docs: add lndsigner info to remote signing docs
ViktorTigerstrom committed Nov 22, 2024
1 parent 37e2ffc commit bc0c0dc
Showing 1 changed file with 41 additions and 2 deletions.
43 changes: 41 additions & 2 deletions docs/remote-signing.md
Expand Up @@ -47,6 +47,14 @@ node permits a single inbound gRPC connection **from** the watch-only lnd node.
Conversely, when configured as an "outbound" remote signer, it allows a single
outbound gRPC connection **to** the watch-only lnd node.

## Lndsigner

Starting with `lnd` `v0.19.0-beta`, every `lnd` release includes an additional
binary called `lndsigner`. This is a stripped-down version of `lnd` designed
specifically for use as a "remote signer" in remote signing setups. It exposes
only the features needed for remote signing and includes a streamlined
configuration file to make setup easier for users.

## Example setups

In the examples below, we demonstrate how to configure the "signer" node and the
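Review bot: The new `## Lndsigner` section says the binary "exposes only the features needed for remote signing" but never says what is dropped, so a reader cannot tell whether the later steps in this document (exporting the wallet `xpub`s after starting the signer, the hardening entries in `lnd.conf`) still apply unchanged when `lndsigner` is used. Add one sentence naming what is unavailable in `lndsigner`, or a link to its configuration reference, right after "configuration file to make setup easier for users."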
Expand All @@ -63,7 +71,8 @@ and is not connected to the internet or LN P2P network at all. Ideally only a
single RPC based connection (that can be firewalled off specifically) can be
opened to this node from the host on which the node "watch-only" is running.

Recommended entries in `lnd.conf`:
Recommended entries in `lnd.conf` if using an `lnd` instance as the remote
signer:

```text
# Indicates that the node will function as an inbound remote signer
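Review bot: Style: with this change the paragraph introduces two alternative configurations ("Recommended entries in `lnd.conf` if using an `lnd` instance as the remote signer:" followed further down by an `lndsigner.conf` block), but nothing in the surrounding text tells the reader up front that a choice is being made. A short lead sentence such as "Choose one of the two configurations below depending on whether you run `lnd` or `lndsigner` as the signer:" before this line would make the structure explicit.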
Expand Down Expand Up @@ -97,6 +106,17 @@ bitcoin.mainnet=true
bitcoin.node=nochainbackend
```

If you instead use the `lndsigner` binary as the remote signer, it is
recommended to include the following entries in `lndsigner.conf`:

```text
# Indicates that lndsigner will function as an inbound remote signer
signerrole=signer-inbound
# Specifies the mainnet network (mainnet is the default value if not set).
network=mainnet
```

After successfully starting up "signer", the following command can be run to
export the `xpub`s of the wallet:

Expand Down Expand Up @@ -176,7 +196,7 @@ steps remains in place.
#### Step 1: export the `xpub`s of the outbound signer node's wallet

When starting the signer node to export the `xpub`s of the wallet, these entries
in `lnd.conf` are recommended:
in `lnd.conf` are recommended if using an `lnd` instance as the remote signer:

```text
# We apply some basic "hardening" parameters to make sure no connections to the
Expand Down Expand Up @@ -213,6 +233,25 @@ remotesigner.macaroonpath=/home/signer/example/watch-only.custom.macaroon
remotesigner.tlscertpath=/home/signer/example/watch-only.tls.cert
```

If you instead use the `lndsigner` binary as the remote signer, it is
recommended to include the following entries in `lndsigner.conf`:

```text
# Indicates that lndsigner will function as an outbound remote signer. If this
# config option isn't set, this value defaults to "signer-outbound" as well.
signerrole=signer-outbound
# Specifies the mainnet network (mainnet is the default value if not set).
network=mainnet
# The watch-only node's RPC host.
watchonlyrpchost=zane.example.internal:10019
# A macaroon and TLS certificate for the watch-only node.
watchonlymacaroonpath=/home/signer/example/watch-only.custom.macaroon
watchonlytlscertpath=/home/signer/example/watch-only.tls.cert
```

**Note:** The watch-only node’s `rpchost`, `macaroonpath`, and `tlscertpath`
specified in the configuration will not resolve successfully until steps 2 and 3
are completed, as these files do not yet exist, and no node is currently running
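Review bot: The comment "If this config option isn't set, this value defaults to "signer-outbound" as well." is confusing: "as well" has no antecedent in this block, and since the inbound block above sets `signerrole=signer-inbound` explicitly, a reader may wonder what else is defaulting. Suggest "# Indicates that lndsigner will function as an outbound remote signer (this is the default if signerrole is not set)." Separately, the **Note:** below refers to the watch-only node's `rpchost`, `macaroonpath` and `tlscertpath`, which match the `remotesigner.*` keys of `lnd.conf` but not the new `watchonlyrpchost`, `watchonlymacaroonpath` and `watchonlytlscertpath` keys; extend the note to name both sets of keys so `lndsigner` users know it applies to their block too.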
