
Add support for building transactions with a different signer to the source account

Open leighmcculloch opened this issue 1 year ago • 5 comments

What

The CLI needs to support adding a different signer to a transaction without the signer being the source account.

Why

The CLI today assumes that the signer of a transaction is the master key of the source account. This is fine for development and for simpler user key setups, but doesn't support slightly more complex setups or where people have their key stored on a hardware device.

Note that there are even more complex setups that might require signatures by multiple keys, or multiple parties, and this issue isn't intended to address those more complex scenarios. Those scenarios will be addressed by the addition of the tx sign command in:

  • https://github.com/stellar/stellar-cli/issues/1490

How

Add a new option --sign-with-* that is supported anywhere that --source is supported.

When a --sign-with-* is not present, the --source is the signer.

When a --sign-with-* is present, the --source is not a signer, the signer is looked up separately and signs the transaction.

Initially this issue captures the need for --sign-with-key which can accept any of the key types currently passed to --source.

Examples

For example, today the CLI supports, and it would continue to support:

soroban contract deploy --wasm ... --source me

And for example, a user should be able to sign the tx with a different key than the source:

soroban contract deploy --wasm ... --source me --sign-with-key myotherkey

This change makes the first example in the issue above shorthand for:

soroban contract deploy --wasm ... --source me --sign-with-key me

leighmcculloch avatar Mar 20 '24 03:03 leighmcculloch

What if the user doesn't want to sign with any key? They just want to go through the build->simulate flow and then take the tx XDR and sign elsewhere?

tomerweller avatar Mar 20 '24 03:03 tomerweller

I think we should capture that in a separate issue. I'm hoping once #1180 gets broken up into two issues that the issue that comes out of that for skipping signing on any tx built will involve adding a --no-sign or --sign false.

leighmcculloch avatar Mar 20 '24 03:03 leighmcculloch

@tomerweller A separate issue now captures supporting that scenario: https://github.com/stellar/soroban-cli/issues/1265

leighmcculloch avatar Mar 20 '24 03:03 leighmcculloch

After reading through https://github.com/stellar/stellar-cli/issues/1490 I think we can probably keep this the same as tx sign and only ever sign by one device/key at a time, with more complex multi-signature flows using the tx sign command multiple times.

I'm updating this issue to remove the intent to make for multiple signers, but keeping the issue open because I think from a usability pov it's important we support signing with other devices natively on commands so that users can run commands like:

soroban contract deploy --wasm ... --source me --sign-with-key mykey

or

soroban contract deploy --wasm ... --source me --sign-with-wallet-kit

cc @janewang @Ifropc @willemneal @fnando

leighmcculloch avatar Jul 26 '24 00:07 leighmcculloch

+1 Been thinking a bit more on it: if we keep --sign-with-* options on every command that currently signs, we can be consistent over commands with simple sign. For complex signing, the user can pipe output to another sign command. I think --source-account could be a bit confusing though (as it also signs). I think we should:

  1. Use it as a source account always anyway.
  2. Use it to auto-sign, unless --sign-with is passed.
  3. Add --no-sign flag that doesn't auto-sign with source account (as suggested in this issue).

Thoughts?

ifropc avatar Jul 26 '24 01:07 ifropc
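
The signer-selection rules discussed in this thread (the issue's How section plus the three points in the last comment), as an added example that is not soroban-cli code. `Plan`, `value` and `plan_from_args` are hypothetical names; `--no-sign` is only proposed in the thread, and rejecting it together with `--sign-with-key` is an assumption.

```rust
// Added example with hypothetical names; not soroban-cli code.
#[derive(Debug, PartialEq)]
struct Plan {
    source: String,         // always the transaction's source account
    signer: Option<String>, // key that signs; None = leave the tx unsigned
}

// Read the value that must follow a flag.
fn value(it: &mut std::slice::Iter<'_, &str>, flag: &str) -> Result<String, String> {
    it.next()
        .map(|v| v.to_string())
        .ok_or_else(|| format!("{} needs a value", flag))
}

fn plan_from_args(args: &[&str]) -> Result<Plan, String> {
    let (mut source, mut sign_with_key, mut no_sign) = (None, None, false);
    let mut it = args.iter();
    while let Some(&arg) = it.next() {
        match arg {
            "--source" => source = Some(value(&mut it, arg)?),
            "--sign-with-key" => sign_with_key = Some(value(&mut it, arg)?),
            "--no-sign" => no_sign = true, // proposed in the thread only
            _ => {} // other options such as --wasm are out of scope here
        }
    }
    let source = source.ok_or("--source is required")?;
    let signer = match (sign_with_key, no_sign) {
        // Assumption: the two flags contradict each other, so fail closed.
        (Some(_), true) => return Err("--sign-with-key conflicts with --no-sign".into()),
        // The source is not a signer; the named key is looked up and signs.
        (Some(key), false) => Some(key),
        // Build (and simulate) only; the XDR is signed elsewhere.
        (None, true) => None,
        // Default: `--source me` is shorthand for `--source me --sign-with-key me`.
        (None, false) => Some(source.clone()),
    };
    Ok(Plan { source, signer })
}

fn main() {
    let args = ["--wasm", "c.wasm", "--source", "me", "--sign-with-key", "myotherkey"];
    println!("{:?}", plan_from_args(&args));
}
```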