Signatory - A Tezos Remote Signer

Signatory is a remote signing daemon that allows Tezos bakers to sign endorsement and baking operations with a variety of different key management systems.

Signatory currently supports Azure Key Vault, and other backend signing services are either in planning phase, or being added.

The goal of the Signatory service is to make key management as secure as possible in a Cloud and on premise HSM context.

Security and convenience are typically diametrically opposed, but we hope to at least make it easier for the community to manage their keys in an adequately secure manner.

By supporting multiple Cloud KMS/HSM systems, we hope to help the network from centralization on a particular Cloud offering. In the first year of the Tezos network operation, there's anecdotal evidence that a lot of bakers run on AWS. AWS is a superb provider, but having a concentration of nodes on one cloud vendor centralizes the underlying infrastructure of the network which is not desirable.

Signatory is also focused on observability. Meaning that it exposes metrics about its operations. Allowing operators to see historic trends, signing volumes, errors and latencies. This allows for rich reporting and alerting capabilities.

We are very excited about offering this project to the community. Feature requests, security issues or bug reports can be reported via the Github project page: or via email to

Security issues can be encrypted using the keys available at keybase/jevonearth