Important
Raw Signing is an insecure signing method and is not generally recommended. Bad actors can trick someone into signing a valid transaction message and use it to steal funds.
For this reason, Raw Signing is a premium feature that requires an additional purchase and is not available in workspaces by default. If you're interested in this feature and want to see if your use case is eligible for it, please contact your Customer Success Manager.
Overview
The Raw Signing feature allows you to generate ECDSA and EdDSA signatures to sign any transaction type or message.
Important
During the "Basic Concepts: NaE (Numbers as Everything)" portion of the video above, it is incorrectly stated that a is 91. The correct value of a is 97.
Typically Raw Signing is used in the following scenarios:
- When you want to sign a transaction on a blockchain that Fireblocks doesn’t currently support
- When you want to perform an operation that we don’t currently support on a blockchain that we do support (e.g., staking on a lesser-known blockchain)
- When you want to use cryptography to prove and validate messages (e.g., Proof of Assets, Proof of Addresses)
- When someone sends funds to your address over a blockchain that we don’t currently support, and you want to recover the funds
Enabling Raw Signing
By default, Raw Signing is not available in workspaces. Contact your Customer Success Manager to enable Raw Signing, which can take 3-5 business days according to our Service Level Agreement (SLA).
If Raw Signing is disabled in your workspace and you attempt to create a raw transaction, it will fail and show the BLOCKED_BY_POLICY substatus.
TAP rules for Raw Signing
The Transaction Authorization Policy (TAP) rejects all raw transactions by default. After enabling the Raw Signing feature, you must add TAP rules that allow users to initiate, approve, and sign raw transactions from specific vault accounts.
You can also use your TAP rules to limit the range of derivation paths, vault accounts, and assets available for raw transactions. Unless the rule explicitly defines a derivation path, it matches all derivation paths. When creating the rule, select Groups and accounts as your source and enter Any vault. Then you can enter a derivation path.
The derivation path used in signing can be passed along with the signing request in one of two ways:
- Explicitly: By passing the signing algorithm and the full derivation path.
- Implicitly: By passing the vault account ID, the asset ID, and (optionally) the change and the address index. These properties together comprise a full BIP44-like derivation path. Typically this approach is used to create custom transactions on supported protocols.
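The following is an added example, not Fireblocks code: a client-side pre-check that resolves both request forms to a full path and rejects anything outside an allowlist mirroring a TAP rule. The request field names, the `PathRule` class, the sample policy, and the `44 / coin type / vault account / change / address index` layout (plain integer components, SLIP-44 coin types) are assumptions made for illustration.

```python
# Added example: names and path layout are illustrative assumptions,
# not Fireblocks API fields.
from dataclasses import dataclass

PURPOSE = 44
# SLIP-44 coin types for two sample assets (constructed sample map).
COIN_TYPES = {"BTC": 0, "ETH": 60}


@dataclass(frozen=True)
class PathRule:
    """Local mirror of a TAP rule that limits raw-signing derivation paths."""
    coin_types: frozenset   # allowed coin types
    vault_ids: range        # allowed vault account IDs
    max_address_index: int  # highest address index allowed


def resolve_path(req: dict) -> tuple:
    """Return the full 5-element path for an explicit or implicit request."""
    if "derivation_path" in req:                       # explicit form
        path = tuple(req["derivation_path"])
    else:                                              # implicit form
        asset = req["asset_id"]
        if asset not in COIN_TYPES:
            raise ValueError(f"unknown asset {asset!r}")
        path = (PURPOSE, COIN_TYPES[asset], req["vault_account_id"],
                req.get("change", 0), req.get("address_index", 0))
    if len(path) != 5 or any(type(p) is not int or p < 0 for p in path):
        raise ValueError(f"malformed derivation path: {path!r}")
    return path


def is_allowed(req: dict, rule: PathRule) -> bool:
    """True only if the resolved path falls inside the rule's limits."""
    try:
        purpose, coin, vault, change, index = resolve_path(req)
    except (KeyError, ValueError, TypeError):
        return False                                   # fail closed
    return (purpose == PURPOSE and coin in rule.coin_types
            and vault in rule.vault_ids and change in (0, 1)
            and index <= rule.max_address_index)


RULE = PathRule(frozenset({60}), range(0, 3), 10)      # constructed policy
print(is_allowed({"asset_id": "ETH", "vault_account_id": 2}, RULE))
print(is_allowed({"derivation_path": [44, 0, 2, 0, 0]}, RULE))
```

A check like this complements the TAP rule rather than replacing it, since the TAP remains the control that actually blocks a raw transaction.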
Using Raw Signing
You can use Raw Signing via the Fireblocks API. Learn more on our Developer Portal.