Creating a Delegated Group Multisig AID

[pfeairheller]

This document describes the steps to follow to create a delegated group multisig AID using the command line tool from KERIpy and two agents hosted in KERIA, one controlled using the SignifyPy client library and one controlled using the Signify-ts client library. All the scripts described in this document are located in the scripts directory of Signify-ts.

Overview

This procedure described in this document creates an AID (delegator) with a single signing key using the KERIpy command line, 3 AIDs (multisig-kli, multisig-sigpy, multisig-sigts) each with a single signing key using the KERIpy command line, the SignifyPy client library and the Signify-ts client library respectively. It then creates a group multisig AID called multisig and declares the delegator AID as the delegator. Each client waits for the delegation approval and then collaborates with the other members to create Endpoint Role Authorizations for the multisig AID. All AIDs share the "demo witness pool" for witnesses and the two AIDs created using the Signify client libraries share a single KERIA instance for hosting their agents. The rest of this document describes how to launch the necessary components and run the scripts.

1. Prerequisites

KERIpy, KERIA and SignifyPy all require Python version 3.10.4 and at least pip version 22.0.4. An up-to-date version of libsodium needs to be installed on the target system. It is recommended to use venv or similar to create a unique virtual environment for each repository. Signify-ts requires node version v18.16.1, npm version 9.5.1 as well as ts-node to run the scripts mentioned here. The following list of commands details how to initialize each repository:

KERIpy

$ git clone https://github.com/WebOfTrust/keripy.git
$ cd keripy
$ pip install -r requirements.txt

KERIA

$ git clone https://github.com/WebOfTrust/keria.git
$ cd keria
$ git checkout main
$ pin install -r requirements.txt

SignifyPy

$ git clone https://github.com/WebOfTrust/signifypy.git
$ cd signifypy
$ git checkout main
$ pip install -r requirements.txt

Signify-TS

$ git clone https://github.com/WebOfTrust/signify-ts.git
$ cd signify-ts
$ git checkout main
$ npm install 
$ cd examples/scripts
$ npm install
$ npm install ts-node

KERIpy and KERIA share database initialization code and will share the same base directory for all databases. The logic for each is to use the base directory of /usr/local/var/keri if that directory is available and writable. If that directory is not available, each script will create a directory named .keri in the current user's HOME directory (if it does not already exist) and use that as the base for all databases. The scripts described in this document expect that they are starting with empty databases. For each run of the scripts described it is recommended to delete the contents of the base directory available to you.

For example, if you have /usr/local/var/keri writable for your user, running:

$ rm -rf /usr/local/var/keri/*

This will clear out the databases created by each script for a clean run of this procedure.

The convention for the rest of this document is to assume the use of venv for Python scripts and will preface the prompt in the examples with the name of a suggested venv environment in parenthesis. For example, (keripy) $ for executing commands with the virtual environment for KERIpy.

Finally, all scripts are written expecting the Bash shell and have only been tested on MacOS and Linux using the Bash shell on those architectures.

2. Witness Pool

The scripts for the Delegator AID, SignifyPy AID and KERIpy command line AID are all hardcoded to use the same witness AIDs. This approach allows for all environments to be easily configured with endpoints for those witnesses and to use the witnesses that are made available in the KERIpy demo witness pool. To launch the KERIpy demo witness pool, you must run the following command using the KERIpy virtual environment from the KERIpy repository directory. The command will print the witness AIDs that are provided. The command must be left running while all other scripts are run.

(keripy) $ kli witness demo
Witness wan : BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha
Witness wil : BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM
Witness wes : BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX
Witness wit : BM35JN8XeJSEfpxopjn5jr7tAHCE5749f0OobhMLCorE
Witness wub : BIj15u5V11bkbtAxMA7gcNJZcax-7TgaBMLsQnMHpYHP
Witness wyz : BF2rZTW79z4IXocYRQnjjsOuvFUQv-ptCf8Yltd7PfsM

3. KERIA Service

The scripts for creating the AIDs for SiginfyPy and SignifyTS are both hardcoded to use a KERIA service launched on the default ports for KERIA (3901 and 3902). To launch the KERIA service you must run the following command using the KERIA virtual environment from the KERIA repository directory. This command will print out a message indicating that it is ready and waiting for requests. This command must be left running while the remaining scripts execute.

(keria) $ keria start --config-dir scripts --config-file demo-witness-oobis
The Agency is loaded and waiting for requests...

