Signing

← Back to Examples Overview

Secure secret management and external KMS signing for production-grade security.

Examples (3)

Example	Description
Ed25519 Signing From Keyring	This example demonstrates how to retrieve secrets from a keyring and use them to sign transactions. Key concepts: Using keyring library to securely store and retrieve mnemonic Mock keyring for CI/testing when OS keyring is unavailable Implementing WrappedEd25519Seed interface for secure key handling Converting mnemonic to seed and deriving signing key Creating Algorand account with generated signers Registering signer with AlgorandClient using set_signer_from_account() Signing and sending a payment transaction Prerequisites: OS that has keyring support (macOS Keychain, Windows Credential Manager, Linux Secret Service) keyring library installed (uv pip install keyring) For testing without keyring: Mock keyring will be used automatically in CI
HD Signing From Keyring	This example demonstrates how to retrieve HD extended private keys from a keyring and use them to sign transactions. Key concepts: Generating an HD wallet using the Peikert derivation scheme Deriving extended private keys (96 bytes: scalar + prefix + chain code) Storing and retrieving HD keys from OS keyring Mock keyring for CI/testing when OS keyring is unavailable Implementing WrappedHdExtendedPrivateKey interface The last 32 bytes (chain code) are not needed for signing Padding 64-byte secrets to 96 bytes for storage efficiency Registering signer with AlgorandClient using set_signer_from_account() Prerequisites: OS that has keyring support (macOS Keychain, Windows Credential Manager, Linux Secret Service) keyring library installed (uv pip install keyring) For testing without keyring: Mock keyring will be used automatically in CI
Ed25519 Signing from AWS KMS	This example demonstrates how to use AWS KMS to perform Ed25519 signing for Algorand transactions. Includes a mock KMS client for testing when AWS credentials are not available. Key concepts: Using AWS KMS for secure key storage and signing Mock KMS client for local development/testing Retrieving public key from KMS in SPKI format Parsing DER-encoded public key to extract raw Ed25519 public key Implementing RawEd25519Signer with KMS Generating Algorand address from KMS-managed key Registering signer with AlgorandClient using set_signer_from_account() Prerequisites: AWS credentials configured (for real KMS usage): AWS_REGION environment variable KEY_ID environment variable AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (or use OIDC in CI) boto3 library installed (uv pip install boto3) For testing without AWS: Mock client will be used automatically

Example

Description

Ed25519 Signing From Keyring

This example demonstrates how to retrieve secrets from a keyring and use them to sign transactions.

Key concepts:

Using keyring library to securely store and retrieve mnemonic
Mock keyring for CI/testing when OS keyring is unavailable
Implementing WrappedEd25519Seed interface for secure key handling
Converting mnemonic to seed and deriving signing key
Creating Algorand account with generated signers
Registering signer with AlgorandClient using set_signer_from_account()
Signing and sending a payment transaction

Prerequisites:

OS that has keyring support (macOS Keychain, Windows Credential Manager, Linux Secret Service)
keyring library installed (uv pip install keyring)
For testing without keyring: Mock keyring will be used automatically in CI

HD Signing From Keyring

This example demonstrates how to retrieve HD extended private keys from a keyring and use them to sign transactions.

Key concepts:

Generating an HD wallet using the Peikert derivation scheme
Deriving extended private keys (96 bytes: scalar + prefix + chain code)
Storing and retrieving HD keys from OS keyring
Mock keyring for CI/testing when OS keyring is unavailable
Implementing WrappedHdExtendedPrivateKey interface
The last 32 bytes (chain code) are not needed for signing
Padding 64-byte secrets to 96 bytes for storage efficiency
Registering signer with AlgorandClient using set_signer_from_account()

Prerequisites:

OS that has keyring support (macOS Keychain, Windows Credential Manager, Linux Secret Service)
keyring library installed (uv pip install keyring)
For testing without keyring: Mock keyring will be used automatically in CI

Ed25519 Signing from AWS KMS

This example demonstrates how to use AWS KMS to perform Ed25519 signing for Algorand transactions. Includes a mock KMS client for testing when AWS credentials are not available.

Key concepts:

Using AWS KMS for secure key storage and signing
Mock KMS client for local development/testing
Retrieving public key from KMS in SPKI format
Parsing DER-encoded public key to extract raw Ed25519 public key
Implementing RawEd25519Signer with KMS
Generating Algorand address from KMS-managed key
Registering signer with AlgorandClient using set_signer_from_account()

Prerequisites:

AWS credentials configured (for real KMS usage):
AWS_REGION environment variable
KEY_ID environment variable
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (or use OIDC in CI)
boto3 library installed (uv pip install boto3)
For testing without AWS: Mock client will be used automatically

Quick Start

Run any example from the repository’s examples directory:

cd examples
uv run python signing/01_ed25519_from_keyring.py