keytool

Sui Keystore Tool

The Sui Keystore Tool is a command-line tool that provides various functionalities related to key management for the Sui network. It supports the following commands:

Usage

movement sui keytool [OPTIONS] <COMMAND>

Commands

  • convert Convert private key from wallet format (hex of 32 byte private key) to sui.keystore format (base64 of 33 byte flag || private key) or vice versa.

  • decode-tx-bytes Given Base64 encoded transaction bytes, decode their components.

  • decode-multi-sig Given a Base64 encoded MultiSig signature, decode its components. If tx_bytes is passed in, verify the multisig.

  • generate Generate a new keypair with key scheme flag {ed25519 | secp256k1 | secp256r1} with optional derivation path. Default derivation paths are m/44'/784'/0'/0'/0' for ed25519, m/54'/784'/0'/0/0 for secp256k1, and m/74'/784'/0'/0/0 for secp256r1. Word length can be {word12 | word15 | word18 | word21 | word24}. Default word length is word12 if not specified.

  • import Add a new key to sui.keystore. Supports adding key using either the input mnemonic phrase or a private key (from the Wallet). Key scheme flag {ed25519 | secp256k1 | secp256r1} and an optional derivation path can be specified. Default derivation paths are m/44'/784'/0'/0'/0' for ed25519, m/54'/784'/0'/0/0 for secp256k1, and m/74'/784'/0'/0/0 for secp256r1. Supports mnemonic phrase of word length 12, 15, 18, 21, 24.

  • list List all keys in sui.keystore. Each key is displayed with its Sui address, Base64 encoded public key, and key scheme name.

  • load-keypair Read the content at the provided file path. The accepted format is either the Base64 encoding of the 33-byte flag || privkey or type AuthorityKeyPair (Base64 encoded privkey). This command prints out the account keypair, network keypair, worker keypair, and protocol keypair as Base64 encoded private keys.

  • multi-sig-address Generate a MultiSig Sui Address. Pass in a list of all public keys (flag || pk in Base64).

  • multi-sig-combine-partial-sig Provide a list of participating signatures (flag || sig || pk encoded in Base64), the threshold, a list of all public keys, and a list of their weights that define the MultiSig address. Returns a valid MultiSig signature and its sender address. The result can be used as the signature field for sui client execute-signed-tx. The sum of weights of all signatures must be greater than or equal to the threshold.

  • multi-sig-combine-partial-sig-legacy

  • show Read the content at the provided file path. The accepted format is either the Base64 encoding of the 33-byte flag || privkey or type AuthorityKeyPair (Base64 encoded privkey). It prints out the Base64 encoded public key and the key scheme flag.

  • sign Create a signature using the private key for the given address in the Sui keystore. The signature commits to an intent message consisting of the Base64 encoding of the BCS serialized transaction bytes and its intent. If the intent is absent, the default intent will be used.

  • sign-kms Create a signature using AWS KMS. Pass in a key-id, which AWS KMS uses to sign the message, and the Base64 encoded pubkey. Generate the pubkey from a PEM file using MystenLabs/base64pemkey. The signature commits to an intent message consisting of the Base64 encoding of the BCS serialized transaction bytes and its intent. If the intent is absent, the default intent will be used.

  • unpack This command takes the Base64 encoding of the 33-byte flag || privkey. It writes the keypair to a file in the current directory, using the address as the filename, and prints out its Sui address, Base64 encoded public key, the key scheme, and the key scheme flag.

  • zk-login-sign-and-execute-tx Given the max_epoch, generate an OAuth URL, ask the user to paste the redirect with id_token, call the salt server, then call the prover server, create a test transaction, and use the ephemeral key to sign and execute it by assembling a serialized zkLogin signature.

  • zk-login-enter-token A workaround to the above command because sometimes token pasting does not work. All the inputs required here are printed from the command above.

  • zk-login-sig-verify Given a zkLogin signature, parse it if valid. If bytes are provided, parse them as either TransactionData or PersonalMessage based on intent_scope. It verifies the zkLogin signature against the latest JWK fetched.

  • zk-login-insecure-sign-personal-message TESTING ONLY: Given a string of data, sign with the fixed dev-only ephemeral key and output a zkLogin signature with a fixed dev-only proof with a fixed max epoch of 10.

  • help Print this message or the help of the given subcommand(s).
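
The two encodings that convert translates between, shown as an added Python example (not the keytool's own code) that also rejects malformed entries. The scheme flag bytes (0x00 ed25519, 0x01 secp256k1, 0x02 secp256r1) are Sui's signature scheme flags and are not listed on this page; the function names and the sample key are constructed for illustration.

```python
import base64
import binascii

# Sui signature-scheme flag bytes (assumption: taken from Sui, not this page).
SCHEME_FLAGS = {0x00: "ed25519", 0x01: "secp256k1", 0x02: "secp256r1"}
FLAG_BY_NAME = {name: flag for flag, name in SCHEME_FLAGS.items()}
KEY_LEN = 32


def wallet_to_keystore(hex_key: str, scheme: str) -> str:
    """Hex of 32-byte private key -> Base64 of 33-byte flag || privkey."""
    if scheme not in FLAG_BY_NAME:
        raise ValueError(f"unsupported key scheme: {scheme!r}")
    text = hex_key.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    try:
        raw = bytes.fromhex(text)
    except ValueError as exc:
        raise ValueError("private key is not valid hex") from exc
    if len(raw) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} key bytes, got {len(raw)}")
    return base64.b64encode(bytes([FLAG_BY_NAME[scheme]]) + raw).decode("ascii")


def keystore_to_wallet(entry: str) -> tuple[str, str]:
    """Base64 of 33-byte flag || privkey -> (scheme name, hex private key)."""
    try:
        blob = base64.b64decode(entry, validate=True)
    except binascii.Error as exc:
        raise ValueError("entry is not valid Base64") from exc
    if len(blob) != KEY_LEN + 1:
        raise ValueError(f"expected {KEY_LEN + 1} bytes, got {len(blob)}")
    flag, raw = blob[0], blob[1:]
    if flag not in SCHEME_FLAGS:
        raise ValueError(f"unknown scheme flag 0x{flag:02x}")
    return SCHEME_FLAGS[flag], raw.hex()


if __name__ == "__main__":
    # Constructed sample key (bytes 0x00..0x1f), not a real secret.
    sample_hex = bytes(range(32)).hex()
    entry = wallet_to_keystore(sample_hex, "secp256k1")
    print(entry)
    print(keystore_to_wallet(entry))
```
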

Options

  • --keystore-path <KEYSTORE_PATH> Path to the keystore file.

  • --json Return command outputs in JSON format.

  • -h, --help Print help.

  • -V, --version Print version.