4. Delegator Script

The script for the delegator is located in the examples/scripts directory of the Signify-ts repository and is called delegator.sh. This is the simplest of the scripts. It creates the delegator AID with a single signing key and single rotation key that uses 3 of the KERIpy demo witnesses with a witness threshold of 2. To execute this script, you must use the KERIpy virtual environment from the examples/scripts directory of the Signify-ts repository. Before launching this script, you must "source" the environment initialization file in that directory named env.sh. To initialize the delegator, execute the following:

(keripy) $ source ./env.sh
(keripy) $ ./delegator.sh
KERI Keystore created at: /usr/local/var/keri/ks/delegator
KERI Database created at: /usr/local/var/keri/db/delegator
KERI Credential Store created at: /usr/local/var/keri/reg/delegator

Loading 10 OOBIs...
http://127.0.0.1:5642/oobi/BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha/controller succeeded
http://127.0.0.1:5643/oobi/BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM/controller succeeded
http://127.0.0.1:5644/oobi/BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX/controller succeeded
http://127.0.0.1:7723/oobi/EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy succeeded
http://127.0.0.1:7723/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao succeeded
http://127.0.0.1:7723/oobi/EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw succeeded
http://127.0.0.1:7723/oobi/EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g succeeded
http://127.0.0.1:7723/oobi/EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E succeeded
http://127.0.0.1:7723/oobi/EMhvwOlyEJ9kN4PrwCpr9Jsv7TxPhiYveZ0oP3lJzdEi succeeded
http://127.0.0.1:7723/oobi/ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY succeeded
Waiting for witness receipts...
Prefix  EHpD0-CDWOdu5RJ8jHBSUkOqBZ3cXeDVHWNb_Ul89VI7
        Public key 1:  DPg4INjWDxsd4DzFCOAL0Kd7ic7TpvpJpUd_tTEVFOZg

Waiting for delegation request...

The script has created the database and keystore for the delegator AID, loaded all the out-of-band introductions (OOBIs) in its configuration file and created the Delegator AID. It then launches the KERIpy command line command for approving delegation requests. This script must be left running while the rest of the scripts are executed.

5. KERIpy Command Line Multisig Participant

The script for the KERIpy command line AID is located in the examples/scripts directory of the Signify-ts repository. This script uses the KERIpy command line to create the multisig-kli AID that has a single signing key and single rotation key that uses 3 of the KERIpy demo witness pool witnesses with a witness threshold of 2. To execute this script you must use the KERIpy virtual environment from the examples/scripts directory of the Signify-ts repository. Before launching this script, you must "source" the environment initialization file in that directory named env.sh.

(keripy) $ source ./env.sh
(keripy) $ ./multisig-kli.sh
KERI Keystore created at: /usr/local/var/keri/ks/multisig-kli
KERI Database created at: /usr/local/var/keri/db/multisig-kli
KERI Credential Store created at: /usr/local/var/keri/reg/multisig-kli

Loading 10 OOBIs...
http://127.0.0.1:5642/oobi/BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha/controller succeeded
http://127.0.0.1:5643/oobi/BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM/controller succeeded
http://127.0.0.1:5644/oobi/BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX/controller succeeded
http://127.0.0.1:7723/oobi/EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy succeeded
http://127.0.0.1:7723/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao succeeded
http://127.0.0.1:7723/oobi/EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw succeeded
http://127.0.0.1:7723/oobi/EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g succeeded
http://127.0.0.1:7723/oobi/EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E succeeded
http://127.0.0.1:7723/oobi/EMhvwOlyEJ9kN4PrwCpr9Jsv7TxPhiYveZ0oP3lJzdEi succeeded
http://127.0.0.1:7723/oobi/ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY succeeded
Waiting for witness receipts...
Prefix  EFBmwh8vdPTofoautCiEjjuA17gSlEnE3xc-xy-fGzWZ
        Public key 1:  DM1XbVrBOpVRyXDCKlvMWNE_qkkGU4rVq-7_bHP7za8W

End role authorization added for role mailbox
Press any key after multisig-sigpy and multisig-sigts have been created:

At this point, the multisig-kli AID has been created and published to its witnesses. It is now waiting for confirmation from the user that the other multisig participant scripts have been launched before it tries to resolve the OOBIs for the other participants. This script must be left running while the other scripts are launched.

