Description
Extend Signatory so that the sole Etherlink sequencer operator can sign sequencer “chunks” (state-root messages) under a dedicated policy entry in the Signatory config, with built-in protection against double-signing.
Motivation
Operator-Only Signing: Ensure only the designated Etherlink sequencer operator key can produce valid chunk signatures.
Policy-Driven Access: Reuse Signatory’s existing YAML policy framework to grant chunk-signing rights explicitly.
Double-Sign Protection: Leverage Signatory’s watermark system to prevent replay or duplicate signing of the same chunk.
Prototype First: Deliver a minimal, prototype-quality implementation to validate the end-to-end flow before hardening.
Operator Story
As the operator of the Etherlink sequencer,
I want Signatory to allow signing of sequencer chunks only when my key has the etherlink_chunk permission,
and to refuse any attempt to sign the same chunk twice,
so that I can safely integrate chunk signing into my roll-up workflow.
Configuration
Add a new etherlink_chunk entry under your operator key in config.yaml:
```yaml
tezos:
  tz3MhmeqpudUqEX8PYTbNDF3CVcnnjNQoo8N:
    allow:
      block:
      endorsement:
      preendorsement:
      failing_noop:
      generic:
        - delegation
      etherlink_chunk:   # ← new permission
```
Technical Proposal
- Policy Check
Before signing, verify that the operator key’s allow: section includes etherlink_chunk (it is a new request kind alongside block, endorsement, etc., not a sub-entry of block).
- Chunk Parsing & Signing
Accept raw chunk bytes (2-byte length, 20-byte placeholder, RLP payload).
Extract and sign the payload using Signatory’s existing signing primitives.
Reassemble the signed chunk.
- Double-Sign Prevention
On signing, consult Signatory’s built-in watermark mechanism to reject any chunk that has already been signed.
- Prototype Scope
Focus on end-to-end signing & verification using live test vectors from the RPC.
Defer detailed watermark backend choices (file, memory, AWS DynamoDB) to a later iteration.
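The policy check, chunk parsing, watermark lookup and signing steps above as one runnable Go example. This is added here for illustration and is not Signatory's code or API; every identifier in it is hypothetical. Assumptions beyond what the issue states: the 2-byte length field is the big-endian byte count of the payload only; the digest is SHA-256 (Tezos proper signs BLAKE2b hashes); the signature is a fixed 64-byte r||s from a P-256 key, matching the tz3 prefix of the config snippet, appended to the chunk bytes; the watermark is an in-memory set keyed by key hash plus payload digest, standing in for the file/memory/DynamoDB backends the issue defers; the tz3 hash is copied from the config snippet as a label only and does not correspond to the generated key; the sample chunk is constructed, not a real blueprint from the RPC.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"math/big"
)

const (
	RequestEtherlinkChunk    = "etherlink_chunk"                      // request kind proposed in the issue
	OperatorKeyHash          = "tz3MhmeqpudUqEX8PYTbNDF3CVcnnjNQoo8N" // copied from the config snippet; a label only here
	OtherKeyHash             = "tz3-no-chunk-permission"              // made-up label for a key lacking the permission
	lenSize, phSize, sigSize = 2, 20, 64                              // framing sizes; sig = r||s (32 bytes each) for P-256
)

var ErrMalformedChunk = errors.New("malformed chunk")
var ErrPolicy = errors.New("etherlink_chunk not allowed for this key")
var ErrDoubleSign = errors.New("chunk already signed (watermark hit)")

// Policy is one key's allow: section; a request kind is permitted iff it is present.
type Policy map[string]struct{}

// Chunk is the issue's framing: 2-byte length, 20-byte placeholder, RLP payload
// (assumption: the length field is the big-endian byte count of the payload only).
type Chunk struct{ Placeholder, Payload []byte }

// ParseChunk rejects truncated input and trailing bytes.
func ParseChunk(raw []byte) (*Chunk, error) {
	if len(raw) < lenSize+phSize || len(raw) != lenSize+phSize+int(binary.BigEndian.Uint16(raw)) {
		return nil, ErrMalformedChunk
	}
	return &Chunk{Placeholder: raw[lenSize : lenSize+phSize], Payload: raw[lenSize+phSize:]}, nil
}

// Signer: per-key policy and private key, plus an in-memory watermark set (stand-in for real backends).
type Signer struct {
	policies   map[string]Policy
	keys       map[string]*ecdsa.PrivateKey
	watermarks map[string]struct{}
}

// SignChunk runs policy check, parse, watermark, sign, and returns chunk||r||s.
func (s *Signer) SignChunk(hash string, raw []byte) ([]byte, error) {
	priv, ok := s.keys[hash]
	if _, allowed := s.policies[hash][RequestEtherlinkChunk]; !ok || !allowed {
		return nil, ErrPolicy
	}
	c, err := ParseChunk(raw)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(c.Payload) // assumption: Tezos proper would hash with BLAKE2b
	wm := hash + ":" + string(digest[:]) // watermark key = key hash + payload digest
	if _, seen := s.watermarks[wm]; seen {
		return nil, ErrDoubleSign
	}
	s.watermarks[wm] = struct{}{} // record before signing: a crash after Sign must not allow a re-sign
	r, sv, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, sigSize)
	r.FillBytes(sig[:32])
	sv.FillBytes(sig[32:])
	return append(append([]byte(nil), raw...), sig...), nil
}

// VerifySignedChunk re-parses the framing and checks the trailing r||s against the payload digest.
func VerifySignedChunk(pub *ecdsa.PublicKey, signed []byte) bool {
	if len(signed) < sigSize {
		return false
	}
	c, err := ParseChunk(signed[:len(signed)-sigSize])
	if err != nil {
		return false
	}
	sig, digest := signed[len(signed)-sigSize:], sha256.Sum256(c.Payload)
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

func SampleChunk() []byte { // constructed: 23-byte payload in the issue's framing, not a real blueprint
	return append(append([]byte{0, 23}, "placeholder-20-bytes"...), "constructed-rlp-payload"...)
}

// NewDemoSigner registers one generated P-256 key under both labels (reused only to keep the demo
// short): OperatorKeyHash may sign chunks, OtherKeyHash may only sign blocks.
func NewDemoSigner() (*Signer, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Signer{
		policies:   map[string]Policy{OperatorKeyHash: {"block": {}, RequestEtherlinkChunk: {}}, OtherKeyHash: {"block": {}}},
		keys:       map[string]*ecdsa.PrivateKey{OperatorKeyHash: priv, OtherKeyHash: priv},
		watermarks: map[string]struct{}{},
	}, &priv.PublicKey, nil
}
```

Two design points worth carrying into the real implementation: the watermark is written before the signature is produced, so a crash between signing and persisting cannot leave the chunk signable again; and because this watermark is keyed by payload digest it only catches an identical chunk presented twice, not a different chunk for the same level, so the hardening step would be a level- or sequence-keyed watermark like the one Signatory uses for blocks.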
Prototype first:
[ ] Prototype Demo: A simple script ingests a chunk from tzkt.io…smart_rollup_add_messages and outputs a valid signed chunk.
Acceptance Criteria (if we proceed beyond the prototype phase)
[ ] Policy Enforcement: Chunk-signing requests are only honored if etherlink_chunk is allowed for the key.
[ ] Valid Signatures: Signed chunks produced by Signatory verify correctly against the payload.
[ ] Double-Sign Guard: Attempts to sign an already-signed chunk are rejected.
[ ] Documentation: README updated with config snippet, example commands, and note on watermark protection.
References
Chunk Definition:
https://gitlab.com/tezos/tezos/-/blob/master/etherlink/bin_node/lib_dev/blueprint_decoder.ml
Reference Signing Logic:
https://gitlab.com/tezos/tezos/-/blob/master/etherlink/bin_node/lib_dev/sequencer_blueprint.ml
Sample Messages:
View contents[].message[] via Smart Rollup RPC at https://tzkt.io/smart_rollup_add_messages