We’re excited to announce Signatory v1.3.1, now available as a release candidate. This release brings Tallinn protocol support, new policy controls for tighter operational security, and continued improvements for enterprise and institutional operators.
Tallinn Protocol Support
Signatory v1.3.1 is ready for the upcoming Tallinn protocol upgrade. Thanks to gotez v2.3.19, all protocol interfaces and operation types are updated—no configuration changes required for existing deployments.
New Policy Controls
This release introduces two powerful new policy options for operators who need fine-grained control:
- allowed_chains: Restrict signing to specific Tezos chain IDs. Prevent mainnet keys from ever signing testnet operations (or vice versa), a common compliance requirement for institutional custody
- allow_proof_of_possession: Explicitly control BLS proof-of-possession signing for tz4 keys, with PoP status now visible in key listings
Stricter Request Validation
Signatory now performs stricter validation of sign requests and operation kinds. Invalid or unrecognized operations are rejected with clear error messages, providing better security boundaries and faster debugging when clients are misconfigured.
Signature Canonization
Signatory now applies low-S normalization to ECDSA signatures across Azure and AWS KMS vaults. This protects against signature malleability and keeps signature formats consistent, which matters for interoperability and security auditing.
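What low-S normalization does, as an added Go example that is not Signatory's own code: for any valid ECDSA signature (r, s), the pair (r, n - s) also verifies, so a signer keeps only the form whose s is at most half the group order n. The P-256 curve, the throwaway key, the sample payload and the names IsLowS, NormalizeLowS and Demo are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// IsLowS reports whether s lies in the lower half of the group order n.
func IsLowS(curve elliptic.Curve, s *big.Int) bool {
	return s.Cmp(new(big.Int).Rsh(curve.Params().N, 1)) <= 0
}

// NormalizeLowS returns the canonical s (n - s if s was high) and whether it flipped.
func NormalizeLowS(curve elliptic.Curve, s *big.Int) (*big.Int, bool) {
	if IsLowS(curve, s) {
		return new(big.Int).Set(s), false
	}
	return new(big.Int).Sub(curve.Params().N, s), true
}

// Demo signs a constructed payload with a throwaway P-256 key (assumption: it
// stands in for a KMS-held key) and compares (r, s) with its twin (r, n-s).
func Demo() (bothVerify, sameCanonical bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256([]byte("constructed sample payload"))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return false, false, err
	}
	twin := new(big.Int).Sub(key.Params().N, s)
	bothVerify = ecdsa.Verify(&key.PublicKey, digest[:], r, s) &&
		ecdsa.Verify(&key.PublicKey, digest[:], r, twin)
	c1, _ := NormalizeLowS(key.Curve, s)
	c2, _ := NormalizeLowS(key.Curve, twin)
	sameCanonical = c1.Cmp(c2) == 0 && IsLowS(key.Curve, c1)
	return bothVerify, sameCanonical, nil
}

func main() {
	both, same, err := Demo()
	fmt.Println("both forms verify:", both, "one canonical form:", same, "err:", err)
}
```

A verifier or audit pipeline that compares signatures byte for byte can apply the IsLowS check on input to confirm it only ever sees the canonical form.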
Security Updates
- Upgraded JWT authentication library to v5, addressing CVE-2024-51744
- Fixed a credential rotation bug where authentication could fail during key rotation windows
What’s Next
We’re continuing to build Signatory for enterprise and institutional operators:
- Enhanced Observability: Better metrics and structured logging for monitoring integration
- CloudHSM Backend for Nitro Enclave: AWS CloudHSM support for FIPS 140-2 Level 3 certified key storage (#724)
- Audit Readiness: Signatory is already built with auditability in mind—we’re adding improved audit logging and documentation for SOC 2 control mapping
Coming Soon: Signatory-EVM for Etherlink
We’re developing Signatory-EVM—bringing Signatory’s secure key management to Etherlink execution layer signing. This enables unified key management across Tezos X ledgers and runtimes, allowing operators to manage L1 baking keys and Etherlink EVM keys through a single, auditable signing infrastructure.
Use cases include:
- DeFi & Application Backends: Secure signing for smart contract interactions and automated operations
- Oracle Operators: HSM-backed key management for price feeds and data attestations
- Bridge Operators: Secure custody of bridge signing keys with policy controls
- Institutional Custody: Unified key management for Tezos and Etherlink assets
Interested in early access? Contact us at frontdesk@ecadlabs.com.
Upgrade Checklist
- Review release notes for full changelog
- Test in your staging environment (this is an RC release)
- Consider enabling allowed_chains if you operate across multiple networks
- Review allow_proof_of_possession settings for tz4 keys
Resources
- Release: v1.3.1-rc1 on GitHub
- Documentation: signatory.io
- New: DAL & BLS Attestations Guide
- New: Glossary
Important Notes
- This is a release candidate—please test thoroughly before production deployment
- No breaking changes; existing configurations continue to work
- Tallinn protocol support is ready for when the upgrade activates
Signatory development is partly funded by the Tezos Foundation.
Questions or feedback? Reach us at support@ecadlabs.com or open an issue on GitHub.