6. SignifyPy Client Library Multisig Participant

The script for the SignifyPy client AID is located in the examples/scripts directory of the Signify-ts repository. This script uses the SignifyPy client library to create the multisig-sigpy AID hosted in an Agent in the KERIA service. This AID has a single signing key and single rotation key that uses 3 of the KERIpy demo witness pool witnesses with a witness threshold of 2. To execute this script you must use the SignifyPy virtual environment from the examples/scripts directory of the Signify-ts repository. Before launching this script, you must "source" the environment initialization file in that directory named env.sh.

(signifypy) $ source ./env.sh
(signifypy) $ ./multisig-sigpy.sh
EP5JMOzNfDL8WbpRiyLxrsVg7GF-HcjIOsceqeluauxj
EERMVxqeHfFo_eIvyzBXaKdT1EyobZdSs1QXuFyYLjmz
Person agent created
Person AID EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk created
multisig-sigpy resolving delegator...
... done
multisig-sigpy resolving multisig-kli...
... done

Press any key after multisig-sigts is created?

At this point, the multisig-sigpy AID has been created and published to its witnesses. In addition, this script has resolved the OOBIs for the delegator AID as well as for the multisig-kli AID. It is now waiting for confirmation from the user that the multisig-sigts participant script has been launched before it tries to resolve the OOBI for that participant. This script must be left running while the final script is launched.

7. Signify-ts Client Library Multisig Participant

The script for the Signify-ts client AID is located in the examples/scripts directory of the Signify-ts repository. This script uses the Signify-ts client library to create the multisig-sigts AID hosted in an Agent in the KERIA service. This AID has a single signing key and single rotation key. This AID does not use any witnesses for its participant AID. To execute this script you must use the proper node environment from the examples/scripts directory of the Signify-ts repository. Before launching this script, you must "source" the environment initialization file in that directory named env.sh.

$ source ./env.sh
$ ./multisig-sigts.sh
Signify client ready!
ELI7pg979AdhmvrjDeam2eAO2SR5niCgnjAJXJHtJose
Connected:
 Agent:  EEXekkGu9IAzav6pZVJhkLnjtjM5v3AcyA-pdKUcaGei    Controller:  ELI7pg979AdhmvrjDeam2eAO2SR5niCgnjAJXJHtJose
Created AID:  {
  v: 'KERI10JSON00012b_',
  t: 'icp',
  d: 'ELViLL4JCh-oktYca-pmPLwkmUaeYjyPmCLxELAKZW8V',
  i: 'ELViLL4JCh-oktYca-pmPLwkmUaeYjyPmCLxELAKZW8V',
  s: '0',
  kt: '1',
  k: [ 'DNwaetMMIMbt708EPsdCGHZpMe3gf1OZV-R7LTcJBLnK' ],
  nt: '1',
  n: [ 'EHUXA8lpGe1MObjP8RZs9WijzNsjKdoSql_zajgJGLQ6' ],
  bt: '0',
  b: [],
  c: [],
  a: []
}
Resolving delegator...
done.
Resolving multisig-kli...
done.
Resolving multisig-sigpy...
done.
Done
Press any key to create endpoints for multisig AID...

At this point, the multisig-sigts AID has been created. In addition, this script has resolved the OOBIs for the delegator AID, the multisig-kli AID and the multisig-sigpy AID. In addition, this script has initiated the creation of the delegated group multisig AID called multisig. It is now waiting for confirmation from the user that the other participants have joined the multisig group AID, as the delegator has approved the delegation and then it will create the endpoint role authorizations for the multisig AID that allow each participant to receive messages on behalf of the multisig AID. This script must be left running while all other scripts are allowed to continue.

8. Confirming Completion of All Scripts

Each script will now prompt the user for the required confirmation that it is able to continue to the next steps. The procedure is asynchronous and the confirmation can be completed in any order for the multisig participant scripts. Hitting <Enter> in the window for each of the multisig participants will allow them to progress to multisig AID creation and delegation request submission.

The delegator script will not prompt until the multisig AID has been created by all the participants and the delegation request has been received. The prompt will look as follows:

Waiting for delegation request...
Delegation inception request from EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU.
Accept [Y|n]?

