Run a Mithril Signer node (SPO)
In this guide, you will learn how to setup a Mithril Signer on top of a Cardano SPO Node for the testnet.
Here is an up to date list of all the Mithril Networks, their configurations and their status:
Last update: 02/28/2023
- Preview
- Preprod
- Mainnet
pre-release-preview
| Information | - |
|---|---|
| Mithril Network | pre-release-preview 🔎 |
| Cardano Network | preview |
| Cardano Magic Id | 2 |
| Supported | Yes ✔️ |
| Status | Pre-Release 🟠 |
| Aggregator Endpoint | https://aggregator.pre-release-preview.api.mithril.network/aggregator ↗️ |
| Genesis Verification Key | https://raw.githubusercontent.com/input-output-hk/mithril/main/mithril-infra/configuration/pre-release-preview/genesis.vkey ↗️ |
| Era Reader Adapter Type | cardano-chain |
| Era Reader Address | https://raw.githubusercontent.com/input-output-hk/mithril/main/mithril-infra/configuration/pre-release-preview/era.addr ↗️ |
| Era Reader Verification Key | https://raw.githubusercontent.com/input-output-hk/mithril/main/mithril-infra/configuration/pre-release-preview/era.vkey ↗️ |
| Build From | Latest Pre-Release ↗️ |
testing-preview
⚠️ For devs only
| Information | - |
|---|---|
| Mithril Network | testing-preview 🔎 |
| Cardano Network | preview |
| Cardano Magic Id | 2 |
| Supported | Yes ✔️ |
| Status | Unstable 🔴 |
| Aggregator Endpoint | https://aggregator.testing-preview.api.mithril.network/aggregator ↗️ |
| Genesis Verification Key | https://raw.githubusercontent.com/input-output-hk/mithril/main/mithril-infra/configuration/testing-preview/genesis.vkey ↗️ |
| Era Reader Adapter Type | cardano-chain |
| Era Reader Address | https://raw.githubusercontent.com/input-output-hk/mithril/main/mithril-infra/configuration/testing-preview/era.addr ↗️ |
| Era Reader Verification Key | https://raw.githubusercontent.com/input-output-hk/mithril/main/mithril-infra/configuration/testing-preview/era.vkey ↗️ |
| Build From | Main Branch ↗️ |
release-preprod
| Information | - |
|---|---|
| Mithril Network | release-preprod 🔎 |
| Cardano Network | preprod |
| Cardano Magic Id | 1 |
| Supported | Yes ✔️ |
| Status | Release 🟢 |
| Aggregator Endpoint | https://aggregator.release-preprod.api.mithril.network/aggregator ↗️ |
| Genesis Verification Key | https://raw.githubusercontent.com/input-output-hk/mithril/main/mithril-infra/configuration/release-preprod/genesis.vkey ↗️ |
| Era Reader Adapter Type | cardano-chain |
| Era Reader Address | https://raw.githubusercontent.com/input-output-hk/mithril/main/mithril-infra/configuration/release-preprod/era.addr ↗️ |
| Era Reader Verification Key | https://raw.githubusercontent.com/input-output-hk/mithril/main/mithril-infra/configuration/release-preprod/era.vkey ↗️ |
| Build From | Latest Release ↗️ |
release-mainnet
| Information | - |
|---|---|
| Mithril Network | release-mainnet |
| Cardano Network | mainnet |
| Cardano Magic Id | - |
| Supported | No ❌ |
| Status | - |
| Aggregator Endpoint | - |
| Genesis Verification Key | - |
| Era Reader Adapter Type | - |
| Era Reader Address | - |
| Era Reader Verification Key | - |
| Build From | - |
In this documentation, we use the generic:
- **YOUR_CARDANO_NETWORK** identifier, but you need to replace it with the name of the network that runs on your Cardano node (e.g.
preprod) - **YOUR_AGGREGATOR_ENDPOINT** identifier, but you need to replace it with the endpoint of an aggregator that runs on the Cardano network you target (e.g.
https://aggregator.release-preprod.api.mithril.network/aggregator) - **YOUR_GENESIS_VERIFICATION_KEY** identifier, but you need to replace it with the genesis verification key url that runs on the Cardano network you target (e.g.
