Sui Keytool CLI
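The Sui CLI keytool command provides command-level access for managing and generating addresses, and for working with private keys, signatures, and zkLogin. For example, a user can export a private key from the Sui Wallet and import it into the local Sui CLI wallet with the sui keytool import [...] command.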
Commands
Usage: sui keytool [OPTIONS] <COMMAND>
Commands:
convert Convert private key from legacy formats (e.g. Hex or Base64) to Bech32 encoded 33 byte `flag || private key` begins with `suiprivkey`
decode-or-verify-tx Given a Base64 encoded transaction bytes, decode its components. If a signature is provided, verify the signature against the transaction
and output the result.
decode-multi-sig Given a Base64 encoded MultiSig signature, decode its components. If tx_bytes is passed in, verify the multisig
generate Generate a new key pair with key scheme flag {ed25519 | secp256k1 | secp256r1} with optional derivation path, default to
m/44'/784'/0'/0'/0' for ed25519 or m/54'/784'/0'/0/0 for secp256k1 or m/74'/784'/0'/0/0 for secp256r1. Word length can be { word12 |
word15 | word18 | word21 | word24} default to word12 if not specified
import Add a new key to sui.keystore using either the input mnemonic phrase or a private key (from the Wallet), the key scheme flag {ed25519 |
secp256k1 | secp256r1} and an optional derivation path, default to m/44'/784'/0'/0'/0' for ed25519 or m/54'/784'/0'/0/0 for secp256k1
or m/74'/784'/0'/0/0 for secp256r1. Supports mnemonic phrase of word length 12, 15, 18`, 21, 24
list List all keys by its Sui address, Base64 encoded public key, key scheme name in sui.keystore
load-keypair This reads the content at the provided file path. The accepted format can be [enum SuiKeyPair] (Base64 encoded of 33-byte `flag ||
privkey`) or `type AuthorityKeyPair` (Base64 encoded `privkey`). This prints out the account key pair as Base64 encoded `flag ||
privkey`, the network key pair, worker key pair, protocol key pair as Base64 encoded `privkey`
multi-sig-address To MultiSig Sui Address. Pass in a list of all public keys `flag || pk` in Base64. See `keytool list` for example public keys
multi-sig-combine-partial-sig Provides a list of participating signatures (`flag || sig || pk` encoded in Base64), threshold, a list of all public keys and a list of
their weights that define the MultiSig address. Returns a valid MultiSig signature and its sender address. The result can be used as
signature field for `sui client execute-signed-tx`. The sum of weights of all signatures must be >= the threshold
multi-sig-combine-partial-sig-legacy
show Read the content at the provided file path. The accepted format can be [enum SuiKeyPair] (Base64 encoded of 33-byte `flag || privkey`)
or `type AuthorityKeyPair` (Base64 encoded `privkey`). It prints its Base64 encoded public key and the key scheme flag
sign Create signature using the private key for the given address in Sui Keystore. Any signature commits to a [struct IntentMessage]
consisting of the Base64 encoded of the BCS serialized transaction bytes itself and its intent. If intent is absent, default will be
used
sign-kms Creates a signature by leveraging AWS KMS. Pass in a key-id to leverage Amazon KMS to sign a message and the base64 pubkey. Generate
PubKey from pem using MystenLabs/base64pemkey Any signature commits to a [struct IntentMessage] consisting of the Base64 encoded of the
BCS serialized transaction bytes itself and its intent. If intent is absent, default will be used
unpack This takes [enum SuiKeyPair] of Base64 encoded of 33-byte (`flag || privkey`). It outputs the key pair into a file at the current
directory where the address is the filename, and prints out its Sui address, Base64 encoded public key, the key scheme, and the key
scheme flag
zk-login-sign-and-execute-tx Given the max_epoch, generate an OAuth url, ask user to paste the redirect with id_token, call salt server, then call the prover
server, create a test transaction, use the ephemeral key to sign and execute it by assembling to a serialized zkLogin signature
zk-login-enter-token A workaround to the above command because sometimes token pasting does not work. All the inputs required here are printed from the
command above
zk-login-sig-verify Given a zkLogin signature, parse it if valid. If tx_bytes provided, it verifies the zkLogin signature based on provider and its latest
JWK fetched. Example request: sui keytool zk-login-sig-verify --sig $SERIALIZED_ZKLOGIN_SIG --tx-bytes $TX_BYTES --provider Google
--curr-epoch 10
help Print this message or the help of the given subcommand(s)
Options:
--keystore-path <KEYSTORE_PATH>
--json Return command outputs in json format
-h, --help Print help
JSON output
Append the --json flag to a command to format its response as JSON instead of the more human-friendly default Sui CLI output. This is useful, for example, with very large datasets, whose results can be hard to display on a small screen.
Examples
The following examples show some of the most frequently used commands.
List the key pairs in the local wallet
Use the sui keytool list command to print, in a readable format, all the Sui addresses in the ~/.sui/sui_config/sui.keystore file.
$ sui keytool list
╭────────────────────────────────────────────────────────────────────────────────────────────╮
│ ╭─────────────────┬──────────────────────────────────────────────────────────────────────╮ │
│ │ suiAddress │ 0x3047f142a84297a42a65fb0a8c7a716d9d1b0bd0413d6bfa5ddfec45df175235 │ │
│ │ publicBase64Key │ AHsXwcxaWNaNtCIIszwu7V2G6HO8aNM1598w/8y0zI5q │ │
│ │ keyScheme │ ed25519 │ │
│ │ flag │ 0 │ │
│ │ peerId │ 7b17c1cc5a58d68db42208b33c2eed5d86e873bc68d335e7df30ffccb4cc8e6a │ │
│ ╰─────────────────┴──────────────────────────────────────────────────────────────────────╯ │
│ ╭─────────────────┬──────────────────────────────────────────────────────────────────────╮ │
│ │ suiAddress │ 0x514692f08249c3e9957799ce29074695840422564bff85e424b56de462913e0d │ │
│ │ publicBase64Key │ AKJCGi8R8TslhYdO2OHIjI6rbr+to1eR+vlOjigLY6SX │ │
│ │ keyScheme │ ed25519 │ │
│ │ flag │ 0 │ │
│ │ peerId │ a2421a2f11f13b2585874ed8e1c88c8eab6ebfada35791faf94e8e280b63a497 │ │
│ ╰─────────────────┴──────────────────────────────────────────────────────────────────────╯ │
╰────────────────────────────────────────────────────────────────────────────────────────────╯
Generate a new key pair and store it in a file
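To generate a new key pair with the ed25519 scheme, use the sui keytool generate ed25519 command. For other schemes, see sui keytool generate --help. The key pair file is saved to the current directory, and its filename is the address. The content of the file is a Base64 encoded string of the 33-byte flag || privkey.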
$ sui keytool generate ed25519
╭─────────────────┬───────────────────────────────────────────────────────────────────────────────────╮
│ suiAddress │ 0x5d8aa70f17d9343813d3ba6a59ecf5e8a23ffb487938e860999a722989eaef25 │
│ publicBase64Key │ AKTAGf9iv0JqeLXXlsr4PUzBXb9VY8lK7xiZMS50GSu6 │
│ keyScheme │ ed25519 │
│ flag │ 0 │
│ mnemonic │ cushion price ability recall payment embody kid media rude mosquito chalk broom │
│ peerId │ a4c019ff62bf426a78b5d796caf83d4cc15dbf5563c94aef1899312e74192bba │
╰─────────────────┴───────────────────────────────────────────────────────────────────────────────────╯
Show the key pair data from a file
Use the sui keytool show [filename] command to view the key pair data stored in a file. For example, the previous command generated a file named 0x5d8aa70f17d9343813d3ba6a59ecf5e8a23ffb487938e860999a722989eaef25.key.
$ sui keytool show 0x5d8aa70f17d9343813d3ba6a59ecf5e8a23ffb487938e860999a722989eaef25.key
╭─────────────────┬──────────────────────────────────────────────────────────────────────╮
│ suiAddress │ 0x5d8aa70f17d9343813d3ba6a59ecf5e8a23ffb487938e860999a722989eaef25 │
│ publicBase64Key │ AC+AKTAGf9iv0JqeLXXlsr4PUzBXb9VY8lK7xiZMS50GSu6 │
│ keyScheme │ ed25519 │
│ flag │ 0 │
│ peerId │ a4c019ff62bf426a78b5d796caf83d4cc15dbf5563c94aef1899312e74192bba │
╰─────────────────┴──────────────────────────────────────────────────────────────────────╯
Sign a transaction
$ sui keytool sign --data AAABACBRRpLwgknD6ZV3mc4pB0aVhAQiVkv/heQktW3kYpE+DQEBAQABAAAwR/FCqEKXpCpl+wqMenFtnRsL0EE9a/pd3+xF3xdSNQEaEUeErlBmGWxz3Bh+9BZh2mzayodzsri7xIZNDHRA3wIAAAAAAAAAILsR2d1FIZ5+ADDYZtJ2e9CWlpAxsGd4Y2rZrjlyTUF1MEfxQqhCl6QqZfsKjHpxbZ0bC9BBPWv6Xd/sRd8XUjXoAwAAAAAAAICWmAAAAAAAAA== --address 0x3047f142a84297a42a65fb0a8c7a716d9d1b0bd0413d6bfa5ddfec45df175235
╭──────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ suiAddress │ 0x3047f142a84297a42a65fb0a8c7a716d9d1b0bd0413d6bfa5ddfec45df175235 │
│ rawTxData │ AAABACBRRpLwgknD6ZV3mc4pB0aVhAQiVkv/heQktW3kYpE+DQEBAQABAAAwR/FCqEKXpCpl+wqMenFtnRsL0EE9a/pd3+xF3xdSNQEaEUeErlBmGWxz3Bh+9BZh2mzayodzsri7xIZNDHRA3wIAAAAAAAAAILsR │
│ │ 2d1FIZ5+ADDYZtJ2e9CWlpAxsGd4Y2rZrjlyTUF1MEfxQqhCl6QqZfsKjHpxbZ0bC9BBPWv6Xd/sRd8XUjXoAwAAAAAAAICWmAAAAAAAAA== │
│ intent │ ╭─────────┬─────╮ │
│ │ │ scope │ 0 │ │
│ │ │ version │ 0 │ │
│ │ │ app_id │ 0 │ │
│ │ ╰─────────┴─────╯ │
│ rawIntentMsg │ AAAAAAABACBRRpLwgknD6ZV3mc4pB0aVhAQiVkv/heQktW3kYpE+DQEBAQABAAAwR/FCqEKXpCpl+wqMenFtnRsL0EE9a/pd3+xF3xdSNQEaEUeErlBmGWxz3Bh+9BZh2mzayodzsri7xIZNDHRA3wIAAAAAAAAA │
│ │ ILsR2d1FIZ5+ADDYZtJ2e9CWlpAxsGd4Y2rZrjlyTUF1MEfxQqhCl6QqZfsKjHpxbZ0bC9BBPWv6Xd/sRd8XUjXoAwAAAAAAAICWmAAAAAAAAA== │
│ digest │ +B8Cbr16HfOVT50DoN/QF8HB0+oznm8KAYy8Rm+TQFo= │
│ suiSignature │ ANucBEl9TIE0uv+w965DvOjlfDUll7NUtIpJgRhPc3D3y3EtZ4cvaNbm8i5pc7TNIov/qI0FhzIYf2J6PbqoNQ57F8HMWljWjbQiCLM8Lu1dhuhzvGjTNeffMP/MtMyOag== │
╰──────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
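The following Python is an added example, not part of the Sui documentation: it splits the suiSignature and rawIntentMsg values from the output above into their fields and checks that the public key embedded in the signature is the publicBase64Key that sui keytool list reports for the signing address. It assumes the `flag || sig || pk` signature layout named in the command list and a three-byte intent (scope, version, app_id) in front of the transaction bytes; the secp256k1 and secp256r1 flag values and lengths in the table are assumptions that do not appear in the output on this page.

```python
import base64

# flag -> (scheme, signature length, public key length). Flag 0 appears on this
# page; the secp256k1/secp256r1 entries are assumptions added for illustration.
SCHEMES = {0: ("ed25519", 64, 32), 1: ("secp256k1", 64, 33), 2: ("secp256r1", 64, 33)}

# Values copied from the `sui keytool sign` and `sui keytool list` output above.
RAW_INTENT_MSG = (
    "AAAAAAABACBRRpLwgknD6ZV3mc4pB0aVhAQiVkv/heQktW3kYpE+DQEBAQABAAAwR/FCqEKXpCpl+wqMenFtnRsL0EE9a/pd3+xF3xdSNQEaEUeErlBmGWxz3Bh+9BZh2mzayodzsri7xIZNDHRA3wIAAAAAAAAA"
    "ILsR2d1FIZ5+ADDYZtJ2e9CWlpAxsGd4Y2rZrjlyTUF1MEfxQqhCl6QqZfsKjHpxbZ0bC9BBPWv6Xd/sRd8XUjXoAwAAAAAAAICWmAAAAAAAAA=="
)
SUI_SIGNATURE = (
    "ANucBEl9TIE0uv+w965DvOjlfDUll7NUtIpJgRhPc3D3y3EtZ4cvaNbm8i5pc7TNIov/"
    "qI0FhzIYf2J6PbqoNQ57F8HMWljWjbQiCLM8Lu1dhuhzvGjTNeffMP/MtMyOag=="
)
SIGNER_PUBLIC_KEY = "AHsXwcxaWNaNtCIIszwu7V2G6HO8aNM1598w/8y0zI5q"  # publicBase64Key


def parse_signature(sig_b64):
    """Split `flag || sig || pk` into (flag, signature, public key)."""
    raw = base64.b64decode(sig_b64, validate=True)
    if not raw or raw[0] not in SCHEMES:
        raise ValueError("missing or unsupported scheme flag")
    name, sig_len, pk_len = SCHEMES[raw[0]]
    if len(raw) != 1 + sig_len + pk_len:
        raise ValueError(f"{name}: expected {1 + sig_len + pk_len} bytes, got {len(raw)}")
    return raw[0], raw[1:1 + sig_len], raw[1 + sig_len:]


def parse_intent_message(msg_b64):
    """Split an intent message into ((scope, version, app_id), tx bytes)."""
    raw = base64.b64decode(msg_b64, validate=True)
    if len(raw) <= 3:
        raise ValueError("intent message too short")
    return tuple(raw[:3]), raw[3:]


def signer_matches(sig_b64, expected_pub_b64):
    """True when the signature embeds exactly the expected `flag || pk`."""
    flag, _, pk = parse_signature(sig_b64)
    return bytes([flag]) + pk == base64.b64decode(expected_pub_b64, validate=True)


if __name__ == "__main__":
    flag, sig, pk = parse_signature(SUI_SIGNATURE)
    print(SCHEMES[flag][0], pk.hex(), signer_matches(SUI_SIGNATURE, SIGNER_PUBLIC_KEY))
    print(parse_intent_message(RAW_INTENT_MSG)[0])
```

The hex form of the extracted public key is the peerId value shown for the same address in the sui keytool list output.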
Help
Each command has its own help section. For example, entering sui keytool sign --help displays the following help text.
$ sui keytool sign --help
Create signature using the private key for the given address in Sui Keystore. Any signature commits to a [struct IntentMessage] consisting of the Base64 encoded of the BCS serialized
transaction bytes itself and its intent. If intent is absent, default will be used
Usage: sui keytool sign [OPTIONS] --address <ADDRESS> --data <DATA>
Options:
--address <ADDRESS>
--data <DATA>
--json Return command outputs in json format
--intent <INTENT>
-h, --help Print help