Answering Y to that prompt will approve the delegation and the rest of the scripts will progress to the next step. At this point, the delegator script will be complete and is no longer needed. Each of the multisig participant scripts will progress to the creation of endpoint role authorizations for the multisig AID. The multisig-kli.sh will display the configuration it is creating as follows:

Adding the following endpoint role authorizations for EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU
+---------------------------------------------------------------+----------------------------------------------+---------+-------+
| From Member                                                   |                  Adding AID                  | In Role | Local |
+---------------------------------------------------------------+----------------------------------------------+---------+-------+
| multisig-sigpy (EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk) | EERMVxqeHfFo_eIvyzBXaKdT1EyobZdSs1QXuFyYLjmz |  Agent  |       |
| multisig-kli (EFBmwh8vdPTofoautCiEjjuA17gSlEnE3xc-xy-fGzWZ)   | BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX | Mailbox |   *   |
| multisig-sigts (ELViLL4JCh-oktYca-pmPLwkmUaeYjyPmCLxELAKZW8V) | EEXekkGu9IAzav6pZVJhkLnjtjM5v3AcyA-pdKUcaGei |  Agent  |       |
+---------------------------------------------------------------+----------------------------------------------+---------+-------+

Authorize new Roles [Y|n]? 

Entering 'Y' at that prompt will create 3 endpoint role authorizations and submit them to the other members for approval. The remaining two multisig participant scripts will prompt as follows, requiring only the <Enter> key to complete the creation of the endpoint role authorizations and the completion of all scripts:

Press any key to create endpoints for multisig AID...

All the multisig participant scripts will wait for fully signed endpoint role authorizations and when received will exit. The scripts and the libraries they use have varying levels logging/debug output enabled so each will look slightly different when complete. The following sections provide examples of successful output for each of the scripts and programs described here:

KERIpy Demo Witness Pool

(keripy) $ kli witness demo
Witness wan : BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha
Witness wil : BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM
Witness wes : BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX
Witness wit : BM35JN8XeJSEfpxopjn5jr7tAHCE5749f0OobhMLCorE
Witness wub : BIj15u5V11bkbtAxMA7gcNJZcax-7TgaBMLsQnMHpYHP
Witness wyz : BF2rZTW79z4IXocYRQnjjsOuvFUQv-ptCf8Yltd7PfsM

KERIA Service

(keria) $ keria start --config-dir scripts --config-file demo-witness-oobis
The Agency is loaded and waiting for requests...
  Agent: EERMVxqeHfFo_eIvyzBXaKdT1EyobZdSs1QXuFyYLjmz   Controller: EP5JMOzNfDL8WbpRiyLxrsVg7GF-HcjIOsceqeluauxj
  Agent: EEXekkGu9IAzav6pZVJhkLnjtjM5v3AcyA-pdKUcaGei   Controller: ELI7pg979AdhmvrjDeam2eAO2SR5niCgnjAJXJHtJose
Sending multisig event to 2 other participants
Waiting for other signatures for EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU:0...
Sending multisig event to 2 other participants
Waiting for other signatures for EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU:0...
We are the witnesser, sending EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU to delegator
Waiting for delegation approval...
Waiting for delegation approval...
Waiting for fully signed witness receipts for 0
Delegation approval for EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU received.
Waiting for witness receipts for EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU
Witness receipts complete, EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU confirmed.
Delegation approval for EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU received.
Witness receipts complete, EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU confirmed.

Delegator

(keripy) $ source ./env.sh
(keripy) $ ./delegator.sh
KERI Keystore created at: /usr/local/var/keri/ks/delegator
KERI Database created at: /usr/local/var/keri/db/delegator
KERI Credential Store created at: /usr/local/var/keri/reg/delegator

Loading 10 OOBIs...
http://127.0.0.1:5642/oobi/BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha/controller succeeded
http://127.0.0.1:5643/oobi/BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM/controller succeeded
http://127.0.0.1:5644/oobi/BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX/controller succeeded
http://127.0.0.1:7723/oobi/EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy succeeded
http://127.0.0.1:7723/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao succeeded
http://127.0.0.1:7723/oobi/EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw succeeded
http://127.0.0.1:7723/oobi/EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g succeeded
http://127.0.0.1:7723/oobi/EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E succeeded
http://127.0.0.1:7723/oobi/EMhvwOlyEJ9kN4PrwCpr9Jsv7TxPhiYveZ0oP3lJzdEi succeeded
http://127.0.0.1:7723/oobi/ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY succeeded
Waiting for witness receipts...
Prefix  EHpD0-CDWOdu5RJ8jHBSUkOqBZ3cXeDVHWNb_Ul89VI7
        Public key 1:  DPg4INjWDxsd4DzFCOAL0Kd7ic7TpvpJpUd_tTEVFOZg

Waiting for delegation request...
Delegation inception request from EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU.
Accept [Y|n]? Y
Delegagtor Prefix  EHpD0-CDWOdu5RJ8jHBSUkOqBZ3cXeDVHWNb_Ul89VI7
        Delegate EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU inception Anchored at Seq. No.  1
Delegate EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU inception event committed.
(keripy) $