https://raw.githubusercontent.com/input-output-hk/mithril/main/mithril-infra/configuration/release-preprod/genesis.vkey) - **YOUR_ERA_READER_ADAPTER_TYPE** identifier, but you need to replace it with the era reader adapter type used by the Mithril network you target (e.g.
cardano-chain) - **YOUR_ERA_READER_ADDRESS** identifier, but you need to replace it with the era reader address url used by the Mithril network you target (e.g.
https://raw.githubusercontent.com/input-output-hk/mithril/main/address.addr) - **YOUR_ERA_READER_VERIFICATION_KEY** identifier, but you need to replace it with the era reader verification key url used by the Mithril network you target (e.g.
https://raw.githubusercontent.com/input-output-hk/mithril/main/TEST_ONLY_era.vkey)
This guide is working only on a Linux machine.
For more information about the Mithril Protocol, please refer to the About Mithril section.
Pre-requisites
What you'll need
Operating a Cardano Node as a Stake Pool:
- The Cardano
Operational Certificatefile of the pool - The Cardano
KES Secret Keyfile of the pool
- The Cardano
Access to the file system of a
relayCardano Node running on thetestnet:- Read rights on the
Databasefolder (--database-pathsetting of the Cardano Node) - Read/Write rights on the
Inter Process Communicationfile (usuallyCARDANO_NODE_SOCKET_PATHenv var used to launch the Cardano Node)
- Read rights on the
Install a recent version of the
cardano-cli(version 8.0.0+)Install a correctly configured Rust toolchain (latest stable version).
Install OpenSSL development libraries, for example on Ubuntu/Debian/Mint run
apt install libssl-devEnsure the SQLite3 version is at least
3.35(released Apr. 2021)Install a recent version of
jq(version1.6+)apt install jq
Mithril Keys Certification
Certify your Pool Id
You must declare your Cardano Operational Certificate file and KES Secret Key file which allows to:
- Compute automatically the
PoolId - Verify that you are the owner of the
PoolId, and thus of the associated stakes used by Mithril protocol - Verify that you are the owner of the Mithril
Signer Secret Key, and thus allowed to contribute to the multi-signatures and certificate production of the Mithril network
Building your own executable
Download source
Download from GitHub (HTTPS)
git clone https://github.com/input-output-hk/mithril.git
Or (SSH)
git clone git@github.com:input-output-hk/mithril.git
Build Mithril Signer binary
Switch to build branch / tag
# **YOUR_BUILD_BRANCH_OR_TAG** depends on the Mithril network you target,
# please refer to the **Build From** column of the above **Mithril Networks** table
git switch **YOUR_BUILD_BRANCH_OR_TAG**
Change directory
cd mithril/mithril-signer
Run tests (Optional)
make test
Build executable
make build
Download compiled binary
Each Release / Pre-Release distribution comes with pre compiled binaries ready to use or wrapped in a debian package.
You can download them from the Release / Pre-Release distribution page that depends on the Mithril Network you are targeting.
These links are available in the Build From column of the above Mithril Networks table.
Verify binary
Verify version
Check that the Mithril Signer binary is running the correct version by running
./mithril-signer -V
You should see something like
mithril-signer 0.2.0
⚠️ Verify that the version displayed is the version described in the content of the Release / Pre-Release note (see the Build From column of the above Mithril Networks table)
Verify build
Check that the Mithril Signer binary is working fine by running its help
./mithril-signer -h
You should see
An implementation of a Mithril Signer
Usage: mithril-signer [OPTIONS]
Options:
-r, --run-mode <RUN_MODE>
Run Mode [env: RUN_MODE=] [default: dev]
-v, --verbose...
