Sui Keytool CLI

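The Sui CLI keytool command provides command-level access for managing and generating addresses and for working with private keys, signatures, and zkLogin. For example, a user can export a private key from the Sui Wallet and import it into the local Sui CLI wallet with the sui keytool import [...] command.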

Check Sui CLI installation

Before you can use the Sui CLI, you must install it. To check if the CLI exists on your system, open a terminal or console and type the following command:

$ sui --version

If the terminal or console responds with a version number, you already have the Sui CLI installed.

If the command is not found, follow the instructions in Install Sui to get the Sui CLI on your system.

Commands

Usage: sui keytool [OPTIONS] <COMMAND>

Commands:
convert Convert private key from legacy formats (e.g. Hex or Base64) to Bech32 encoded 33 byte `flag || private key` begins with `suiprivkey`
decode-or-verify-tx Given a Base64 encoded transaction bytes, decode its components. If a signature is provided, verify the signature against the transaction
and output the result.
decode-multi-sig Given a Base64 encoded MultiSig signature, decode its components. If tx_bytes is passed in, verify the multisig
generate Generate a new key pair with key scheme flag {ed25519 | secp256k1 | secp256r1} with optional derivation path, default to
m/44'/784'/0'/0'/0' for ed25519 or m/54'/784'/0'/0/0 for secp256k1 or m/74'/784'/0'/0/0 for secp256r1. Word length can be { word12 |
word15 | word18 | word21 | word24} default to word12 if not specified
import Add a new key to sui.keystore using either the input mnemonic phrase or a private key (from the Wallet), the key scheme flag {ed25519 |
secp256k1 | secp256r1} and an optional derivation path, default to m/44'/784'/0'/0'/0' for ed25519 or m/54'/784'/0'/0/0 for secp256k1
or m/74'/784'/0'/0/0 for secp256r1. Supports mnemonic phrase of word length 12, 15, 18`, 21, 24
list List all keys by its Sui address, Base64 encoded public key, key scheme name in sui.keystore
load-keypair This reads the content at the provided file path. The accepted format can be [enum SuiKeyPair] (Base64 encoded of 33-byte `flag ||
privkey`) or `type AuthorityKeyPair` (Base64 encoded `privkey`). This prints out the account key pair as Base64 encoded `flag ||
privkey`, the network key pair, worker key pair, protocol key pair as Base64 encoded `privkey`
multi-sig-address To MultiSig Sui Address. Pass in a list of all public keys `flag || pk` in Base64. See `keytool list` for example public keys
multi-sig-combine-partial-sig Provides a list of participating signatures (`flag || sig || pk` encoded in Base64), threshold, a list of all public keys and a list of
their weights that define the MultiSig address. Returns a valid MultiSig signature and its sender address. The result can be used as
signature field for `sui client execute-signed-tx`. The sum of weights of all signatures must be >= the threshold
multi-sig-combine-partial-sig-legacy
show Read the content at the provided file path. The accepted format can be [enum SuiKeyPair] (Base64 encoded of 33-byte `flag || privkey`)
or `type AuthorityKeyPair` (Base64 encoded `privkey`). It prints its Base64 encoded public key and the key scheme flag
sign Create signature using the private key for the given address in Sui Keystore. Any signature commits to a [struct IntentMessage]
consisting of the Base64 encoded of the BCS serialized transaction bytes itself and its intent. If intent is absent, default will be
used
sign-kms Creates a signature by leveraging AWS KMS. Pass in a key-id to leverage Amazon KMS to sign a message and the base64 pubkey. Generate
PubKey from pem using MystenLabs/base64pemkey Any signature commits to a [struct IntentMessage] consisting of the Base64 encoded of the
BCS serialized transaction bytes itself and its intent. If intent is absent, default will be used
unpack This takes [enum SuiKeyPair] of Base64 encoded of 33-byte (`flag || privkey`). It outputs the key pair into a file at the current
directory where the address is the filename, and prints out its Sui address, Base64 encoded public key, the key scheme, and the key
scheme flag
zk-login-sign-and-execute-tx Given the max_epoch, generate an OAuth url, ask user to paste the redirect with id_token, call salt server, then call the prover
server, create a test transaction, use the ephemeral key to sign and execute it by assembling to a serialized zkLogin signature
zk-login-enter-token A workaround to the above command because sometimes token pasting does not work. All the inputs required here are printed from the
command above
zk-login-sig-verify Given a zkLogin signature, parse it if valid. If tx_bytes provided, it verifies the zkLogin signature based on provider and its latest
JWK fetched. Example request: sui keytool zk-login-sig-verify --sig $SERIALIZED_ZKLOGIN_SIG --tx-bytes $TX_BYTES --provider Google
--curr-epoch 10
help Print this message or the help of the given subcommand(s)

Options:
--keystore-path <KEYSTORE_PATH>
--json Return command outputs in json format
-h, --help Print help

JSON output

Append the --json flag to a command to format the response as JSON instead of the more human-friendly default Sui CLI output. This is useful, for example, for very large datasets, whose results can be hard to display on smaller screens.

Examples

The following examples show some of the most frequently used commands.

List the key pairs in the local wallet

Use the sui keytool list command to print all Sui addresses in the ~/.sui/sui_config/sui.keystore file in a readable format.

$ sui keytool list
╭────────────────────────────────────────────────────────────────────────────────────────────╮
│ ╭─────────────────┬──────────────────────────────────────────────────────────────────────╮ │
│ │ suiAddress │ 0x3047f142a84297a42a65fb0a8c7a716d9d1b0bd0413d6bfa5ddfec45df175235 │ │
│ │ publicBase64Key │ AHsXwcxaWNaNtCIIszwu7V2G6HO8aNM1598w/8y0zI5q │ │
│ │ keyScheme │ ed25519 │ │
│ │ flag │ 0 │ │
│ │ peerId │ 7b17c1cc5a58d68db42208b33c2eed5d86e873bc68d335e7df30ffccb4cc8e6a │ │
│ ╰─────────────────┴──────────────────────────────────────────────────────────────────────╯ │
│ ╭─────────────────┬──────────────────────────────────────────────────────────────────────╮ │
│ │ suiAddress │ 0x514692f08249c3e9957799ce29074695840422564bff85e424b56de462913e0d │ │
│ │ publicBase64Key │ AKJCGi8R8TslhYdO2OHIjI6rbr+to1eR+vlOjigLY6SX │ │
│ │ keyScheme │ ed25519 │ │
│ │ flag │ 0 │ │
│ │ peerId │ a2421a2f11f13b2585874ed8e1c88c8eab6ebfada35791faf94e8e280b63a497 │ │
│ ╰─────────────────┴──────────────────────────────────────────────────────────────────────╯ │
╰────────────────────────────────────────────────────────────────────────────────────────────╯

Generate a new key pair and store it in a file

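To generate a new key pair with the ed25519 scheme, use the sui keytool generate ed25519 command. For other schemes, see sui keytool generate --help. The key pair file is saved in the current directory, and its filename is the address. The content of the file is a Base64 encoded string of the 33-byte flag || privkey.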

$ sui keytool generate ed25519
╭─────────────────┬───────────────────────────────────────────────────────────────────────────────────╮
│ suiAddress │ 0x5d8aa70f17d9343813d3ba6a59ecf5e8a23ffb487938e860999a722989eaef25 │
│ publicBase64Key │ AKTAGf9iv0JqeLXXlsr4PUzBXb9VY8lK7xiZMS50GSu6 │
│ keyScheme │ ed25519 │
│ flag │ 0 │
│ mnemonic │ cushion price ability recall payment embody kid media rude mosquito chalk broom │
│ peerId │ a4c019ff62bf426a78b5d796caf83d4cc15dbf5563c94aef1899312e74192bba │
╰─────────────────┴───────────────────────────────────────────────────────────────────────────────────╯

Show the key pair data from a file

Use the sui keytool show [filename] command to view the key pair data stored in a file. For example, the previous command generated a file named 0x5d8aa70f17d9343813d3ba6a59ecf5e8a23ffb487938e860999a722989eaef25.key.

$ sui keytool show 0x5d8aa70f17d9343813d3ba6a59ecf5e8a23ffb487938e860999a722989eaef25.key
╭─────────────────┬──────────────────────────────────────────────────────────────────────╮
│ suiAddress │ 0x5d8aa70f17d9343813d3ba6a59ecf5e8a23ffb487938e860999a722989eaef25 │
│ publicBase64Key │ AC+AKTAGf9iv0JqeLXXlsr4PUzBXb9VY8lK7xiZMS50GSu6 │
│ keyScheme │ ed25519 │
│ flag │ 0 │
│ peerId │ a4c019ff62bf426a78b5d796caf83d4cc15dbf5563c94aef1899312e74192bba │
╰─────────────────┴──────────────────────────────────────────────────────────────────────╯

Sign a transaction

$ sui keytool sign --data AAABACBRRpLwgknD6ZV3mc4pB0aVhAQiVkv/heQktW3kYpE+DQEBAQABAAAwR/FCqEKXpCpl+wqMenFtnRsL0EE9a/pd3+xF3xdSNQEaEUeErlBmGWxz3Bh+9BZh2mzayodzsri7xIZNDHRA3wIAAAAAAAAAILsR2d1FIZ5+ADDYZtJ2e9CWlpAxsGd4Y2rZrjlyTUF1MEfxQqhCl6QqZfsKjHpxbZ0bC9BBPWv6Xd/sRd8XUjXoAwAAAAAAAICWmAAAAAAAAA== --address 0x3047f142a84297a42a65fb0a8c7a716d9d1b0bd0413d6bfa5ddfec45df175235
╭──────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ suiAddress │ 0x3047f142a84297a42a65fb0a8c7a716d9d1b0bd0413d6bfa5ddfec45df175235 │
│ rawTxData │ AAABACBRRpLwgknD6ZV3mc4pB0aVhAQiVkv/heQktW3kYpE+DQEBAQABAAAwR/FCqEKXpCpl+wqMenFtnRsL0EE9a/pd3+xF3xdSNQEaEUeErlBmGWxz3Bh+9BZh2mzayodzsri7xIZNDHRA3wIAAAAAAAAAILsR │
│ │ 2d1FIZ5+ADDYZtJ2e9CWlpAxsGd4Y2rZrjlyTUF1MEfxQqhCl6QqZfsKjHpxbZ0bC9BBPWv6Xd/sRd8XUjXoAwAAAAAAAICWmAAAAAAAAA== │
│ intent │ ╭─────────┬─────╮ │
│ │ │ scope │ 0 │ │
│ │ │ version │ 0 │ │
│ │ │ app_id │ 0 │ │
│ │ ╰─────────┴─────╯ │
│ rawIntentMsg │ AAAAAAABACBRRpLwgknD6ZV3mc4pB0aVhAQiVkv/heQktW3kYpE+DQEBAQABAAAwR/FCqEKXpCpl+wqMenFtnRsL0EE9a/pd3+xF3xdSNQEaEUeErlBmGWxz3Bh+9BZh2mzayodzsri7xIZNDHRA3wIAAAAAAAAA │
│ │ ILsR2d1FIZ5+ADDYZtJ2e9CWlpAxsGd4Y2rZrjlyTUF1MEfxQqhCl6QqZfsKjHpxbZ0bC9BBPWv6Xd/sRd8XUjXoAwAAAAAAAICWmAAAAAAAAA== │
│ digest │ +B8Cbr16HfOVT50DoN/QF8HB0+oznm8KAYy8Rm+TQFo= │
│ suiSignature │ ANucBEl9TIE0uv+w965DvOjlfDUll7NUtIpJgRhPc3D3y3EtZ4cvaNbm8i5pc7TNIov/qI0FhzIYf2J6PbqoNQ57F8HMWljWjbQiCLM8Lu1dhuhzvGjTNeffMP/MtMyOag== │
╰──────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
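The following Python sketch is an added example, not code from the Sui project: it rebuilds the intent message that the signature above commits to and splits the suiSignature value into `flag || sig || pk`, so the embedded public key can be compared with the publicBase64Key row of `sui keytool list` before a signature is trusted. The function names are illustrative. It assumes the digest row is the BLAKE2b-256 hash of the intent message and that a Sui address is BLAKE2b-256 of `flag || pk`.

```python
import base64
import hashlib

# Copied from the `sui keytool sign` example output on this page.
RAW_TX_DATA = "AAABACBRRpLwgknD6ZV3mc4pB0aVhAQiVkv/heQktW3kYpE+DQEBAQABAAAwR/FCqEKXpCpl+wqMenFtnRsL0EE9a/pd3+xF3xdSNQEaEUeErlBmGWxz3Bh+9BZh2mzayodzsri7xIZNDHRA3wIAAAAAAAAAILsR2d1FIZ5+ADDYZtJ2e9CWlpAxsGd4Y2rZrjlyTUF1MEfxQqhCl6QqZfsKjHpxbZ0bC9BBPWv6Xd/sRd8XUjXoAwAAAAAAAICWmAAAAAAAAA=="
SUI_SIGNATURE = "ANucBEl9TIE0uv+w965DvOjlfDUll7NUtIpJgRhPc3D3y3EtZ4cvaNbm8i5pc7TNIov/qI0FhzIYf2J6PbqoNQ57F8HMWljWjbQiCLM8Lu1dhuhzvGjTNeffMP/MtMyOag=="

# flag -> (scheme, signature length, public key length) for the key schemes
# keytool generates. MultiSig and zkLogin signatures are out of scope here.
SCHEMES = {0: ("ed25519", 64, 32), 1: ("secp256k1", 64, 33), 2: ("secp256r1", 64, 33)}


def intent_message(tx_b64, scope=0, version=0, app_id=0):
    """Signed bytes: three intent bytes, then the BCS tx bytes (rawIntentMsg, decoded)."""
    return bytes([scope, version, app_id]) + base64.b64decode(tx_b64, validate=True)


def signing_digest(tx_b64, **intent):
    """Base64 BLAKE2b-256 of the intent message (assumed to be the digest row)."""
    digest = hashlib.blake2b(intent_message(tx_b64, **intent), digest_size=32).digest()
    return base64.b64encode(digest).decode()


def parse_signature(sig_b64):
    """Split `flag || sig || pk`, rejecting unknown flags and wrong lengths."""
    raw = base64.b64decode(sig_b64, validate=True)
    if not raw or raw[0] not in SCHEMES:
        raise ValueError("unknown signature scheme flag")
    scheme, sig_len, pk_len = SCHEMES[raw[0]]
    if len(raw) != 1 + sig_len + pk_len:
        raise ValueError(f"{scheme}: expected {1 + sig_len + pk_len} bytes, got {len(raw)}")
    pk = raw[1 + sig_len:]
    # public_b64 is `flag || pk`, the form `sui keytool list` shows as publicBase64Key.
    return {"scheme": scheme, "flag": raw[0], "sig": raw[1:1 + sig_len], "pk": pk,
            "public_b64": base64.b64encode(raw[:1] + pk).decode()}


def sui_address(flag, pk):
    """Assumed derivation: BLAKE2b-256(flag || pk), hex encoded with a 0x prefix."""
    return "0x" + hashlib.blake2b(bytes([flag]) + pk, digest_size=32).hexdigest()


def signer_matches(sig_b64, expected_address):
    """True only if the key embedded in the signature hashes to expected_address."""
    parsed = parse_signature(sig_b64)
    return sui_address(parsed["flag"], parsed["pk"]) == expected_address.lower()
```

This checks structure and key binding only; it does not verify the signature itself, which `sui keytool decode-or-verify-tx` does when a signature is supplied.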

Help

Each command has its own help section. For example, entering sui keytool sign --help displays the following help text:

$ sui keytool sign --help
Create signature using the private key for the given address in Sui Keystore. Any signature commits to a [struct IntentMessage] consisting of the Base64 encoded of the BCS serialized
transaction bytes itself and its intent. If intent is absent, default will be used

Usage: sui keytool sign [OPTIONS] --address <ADDRESS> --data <DATA>

Options:
--address <ADDRESS>
--data <DATA>
--json Return command outputs in json format
--intent <INTENT>
-h, --help Print help