KERIpy Command Line Multisig Participant

(keripy) $ source ./env.sh
(keripy) $ ./multisig-kli.sh
KERI Keystore created at: /usr/local/var/keri/ks/multisig-kli
KERI Database created at: /usr/local/var/keri/db/multisig-kli
KERI Credential Store created at: /usr/local/var/keri/reg/multisig-kli

Loading 10 OOBIs...
http://127.0.0.1:5642/oobi/BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha/controller succeeded
http://127.0.0.1:5643/oobi/BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM/controller succeeded
http://127.0.0.1:5644/oobi/BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX/controller succeeded
http://127.0.0.1:7723/oobi/EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy succeeded
http://127.0.0.1:7723/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao succeeded
http://127.0.0.1:7723/oobi/EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw succeeded
http://127.0.0.1:7723/oobi/EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g succeeded
http://127.0.0.1:7723/oobi/EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E succeeded
http://127.0.0.1:7723/oobi/EMhvwOlyEJ9kN4PrwCpr9Jsv7TxPhiYveZ0oP3lJzdEi succeeded
http://127.0.0.1:7723/oobi/ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY succeeded
Waiting for witness receipts...
Prefix  EFBmwh8vdPTofoautCiEjjuA17gSlEnE3xc-xy-fGzWZ
        Public key 1:  DM1XbVrBOpVRyXDCKlvMWNE_qkkGU4rVq-7_bHP7za8W

End role authorization added for role mailbox
Press any key after multisig-sigpy and multisig-sigts have been created:
http://127.0.0.1:5642/oobi/EHpD0-CDWOdu5RJ8jHBSUkOqBZ3cXeDVHWNb_Ul89VI7/witness/BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha resolved
http://127.0.0.1:3902/oobi/EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk/agent/EERMVxqeHfFo_eIvyzBXaKdT1EyobZdSs1QXuFyYLjmz resolved
http://127.0.0.1:3902/oobi/ELViLL4JCh-oktYca-pmPLwkmUaeYjyPmCLxELAKZW8V/agent/EEXekkGu9IAzav6pZVJhkLnjtjM5v3AcyA-pdKUcaGei resolved
Group identifier inception initialized for EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU
Waiting for other signatures for EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU:0...
Waiting for delegation approval...
Delegation approval for EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU received.
Waiting for witness receipts for EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU
Witness receipts complete, EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU confirmed.

Alias:  multisig
Identifier: EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU
Seq No: 0
Delegated Identifier
    Delegator:  EHpD0-CDWOdu5RJ8jHBSUkOqBZ3cXeDVHWNb_Ul89VI7 ✔ Anchored

Group Identifier
    Local Indentifier:  EFBmwh8vdPTofoautCiEjjuA17gSlEnE3xc-xy-fGzWZ ✔ Fully Signed

Witnesses:
Count:          3
Receipts:       3
Threshold:      2

Public Keys:
        1. DPmhSfdhCPxr3EqjxzEtF8TVy0YX7ATo0Uc8oo2cnmY9
        2. DM1XbVrBOpVRyXDCKlvMWNE_qkkGU4rVq-7_bHP7za8W
        3. DNwaetMMIMbt708EPsdCGHZpMe3gf1OZV-R7LTcJBLnK

Press any key to create endpoints for multisig AID...
Adding the following endpoint role authorizations for EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU
+---------------------------------------------------------------+----------------------------------------------+---------+-------+
| From Member                                                   |                  Adding AID                  | In Role | Local |
+---------------------------------------------------------------+----------------------------------------------+---------+-------+
| multisig-sigpy (EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk) | EERMVxqeHfFo_eIvyzBXaKdT1EyobZdSs1QXuFyYLjmz |  Agent  |       |
| multisig-kli (EFBmwh8vdPTofoautCiEjjuA17gSlEnE3xc-xy-fGzWZ)   | BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX | Mailbox |   *   |
| multisig-sigts (ELViLL4JCh-oktYca-pmPLwkmUaeYjyPmCLxELAKZW8V) | EEXekkGu9IAzav6pZVJhkLnjtjM5v3AcyA-pdKUcaGei |  Agent  |       |
+---------------------------------------------------------------+----------------------------------------------+---------+-------+

Authorize new Roles [Y|n]? Y
Waiting for approvals from other members...
All endpoint role authorizations approved
(keripy) $