Verbosity level, add more v to increase
-c, --configuration-dir <CONFIGURATION_DIR>
Directory where the configuration file is located [default: ./config]
--disable-digests-cache
Disable immutables digests cache
--reset-digests-cache
If set the existing immutables digests cache will be reset
-h, --help
Print help information (use `--help` for more detail)
-V, --version
Print version information
If you want to dig deeper, you can get access to several level of logs from the Mithril Signer:
- Add
-vfor some logs (WARN) - Add
-vvfor more logs (INFO) - Add
-vvvfor even more logs (DEBUG) - Add
-vvvvfor all logs (TRACE)
Install the service
Move executable
Move executable to /opt/mithril
sudo mkdir -p /opt/mithril
sudo mv mithril-signer /opt/mithril
Setup the service
User=cardano: Replace this value with the correct user. We assume that the user used to run the Cardano Node iscardano. The Mithril Signer must imperatively run with the same user.In the
/opt/mithril/mithril-signer/service.envenv file:KES_SECRET_KEY_PATH=/cardano/keys/kes.skey: replace/cardano/keys/kes.skeywith the path to your CardanoKES Secret KeyfileOPERATIONAL_CERTIFICATE_PATH=/cardano/cert/opcert.cert: replace/cardano/cert/opcert.certwith the path to your CardanoOperational CertificatefileDB_DIRECTORY=/cardano/db: replace/cardano/dbwith the path to the database folder of the Cardano Node (the one in--database-path)CARDANO_NODE_SOCKET_PATH=/cardano/ipc/node.socket: replace with the path to the IPC file (CARDANO_NODE_SOCKET_PATHenv var)CARDANO_CLI_PATH=/app/bin/cardano-cli: replace with the path to thecardano-cliexecutableDATA_STORES_DIRECTORY=/opt/mithril/stores: replace with the path to a folder where the Mithril Signer will store its data (/opt/mithril/storese.g.)STORE_RETENTION_LIMIT: if set, this will limit the number of records in some internal stores (5 is a good fit).ERA_READER_ADAPTER_TYPE=cardano-chain: replacecardano-chainwith the era reader adapter type used in your Mithril networkERA_READER_ADAPTER_PARAMS={"address": "...", "verification_key": "..."}: replace{"address": "...", "verification_key": "..."}with the era reader params that you need to compute by running the commandjq -nc --arg address $(wget -q -O - **YOUR_ERA_READER_ADDRESS**) --arg verification_key $(wget -q -O - **YOUR_ERA_READER_VERIFICATION_KEY**) '{"address": $address, "verification_key": $verification_key}'
First create an env file that will be used by the service:
sudo bash -c 'cat > /opt/mithril/mithril-signer.env << EOF
KES_SECRET_KEY_PATH=**YOUR_KES_SECRET_KEY_PATH**
OPERATIONAL_CERTIFICATE_PATH=**YOUR_OPERATIONAL_CERTIFICATE_PATH**
NETWORK=**YOUR_CARDANO_NETWORK**
AGGREGATOR_ENDPOINT=**YOUR_AGGREGATOR_ENDPOINT**
RUN_INTERVAL=60000
DB_DIRECTORY=/cardano/db
CARDANO_NODE_SOCKET_PATH=/cardano/ipc/node.socket
CARDANO_CLI_PATH=/app/bin/cardano-cli
DATA_STORES_DIRECTORY=/opt/mithril/stores
STORE_RETENTION_LIMIT=5
ERA_READER_ADAPTER_TYPE=**YOUR_ERA_READER_ADAPTER_TYPE**
ERA_READER_ADAPTER_PARAMS=**YOUR_ERA_READER_ADAPTER_PARAMS**
EOF'
Then we will create a /etc/systemd/system/mithril-signer.service description file for our service
sudo bash -c 'cat > /etc/systemd/system/mithril-signer.service << EOF
[Unit]
Description=Mithril Signer service
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=1
User=cardano
EnvironmentFile=/opt/mithril/mithril-signer.env
ExecStart=/opt/mithril/mithril-signer -vvv
[Install]
WantedBy=multi-user.target
EOF'
Reload the service configuration (Optional)
sudo systemctl daemon-reload
Then start the service
sudo systemctl start mithril-signer
Then register the service to start on boot
sudo systemctl enable mithril-signer
Then monitor status of the service
systemctl status mithril-signer.service
And monitor the logs of the service
tail /var/log/syslog
There is a 2 epochs delay between the signer node registration and its ability to create individual signatures, as explained in the Mithril Certificate Chain in depth.
After this delay, you should be able to see your PoolId listed in some of the certificates available on the Mithril Explorer