Secure Advanced Infrastructure

In this tutorial, we’ll present a method to bake on the testnet as a trial. Baking on the mainnet is quite similar except that you don’t need to activate faucet accounts. Another trial alternative is to setup a private network and start baking on it. This is the most secure scenario: the key is stored in a hardware wallet plugged to a different computer from the one running the validator. In this scenario, there are actually several ledgers with the same secret key, dispatched on several machines (on Raspberry’s for instance). The baker and the endorser programs are running on one machine and connected to a proxy signer (that runs on the same machine). The remote signers will connect to proxy signer and wait for requests. When asked to sign a block or an endorsment, the proxy signer will forward the request to all connected ledgers. That way, we’d be sure to have a response from one ledger.


We’ll assume that you already checked out the testnet branch of the gitlab repository and built the binaries. We assume you are running a testnet node which stores its state in $HOME/dune-testnet-2019-07-08, and with RPC port 8733 on the local loop You might have to specify -A <addr> -P <port> after dune-client to specify different parameters before running some actions. We also suppose that the current protocol is 004-Pt24m4xi, you might have to change the names of the commands to accomodate with the current protocol.

Setting up the Secured Signer

Here are the steps to set up a Raspberry and the remote signer on a machine:

Raspberry Setup

Install and setup a linux distribution like raspbian. Then install all the dependencies for all the scripts needed to run a dune node, the ledger and the startup scripts:

$ sudo apt install \
  make m4 gcc patch unzip bubblewrap git \
  build-essential libcurl4-gnutls-dev libsodium-dev psmisc \
  libgmp-dev libev-dev libhidapi-dev m4 perl pkg-config

Ledger Setup

You need to enable udev rules to support Ledger devices on Linux:

$ wget -q -O - | sudo bash

You should now be able to connect your Ledger. Then, you need to install then Dune Ledger App. For that, just follow one of the methods given in this page .

Once this is done, we can take care of the signer.

Setup and install opam

To build Dune Network on the Raspberry, you need to install OPAM package manager:

$ sh <(curl -sL

Setup Dune Network

Clone dune-network repository form Gitlab and compile it:

$ git clone
$ cd dune-network
$ make build-deps
$ eval $(opam env)
$ make

The command make build-deps will install a fresh OCaml compiler in a local switch and all the dependencies and libraries needed to build Dune binaries. The command make will then compile Dune Network. Note that is process is rather slow.

Now you should have dune binaries ready. The next step is to import keys from the ledger.

Setup signer

In order to run a remote signer we need to import the keys (the device should be in the Dune App):

$ ./dune-signer list connected ledgers

If the ledger is connected, this will prompt information to import the key:

$ ./dune-signer import secret key <ALIAS> "ledger://<LEDGER_NAME>/<CURVE>/0'/0'"

You can check the added key with:

./dune-signer list known addresses

Lastly, you need to switch the App to baking and authorize the device to bake (signing blocks and endorsements):

$ ./dune-signer dune ledger becomes baking <ALIAS>
$ ./dune-signer setup ledger to bake for <ALIAS> --main-chain-id <CHAIN_ID>

You can replicate the process above on other Raspberry’s / machines connected from different locations. This will work as backup in case of power/network outage.

Before starting the remote signers, we need to setup the baker, endorser and proxy signer first. This is explained in the next section.

Setting up the Baker

The proxy signer is the process that is going to wait for (a) signing request from the baker and endorser and for (b) remote connexion from signers. It keeps a list of remote signers and bounces the signing requests to them. We recommend to run it on a more powerful machine than raspberry since it needs a node that is connected to the blockchain.

You’ll need to setup Dune Network as you did above on the raspberry. Please, refer to the appropriate section.

First setup: initializing proxy signer

In order to setup the Dune wallet for baking, you need to ‘prove’ that you can sign for your <DN1> key. This is done by doing a one time exchange with the signer.

First, start the proxy singer as follows:

$ ./dune-signer --proxy-wait --proxy-port <PROXY_PORT> --proxy-host [::] \
    import secret key <PROXY_ALIAS> tcp-proxy://<PROXY_PORT>/<DN1>

<PROXY_PORT> is the port on which the proxy will wait for signer connection and <PROXY_ALIAS> is an alias that will be used later when starting the baker and endorser. The command above makes the proxy wait for a connection from the remote signer.

Now, start the signer on the Raspberry, with the address/port of the machine on which the proxy is running:

$ ./dune-signer launch reverse socket signer -a <PROXY_ADDR> -p <PROXY_PORT>

Once this is done, you should be able to check that the proxy signer actually added the key of the remote signer with this command:

./dune-signer list known addresses

The steps above are only necessary the first time you setup the proxy. Running a single remote signer is sufficient to do it.

Start the signers

You can now start the proxy as follows:

$ ./dune-signer --proxy-host [::] --proxy-port <PROXY_PORT> --proxy launch socket signer -p <PROXY_BAKER_PORT>

The proxy signer will wait for connections from both the baker/endorser to sign requests and from the remote signers. <PROXY_PORT> is the port on which the proxy will wait for signers connections. <PROXY_BAKER_PORT> is the port on which it will wait for signing requests.

Then, you can (re-)start the signers on the raspberry’s / remote machines with:

$ ./dune-signer launch reverse socket signer -a <PROXY_ADDR> -p <PROXY_PORT>

The proxy signer will log successful connections of the signers.

TODO: monitoring of remote signers

Setup and start endorser/baker

The last step is to setup and start the endorser and baker.

First, we import baker’s key:

./dune-client import secret key <BAKER_ALIAS> tcp://<PROXY_BAKER_PORT>/<DN1>

where <PROXY_BAKER_PORT> should match the one used to run the proxy.

Then, we start the endorser with:

$ ./dune-endorser-<PROTO> -A -P <NODE_RPC_PORT> run <BAKER_ALIAS>

Finally, we start the baker with:

$ ./dune-baker-<PROTO> -A -P <NODE_RPC_PORT> run with local node <DUNE_DATADIR> <BAKER_ALIAS>

<PROTO> is the current protocol (at the time of writing it is 004-Pt24m4xi). <DUNE_DATADIR> is the data dir of the node (default should be $HOME/.dune-node). <NODE_RPC_PORT> is the port of the RPC server of the node (default on mainnet should be 8734).

We use since the proxy and the baker/endorser are running on the same machine.