SignifyPy Client Library Multisig Participant

(signifypy) $ source ./env.sh
(signifypy) $ ./multisig-sigpy.sh
EP5JMOzNfDL8WbpRiyLxrsVg7GF-HcjIOsceqeluauxj
EERMVxqeHfFo_eIvyzBXaKdT1EyobZdSs1QXuFyYLjmz
Person agent created
Person AID EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk created
multisig-sigpy resolving delegator...
... done
multisig-sigpy resolving multisig-kli...
... done

Press any key after multisig-sigts is created?
multisig-sigpy resolving multisig-sigts...
... done
{
  "vn": [
    1,
    0
  ],
  "i": "EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk",
  "s": "0",
  "p": "",
  "d": "EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk",
  "f": "0",
  "dt": "2023-08-21T16:27:10.709805+00:00",
  "et": "icp",
  "kt": "1",
  "k": [
    "DPmhSfdhCPxr3EqjxzEtF8TVy0YX7ATo0Uc8oo2cnmY9"
  ],
  "nt": "1",
  "n": [
    "EAORnRtObOgNiOlMolji-KijC_isa3lRDpHCsol79cOc"
  ],
  "bt": "2",
  "b": [
    "BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha",
    "BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM",
    "BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX"
  ],
  "c": [],
  "ee": {
    "s": "0",
    "d": "EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk",
    "br": [],
    "ba": []
  },
  "di": ""
}
{
  "vn": [
    1,
    0
  ],
  "i": "ELViLL4JCh-oktYca-pmPLwkmUaeYjyPmCLxELAKZW8V",
  "s": "0",
  "p": "",
  "d": "ELViLL4JCh-oktYca-pmPLwkmUaeYjyPmCLxELAKZW8V",
  "f": "0",
  "dt": "2023-08-21T16:27:24.974263+00:00",
  "et": "icp",
  "kt": "1",
  "k": [
    "DNwaetMMIMbt708EPsdCGHZpMe3gf1OZV-R7LTcJBLnK"
  ],
  "nt": "1",
  "n": [
    "EHUXA8lpGe1MObjP8RZs9WijzNsjKdoSql_zajgJGLQ6"
  ],
  "bt": "0",
  "b": [],
  "c": [],
  "ee": {
    "s": "0",
    "d": "ELViLL4JCh-oktYca-pmPLwkmUaeYjyPmCLxELAKZW8V",
    "br": [],
    "ba": []
  },
  "di": ""
}
waiting on multisig creation...
group multisig created:
{
  "v": "KERI10JSON0002c7_",
  "t": "dip",
  "d": "EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU",
  "i": "EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU",
  "s": "0",
  "kt": [
    "1/3",
    "1/3",
    "1/3"
  ],
  "k": [
    "DPmhSfdhCPxr3EqjxzEtF8TVy0YX7ATo0Uc8oo2cnmY9",
    "DM1XbVrBOpVRyXDCKlvMWNE_qkkGU4rVq-7_bHP7za8W",
    "DNwaetMMIMbt708EPsdCGHZpMe3gf1OZV-R7LTcJBLnK"
  ],
  "nt": [
    "1/3",
    "1/3",
    "1/3"
  ],
  "n": [
    "EAORnRtObOgNiOlMolji-KijC_isa3lRDpHCsol79cOc",
    "EPJy-TM6OHBJeAFTpb31YVrDSPXQTYmhvDc7DioakK8h",
    "EHUXA8lpGe1MObjP8RZs9WijzNsjKdoSql_zajgJGLQ6"
  ],
  "bt": "2",
  "b": [
    "BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha",
    "BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM",
    "BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX"
  ],
  "c": [],
  "a": [],
  "di": "EHpD0-CDWOdu5RJ8jHBSUkOqBZ3cXeDVHWNb_Ul89VI7"
}
Press any key to create endpoints for multisig AID...
Waiting for approvals from other members...
All endpoint role authorizations approved
(signifypy) $

