecting to a cloud-based Ethereum client such as Infura.

--downstream-http-path=<downstreamHttpPath>
--downstream-http-path=/v3/d0e63ca5bb1e4eef2284422efbc51a56
ETHSIGNER_DOWNSTREAM_HTTP_PATH=/v3/d0e63ca5bb1e4eef2284422efbc51a56
downstream-http-path="/v3/d0e63ca5bb1e4eef2284422efbc51a56"

downstream-http-port

Port to which received requests are forwarded.

--downstream-http-port=<downstreamHttpPort>
--downstream-http-port=6174
ETHSIGNER_DOWNSTREAM_HTTP_PORT=6174
downstream-http-port=6174

downstream-http-request-timeout

Timeout period (in milliseconds) for downstream requests. Default is 5000.

--downstream-http-request-timeout=<downstreamHttpRequestTimeout>
--downstream-http-request-timeout=3000
ETHSIGNER_DOWNSTREAM_HTTP_REQUEST_TIMOUT=3000
downstream-http-request-timeout=3000

downstream-http-tls-enabled

Enable or disable TLS for server connections. Defaults to false.

--downstream-http-tls-enabled[=<true|false>]
--downstream-http-tls-enabled
ETHSIGNER_DOWNSTREAM_HTTP_TLS_ENABLED
downstream-http-tls-enabled

downstream-http-tls-ca-auth-enabled

Allow connections to servers with trusted CAs.

Defaults to true.

--downstream-http-tls-ca-auth-enabled[=<true|false>]
--downstream-http-tls-ca-auth-enabled=false
ETHSIGNER_DOWNSTREAM_HTTP_TLS_CA_AUTH_ENABLED=false
downstream-http-tls-ca-auth-enabled=false

downstream-http-tls-keystore-file

Keystore file (in PKCS #12 format) that contains the private key and certificate presented to the server during authentication.

--downstream-http-tls-keystore-file=<keystoreFile>
--downstream-http-tls-keystore-file=/Users/me/my_node/keystore.pfx
ETHSIGNER_DOWNSTREAM_HTTP_TLS_KEYSTORE_FILE=/Users/me/my_node/keystore.pfx
downstream-http-tls-keystore-file="/Users/me/my_node/keystore.pfx"

downstream-http-tls-keystore-password-file

Password file used to decrypt the keystore.

--downstream-http-tls-keystore-password-file=<passwordFile>
--downstream-http-tls-keystore-password-file=/Users/me/my_node/password.txt
ETHSIGNER_DOWNSTREAM_HTTP_TLS_KEYSTORE_PASSWORD_FILE=/Users/me/my_node/password.txt
downstream-http-tls-keystore-password-file=/Users/me/my_node/password.txt

downstream-http-tls-known-servers-file

File containing the hostnames, ports, and SHA256 certificate fingerprints of trusted servers.

--downstream-http-tls-known-servers-file=<serversFile>
--downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers
ETHSIGNER_DOWNSTREAM_HTTP_TLS_KNOWN_SERVERS_FILE=/Users/me/my_node/knownServers
downstream-http-tls-known-servers-file="/Users/me/my_node/knownServers"

http-cors-origins

A list of domain URLs for CORS validation. You must enclose the URLs in double quotes and separate them with commas.

Listed domains can access the node using JSON-RPC. If your client interacts with EthSigner using a browser app (such as Remix or a block explorer), you must allow the client domains.

The default value is “none”. If you do not allow any domains, browser apps cannot interact with your EthSigner node.

Tip

For testing and development purposes, use "all" or "*" to accept requests from any domain. We don’t recommend accepting requests from any domain for production environments.

--http-cors-origins=<httpListenHost>
--http-cors-origins="http://remix.ethereum.org","http://medomain.com"
ETHSIGNER_HTTP_CORS_ORIGINS="http://remix.ethereum.org","http://medomain.com"
http-cors-origins=["http://remix.ethereum.org","https://meotherdomain.com"]

http-listen-host

Host on which JSON-RPC HTTP listens. Default is localhost.

--http-listen-host=<httpListenHost>
--http-listen-host=10.100.111.1
ETHSIGNER_HTTP_LISTEN_HOST=10.100.111.1
http-listen-host="10.100.111.1"

http-listen-port

Port on which JSON-RPC HTTP listens. Default is 8545.

--http-listen-port=<httpListenPort>
--http-listen-port=6174
ETHSIGNER_HTTP_LISTEN_PORT=6174
http-listen-port=6174

logging

Logging verbosity levels. Options are: OFF, FATAL, WARN, INFO, DEBUG, TRACE, ALL. Default is INFO.

-l, --logging=<LOG VERBOSITY LEVEL>
--logging=DEBUG
ETHSIGNER_LOGGING=DEBUG
logging="DEBUG"

help

Displays the help and exits.

-h, --help

tls-allow-any-client

Allows any client to connect.

Important

Cannot be used with --tls-allow-ca-clients and --tls-known-clients-file

--tls-allow-any-client
ETHSIGNER_TLS_ALLOW_ANY_CLIENT
tls-allow-any-client

tls-allow-ca-clients

Allows clients signed with trusted CA certificates to connect.

--tls-allow-ca-clients
ETHSIGNER_TLS_ALLOW_CA_CLIENTS
tls-allow-ca-clients

tls-keystore-file

PKCS #12 formatted keystore. Used to enable TLS for client connections.

--tls-keystore-file=<keystoreFile>
--tls-keystore-file=/Users/me/my_node/certificate.pfx
ETHSIGNER_TLS_KEYSTORE_FILE=/Users/me/my_node/certificate.pfx
tls-keystore-file="/Users/me/my_node/certificate.pfx"

tls-keystore-password-file

Password file used to decrypt the keystore.

--tls-keystore-password-file=<passwordFile>
--tls-keystore-password-file=/Users/me/my_node/password.txt
ETHSIGNER_TLS_KEYSTORE_PASSWORD_FILE=/Users/me/my_node/password.txt
tls-keystore-password-file=/Users/me/my_node/password.txt

tls-known-clients-file

File containing the SHA-256 fingerprints of authorized clients.

--tls-known-clients-file=<clientsFile>
--tls-known-clients-file=/Users/me/my_node/knownClients
ETHSIGNER_TLS_KNOWN_CLIENTS_FILE=/Users/me/my_node/knownClients
tls-known-clients-file=""/Users/me/my_node/knownClients"

version

Displays the version and exits.

-V, --version
ConsenSys has acquired Quorum from J.P. Morgan. Please read the FAQ.
Questions or feedback? You can discuss issues and obtain free support on EthSigner Discord channel.
For paid professional support by Consensys, contact us at quorum@consensys.net