
allow passing private key and bypassing web ui for `graph publish`

Open saihaj opened this issue 1 year ago • 4 comments

In https://github.com/graphprotocol/graph-tooling/pull/1670, we introduce a new command that allows publishing to the network. It links the user to cli.thegraph.com (located here), and the user adds metadata and finishes signing in their wallet.

@schmidsi suggested that we should allow the user to fill out all this metadata via the CLI and then let them provide a local private key, which will be used to sign the transaction.

saihaj avatar May 27 '24 17:05 saihaj

Maybe using this: https://github.com/smartcontractkit/env-enc

schmidsi avatar May 27 '24 17:05 schmidsi

I think that this should definitely be added. There are many developers that I think would strongly benefit by being able to automate publishing of their deployments.

mitchhs12 avatar May 27 '24 18:05 mitchhs12

@saihaj any update on this?

schmidsi avatar Jun 20 '24 16:06 schmidsi

Copy-pasted from Slack. Thanks @DenisCarriere and @schmidsi for the suggestions.

Regarding this issue, I don't think we should be allowing developers to be copy-pasting their private key directly in a CLI.

Usually when doing a demo, it's not wise to be showcasing your private key, and if the CLI has this as a requirement, it will always be difficult to run a demo to publish a Subgraph directly via CLI. Also, when doing bash commands, the last commands are usually retained in history by zsh; this would force devs to expose their private key on every publish command.

Solution: Have the CLI have its own password-encrypted private key management. There are a lot of examples of how to implement this.

Copying over some CLI methods that StreamingFast built a long time ago (eosc), which was very effective as a private key management CLI solution:

```
Usage:
  graph vault [command]

Available Commands:
  add         Add private keys to an existing vault taking input from the shell
  create      Create a new encrypted EVM keys vault
  export      Export private keys (and corresponding public keys) inside an graph vault.
  list        List public keys inside an graph vault.
  serve       Serves signing queries on a local port.
```

On that same topic, Simon mentioned a good alternative to this by using env-enc: https://github.com/smartcontractkit/env-enc. That would also achieve the same goal and be easier to implement.

alex-pakalniskis avatar Nov 04 '24 15:11 alex-pakalniskis
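
The password-encrypted key storage proposed in the last comment, sketched as an added example that is not part of the thread and is not graph-tooling, eosc or env-enc code: the key is encrypted at rest with scrypt and AES-256-GCM from Node's built-in `crypto`, so only the passphrase is ever entered (from a prompt, not argv, which keeps the key out of shell history). The names `createVault` and `openVault` and the vault JSON layout are hypothetical.

```javascript
// Added illustration: a passphrase-encrypted key vault using only Node's built-in crypto.
// createVault/openVault and the vault JSON layout are hypothetical, not graph-tooling APIs.
const crypto = require('node:crypto');

// scrypt cost parameters; stored in the vault so they can be raised later.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

function deriveKey(passphrase, salt, kdf) {
  return crypto.scryptSync(passphrase, salt, 32, kdf);
}

// Encrypt a hex private key under a passphrase; returns a JSON-serialisable vault.
function createVault(privateKeyHex, passphrase) {
  if (!/^(0x)?[0-9a-fA-F]{64}$/.test(privateKeyHex)) {
    throw new Error('expected a 32-byte hex private key');
  }
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(passphrase, salt, KDF);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const secret = Buffer.from(privateKeyHex.replace(/^0x/, ''), 'hex');
  const ciphertext = Buffer.concat([cipher.update(secret), cipher.final()]);
  return {
    version: 1,
    kdf: { name: 'scrypt', ...KDF, salt: salt.toString('hex') },
    cipher: { name: 'aes-256-gcm', iv: iv.toString('hex'), tag: cipher.getAuthTag().toString('hex') },
    ciphertext: ciphertext.toString('hex'),
  };
}

// Decrypt the vault; a wrong passphrase or a modified file fails the GCM tag check.
function openVault(vault, passphrase) {
  const { N, r, p, maxmem, salt } = vault.kdf;
  const key = deriveKey(passphrase, Buffer.from(salt, 'hex'), { N, r, p, maxmem });
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(vault.cipher.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(vault.cipher.tag, 'hex'));
  try {
    const plain = Buffer.concat([decipher.update(Buffer.from(vault.ciphertext, 'hex')), decipher.final()]);
    return '0x' + plain.toString('hex');
  } catch {
    throw new Error('wrong passphrase or corrupted vault');
  }
}
```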