Signify-ts Client Library Multisig Participant

$ source ./env.sh
$ ./multisig-sigts.sh
Signify client ready!
ELI7pg979AdhmvrjDeam2eAO2SR5niCgnjAJXJHtJose
Connected:
 Agent:  EEXekkGu9IAzav6pZVJhkLnjtjM5v3AcyA-pdKUcaGei    Controller:  ELI7pg979AdhmvrjDeam2eAO2SR5niCgnjAJXJHtJose
Created AID:  {
  v: 'KERI10JSON00012b_',
  t: 'icp',
  d: 'ELViLL4JCh-oktYca-pmPLwkmUaeYjyPmCLxELAKZW8V',
  i: 'ELViLL4JCh-oktYca-pmPLwkmUaeYjyPmCLxELAKZW8V',
  s: '0',
  kt: '1',
  k: [ 'DNwaetMMIMbt708EPsdCGHZpMe3gf1OZV-R7LTcJBLnK' ],
  nt: '1',
  n: [ 'EHUXA8lpGe1MObjP8RZs9WijzNsjKdoSql_zajgJGLQ6' ],
  bt: '0',
  b: [],
  c: [],
  a: []
}
Resolving delegator...
done.
Resolving multisig-kli...
done.
Resolving multisig-sigpy...
done.
Done
Press any key to create endpoints for multisig AID...
Connected:
 Agent:  EEXekkGu9IAzav6pZVJhkLnjtjM5v3AcyA-pdKUcaGei    Controller:  ELI7pg979AdhmvrjDeam2eAO2SR5niCgnjAJXJHtJose
Done
{
  "v": "KERI10JSON000111_",
  "t": "rpy",
  "d": "EB9JirSV4xUILeH7RW-ngVdp2EFroa5WuiF3HHzrTEXR",
  "dt": "2023-08-21T16:27:43.780307+00:00",
  "r": "/end/role/add",
  "a": {
    "cid": "EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU",
    "role": "agent",
    "eid": "EERMVxqeHfFo_eIvyzBXaKdT1EyobZdSs1QXuFyYLjmz"
  }
}
{
  "v": "KERI10JSON000113_",
  "t": "rpy",
  "d": "EEQq6lGx7Rs-v2NhdQmz3BCYyx9ffqhJVtM0iDBNe3bN",
  "dt": "2023-08-21T16:27:43.780307+00:00",
  "r": "/end/role/add",
  "a": {
    "cid": "EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU",
    "role": "mailbox",
    "eid": "BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX"
  }
}
{
  "v": "KERI10JSON000111_",
  "t": "rpy",
  "d": "ELlJ2N0kQvzqD363hcC_aMnw1s4jsJauqjFrCyDCL_mZ",
  "dt": "2023-08-21T16:27:43.780307+00:00",
  "r": "/end/role/add",
  "a": {
    "cid": "EAbkBt1AkiKskBb-SBACC07ioQ1sx9Q44SpKRZwKjMaU",
    "role": "agent",
    "eid": "EEXekkGu9IAzav6pZVJhkLnjtjM5v3AcyA-pdKUcaGei"
  }
}
$ 

Conclusion.

This process has created 5 AIDs, delegator, multisig-kli, multisig-sigpy, multisig-sigts and multisig. The multisig AID has 3 public signing keys and 3 rotation next digests contributed to it from the multisig-kli, multisig-sigpy, multisig-sigts AIDs and is a delegated AID with the delegator AID as its delegator. This represents a group multisig AID with contributing members from across 4 different libraries, KERIpy, KERIA, SignifyPy and Signify-ts. All of these AIDs can be manipulated using their respective client libraries and passcodes to perform operations such as credential issuance, challenge-response workflows and OOBI exchanges.

[psteniusubi]

I tried running these scripts. I can get almost everything to complete, except for ./multisig-sigpy.sh that stays forever in "Waiting for approvals from other members..." I have tried a couple of times. Any ideas what is wrong?

There is a small typo: ./multisig-sigts.sh does not exist, there is ./multisig-sigty.sh

[psteniusubi]

I'm following instructions in chapter 1, with keripy on development branch, the rest on main branches. I'm not using python venv.

Is there a particular order the delegator and multisig members should proceed to next step? Or is there something to avoid..?

[nkongsuwan]

@psteniusubi I came across the same problem that you described during my first run. My terminals for kli and sigpy freezed while sigts finished.

Then, I tried it again, deleting everything in ~/.keri/ and rerunning the witnesses and the Keria server. I then found out that you have to "Press any key" for each terminal in the correct order otherwise the script will freeze.

Here is a step-by-step of what I did:
Step 1: run witnesses, keria server, and vlei-server
Step 2: run ./delegator.sh
Step 3: run ./multisig-kli.sh
Step 4: run ./multisig-sigpy.sh
Step 5: run ./multisig-sigts.sh
Step 6: Press any key on multisig-kli's terminal
Step 7: Press any key on multisig-sigpy's terminal
Step 8: Enter "Y" on delegator's terminal
Step 9: Press any key on multisig-kli's terminal
Step 10: Enter "Y" on multisig-kli's terminal
Step 11: Press any key on multisig-sigpy's terminal
Step 12: Press any key on multisig-sigts's terminal

I hope this works for you.

