The Raw Signing feature allows you to generate ECDSA and EdDSA signatures to sign any transaction type or message. This can be used for interacting with transaction types that are not natively supported in Fireblocks workspaces.
Warning: Raw Signing is an insecure signing method and is not generally recommended. Bad actors can trick someone into signing a valid transaction message and use it to steal funds. For this reason, Raw Signing is a premium feature that requires an additional purchase and is not available in workspaces by default. If you're interested in this feature and want to discuss eligibility, contact your Customer Success Manager.
Transactions not broadcast by Fireblocks, but by the customer directly, can still appear in the Console. Learn more about transaction broadcasting.
When to use Raw Signing
Typically Raw Signing is used in the following scenarios:
- Signing transactions on a blockchain that Fireblocks doesn’t currently support.
- Performing specific operations that are not currently supported on a supported blockchain (for example, staking on a lesser-known blockchain, or managing tokens on blockchains not natively supported by Fireblocks Tokenization).
- Using your cryptographic signatures to prove or validate messages (For example, proof of assets, or proof of addresses).
- Recovering funds that were sent to your address on a blockchain that we don’t currently support.
Important: During the "Basic Concepts: NaE (Numbers as Everything)" portion of the video above, it is incorrectly stated that a is 91. The correct value of a is 97.
Enabling Raw Signing
By default, Raw signing is not available in workspaces. Contact your Customer Success Manager to enable Raw Signing, which can take 3-5 business days according to our Service Level Agreement (SLA).
If Raw Signing is disabled in your workspace and you attempt to create a raw transaction, it will fail and show the BLOCKED_BY_POLICY substatus.
Policy rules for Raw Signing
Policies reject all raw transactions by default. After enabling the Raw Signing feature, you must add Policy rules that allow users to initiate, approve, and sign raw transactions from specific vault accounts.
You can also use your Policy rules to limit the range of derivation paths, vault accounts, and assets available for raw transactions. Unless explicitly defined otherwise in the rule, the rule matches with all derivation paths. When creating the rule, select Groups and accounts as your source and enter Any vault. Then you can enter a derivation path.
The derivation path used in signing can be passed along with the signing request in one of two ways:
- Explicitly: By passing the signing algorithm and the full derivation path in the transaction payload.
- Implicitly: By passing the vault account ID, the asset ID, and (optionally) the change and the address index in the transaction payload. These properties together comprise a full BIP44-like derivation path. Typically this approach is used to create custom transactions on supported protocols.
Using Raw Signing
You can use Raw Signing via the Fireblocks API. Learn more in our Developer Portal.