中文 | English
A secure, policy-driven signing service for EVM chains. Controls what gets signed through a rule engine, not just who can sign.
| Component | Description |
|---|---|
| Server | Daemon exposing a REST API (:8548), with Ed25519 auth, SQLite or PostgreSQL, and a rule engine |
| CLI | remote-signer binary — unified entrypoint for server start, tui, validate, api-key, evm sign/broadcast/simulate, rule management |
| TUI | Terminal UI (remote-signer tui) for interactive monitoring and management |
| Web UI | React dashboard served by the daemon at http://127.0.0.1:8548 |
| Desktop | Electron shell (.dmg/.exe/.AppImage) wrapping the daemon + Web UI |
| Chrome Extension | EIP-1193 provider injection (window.ethereum) for dApp connectivity |
| MCP Server | remote-signer-mcp (npm) — exposes all operations as MCP tools for AI agents (Claude Code, Cursor, etc.) |
| JS/TS SDK | remote-signer-client (npm) — full TypeScript client with Ed25519 auth, polling, batch signing |
| Go SDK | pkg/client — resource-based Go client (client.EVM.Sign.Execute, client.Templates.Get, etc.) |
| Rust SDK | pkg/rs-client — native Rust client with Ed25519 authentication |
The evm_solidity_expression rule type requires forge (Foundry) to compile and evaluate Solidity expressions at sign-time. If forge is unavailable, the server starts without Solidity support, and all Solidity rule operations (create, update, instantiate, preset apply) return HTTP 503.
Install forge:
# Recommended: foundryup (macOS, Linux, WSL)
curl -L https://foundry.paradigm.xyz | bash
foundryup
# Homebrew (macOS / Linux)
brew install foundry
# Verify
forge --versionThe Docker image includes forge automatically via multi-stage build — no host installation needed.
curl -sSLf -o remote-signer \
"https://github.com/ivanzzeth/remote-signer/releases/latest/download/remote-signer-$(uname -s | tr A-Z a-z)-$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')" \
&& chmod +x remote-signer
./remote-signerFirst launch creates ~/.remote-signer/ with a default config (SQLite, :8548, no TLS) and generates an admin Ed25519 keypair. The private key path is printed once to stderr.
bash <(curl -fsSL https://raw.githubusercontent.com/ivanzzeth/remote-signer/main/scripts/setup.sh)git clone https://github.com/ivanzzeth/remote-signer.git && cd remote-signer && ./scripts/setup.shHOST_UID=$(id -u) HOST_GID=$(id -g) docker compose -f docker-compose.local.yml up -dPulls ghcr.io/ivanzzeth/remote-signer:latest (multi-arch: linux/amd64, linux/arm64), bind-mounts your existing ~/.remote-signer into the container, and adds restart-on-crash. Same SQLite DB, admin keystore, signers, and API keys as the native daemon — switch back and forth without migration.
For production multi-instance behind PostgreSQL, see docker-compose.yml and Deployment Guide. For all release-engineering and version conventions, see GIT.md.
Each release ships .dmg (macOS), .exe (Windows), and .AppImage (Linux) installers built around an Electron shell that wraps the daemon. Download from the latest Releases page.
The Electron shell is just a browser window pointed at the daemon's local HTTP server (http://127.0.0.1:8548), so while the desktop app is running you can open the same UI in any regular browser on the same machine — same React app, same session, same state. Useful when you want the daemon's lifecycle handled by the desktop launcher (auto-start, restart-on-crash) but prefer your normal browser for the UI.
npm install remote-signer-clientSame version cadence as the daemon — remote-signer-client@0.3.9 matches daemon v0.3.9. See Integration Guide for usage.
Remote Signer ships with a Chrome browser extension that injects an EIP-1193 window.ethereum provider into every page, allowing dApps to use your remote-signer service for signing.
- Build the extension:
cd extension && npm ci --no-audit --no-fund && node build.mjs
- Open Chrome →
chrome://extensions - Enable Developer mode (toggle in top-right)
- Click Load unpacked and point to the
extension/directory - The Remote Signer icon appears in your toolbar
- Click the extension icon to open the popup
- Go to Settings and enter:
- Remote Signer URL (default
http://127.0.0.1:8548) - API Key ID and Private Key from your remote-signer config
- Remote Signer URL (default
- Click Test Connection to verify connectivity
- Visit any dApp — it will auto-detect the Remote Signer provider
For management tasks (rules, signers, budgets), click Open Management in the popup to access the full web dashboard.
The extension follows a three-layer isolation pattern (identical to MetaMask):
dApp page (MAIN world) ←postMessage→ content-script (ISOLATED) ←chrome.runtime→ background (service worker) ←fetch→ remote-signer API
inpage.js— injectswindow.ethereumwith EIP-1193 + EIP-6963, zero network I/Ocontent-script.js— pure bidirectional relay between MAIN world and service workerbackground.js— EIP1193Provider + RemoteSignerClient, handles all signing and RPC- No proxy needed — background worker signs requests directly with Ed25519
See ARCHITECTURE.md for the full system design.
| Document | Description |
|---|---|
| ARCHITECTURE.md | Core concepts, relationships, data flow (Signer, Wallet, API Key, Rule, Template, Preset, Budget, Audit) |
| SECURITY.md | Threat model, security boundaries, key management, breach impact analysis |
| Configuration Reference | Full config.yaml reference |
| Deployment Guide | Docker, Kubernetes, HA, monitoring, backup |
| Rules, Templates & Presets | Concepts: rule templates, instances, presets |
| Rule Syntax Reference | All rule types with examples |
| Integration Guide | Go/TS/Rust SDKs, MCP server |
| TLS / mTLS Guide | Certificate trust model, generation, production practices |
| TUI Guide | Remote Signer TUI guide (remote-signer tui): build, run, key bindings, real-time request monitoring |
| SDK/CLI Matrix | Go SDK surface mapped to CLI commands, coverage gaps, and operator tools |
| Testing Guide | Unit tests, E2E, rule validation |
| GIT.md | Release flow, version conventions, NPM_TOKEN setup, Docker compose modes |
MIT License