[nkongsuwan]

When my multisig-kli and multisig-sigfy freezed, I think what happened was that the script in make_endroles.ts was executed too early as I "pressed any key" in the wrong order. Then, multisig-kli and multisig-sigfy were waiting for multisig-sigts, which already finished.

[psteniusubi]

Thanks @nkongsuwan for figuring out the correct order! This helped me complete the task.

[pfeairheller]

The order of those later steps should not matter since the KERI protocol is asynchronous and the signatures on those events can be processed in any order. The only order I tried to enforce in the script is the initialization of the initial AIDs vs OOBI resolution. Not because it can fail, but because it can take much longer waiting for OOBI retries if you try to resolve OOBIs before the AIDs are created.

I can take a look at the ordering of things to ensure nothing is amiss, after I finish with group multisig registry creation.

[nkongsuwan]

@pfeairheller If you would not mind, may I suggest that you add one more step before step 4 (Delegator Script) that outlines how to run vLEI-server? Otherwise, the OOBIs will not be resolved and the script will freeze at the kli init step. The Prerequisites Section may also add an installation instruction for vLEI-server.

[pfeairheller]

I'll probably update the scripts to use config files that don't load those OOBIs since they are not required for this procedure.

[psteniusubi]

With the latest updates on development branches I have some challenges. Should this script work on the development branches?

I'm seeing this error from multisig-sigpy.sh

$ ./multisig-sigpy.sh
EP5JMOzNfDL8WbpRiyLxrsVg7GF-HcjIOsceqeluauxj
EERMVxqeHfFo_eIvyzBXaKdT1EyobZdSs1QXuFyYLjmz
Person agent created
Person AID EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk created
Traceback (most recent call last):
  File "/home/uroot/signify-ts/examples/scripts/create_person_aid.py", line 81, in <module>
    create_aid()
  File "/home/uroot/signify-ts/examples/scripts/create_person_aid.py", line 46, in create_aid
    identifiers.addEndRole("multisig-sigpy", eid=client.agent.pre)
  File "/home/uroot/signifypy/src/signify/app/aiding.py", line 191, in addEndRole
    keeper = self.client.manager.get(aid=hab)
  File "/home/uroot/signifypy/src/signify/core/keeping.py", line 57, in get
    raise kering.ConfigurationError(f"missing pidx in {aid}")
keri.kering.ConfigurationError: missing pidx in {'name': 'multisig-sigpy', 'prefix': 'EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk', 'salty': {'sxlt': '1AAHlpsVkXLdF0VKqxeldgtX9kMNhpd0x6TW5POj1pp53FLyFxB4fkpw9Y3_Vl-TKKeRgwu08TQJDC-6cPDz8DiKDXGP_LebvGSX', 'pidx': 0, 'kidx': 0, 'stem': 'signify:aid', 'tier': 'low', 'dcode': 'E', 'icodes': ['A'], 'ncodes': ['A'], 'transferable': True}, 'transferable': True, 'state': {'vn': [1, 0], 'i': 'EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk', 's': '0', 'p': '', 'd': 'EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk', 'f': '0', 'dt': '2023-09-06T12:12:36.087387+00:00', 'et': 'icp', 'kt': '1', 'k': ['DPmhSfdhCPxr3EqjxzEtF8TVy0YX7ATo0Uc8oo2cnmY9'], 'nt': '1', 'n': ['EAORnRtObOgNiOlMolji-KijC_isa3lRDpHCsol79cOc'], 'bt': '2', 'b': ['BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha', 'BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM', 'BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX'], 'c': [], 'ee': {'s': '0', 'd': 'EBcIURLpxmVwahksgrsGW6_dUw0zBhyEHYFk17eWrZfk', 'br': [], 'ba': []}, 'di': ''}, 'windexes': [0, 1, 2]}
Traceback (most recent call last):
  File "/home/uroot/signify-ts/examples/scripts/create_multisig_aid.py", line 79, in <module>
    create_multisig_aid()
  File "/home/uroot/signify-ts/examples/scripts/create_multisig_aid.py", line 36, in create_multisig_aid
    assert len(kli) == 1
AssertionError

[pfeairheller]

Yes, it should work, but some code pushed to signifypy to update tests broke things. I have a fix I'll be pushing later today.