what's Signatory?

Signatory is a protocol-aware remote signer tailored for the Tezos blockchain, enabling secure delegation of signing operations for baking, oracles, and dApps. It interfaces with hardware security modules (HSMs), cloud key management services (AWS KMS, GCP KMS, Azure Key Vault), Ledger devices, and trusted execution environments (TEEs) like AWS Nitro Enclaves. Key features include watermarking to prevent double-signing, granular policy controls (e.g., chain ID restrictions, operation filtering, BLS proof-of-possession), and support for Tezos protocol evolutions such as Rio, Seoul, Tallinn, DAL attestations, and tz4/BLS keys. Built by ECAD Labs, Signatory automates attestation aggregation to reduce bandwidth (e.g., ~900MB to ~14MB/day), provides Prometheus metrics for observability, and offers CLI tools for key import/generation. It ensures startup resilience by skipping faulty vaults and supports non-root containers with PKCS#11. This makes it ideal for enterprise bakers and teams prioritizing key security without performance trade-offs.

Signatory to showcase its Tezos remote signer at TezDev XP Zone conference on March 30.