Zano Resource Hub


Signing transactions offline (cold-signing process)

Introduction

For additional security, transactions can be signed offline using a dedicated wallet application instance, e.g. one running in a secure environment.

Zano, as a CryptoNote coin, uses two key pairs (4 keys) per wallet: a view key pair (secret + public) and a spend key pair (secret + public).

A so-called "hot wallet" (or watch-only wallet) uses only the view secret key. This allows it to distinguish its own transactions from others in the blockchain. To spend coins, a wallet needs the spend secret key, which is required to sign a tx. A watch-only wallet doesn't have access to the spend secret key and thus can't spend coins.

If someone has your spend secret key, they can spend your coins. Master keys should be handled with care.

Setup

  1. In a secure environment create a new master wallet:
    1.1 Start simplewallet to generate master wallet:
    simplewallet --generate-new-wallet zano_wallet_master
    (zano_wallet_master is wallet's filename and can be changed freely)
    1.2 Type in a password when asked.
    1.3 Type the following command into wallet's console:
    save_watch_only zano_wallet_watch_only.keys WATCH_PASSWORD
    where WATCH_PASSWORD is password for a watch-only wallet.
    You should see:
    Keys stored to zano_wallet_watch_only.keys
    1.4 Type exit to quit simplewallet.
  2. Copy the zano_wallet_watch_only.keys file from the secure environment to your production environment, where the daemon and the hot wallet are supposed to run.

NOTE: the zano_wallet_master.keys file contains the master wallet's private keys! You may want it to never leave the secure environment.

  3. In the production environment start the daemon (let it perform the initial sync if running for the first time and make sure it is synchronized), then start the watch-only wallet:
    simplewallet --wallet-file zano_wallet_watch_only.keys --password WATCH_PASSWORD --rpc-bind-ip RPC_IP --rpc-bind-port RPC_PORT --daemon-address DAEMON_ADDR:DAEMON_PORT --log-file LOG_FILE_NAME
    (see also the Introduction; for the first run you can add --log-level=0 to avoid overly verbose messages, for subsequent runs you can use --log-level=1 or --log-level=2)

Setup is complete.

Example of a transaction cold-signing

In order to sign a transaction, follow these steps:

  1. Using the transfer RPC, create a transaction.
    Because this instance of the wallet application uses watch-only wallet keys (note that zano_wallet_watch_only.keys is passed in the watch-only wallet start command in Setup), the transaction will not be signed and broadcast. Instead, an unsigned transaction will be prepared and returned via RPC.

RPC example (please, see also transfer RPC description in "List of RPC calls" section above):

$ curl http://127.0.0.1:12233/json_rpc -s -H 'content-type:application/json;' --data-binary '{"jsonrpc":"2.0","id":"0","method":"transfer", "params":{   "destinations":[{"amount":1000000000000, "address":"ZxCb5oL6RTEffiH9gj7w3SYUeQ5s53yUBFGoyGChaqpQdud2uNUaA936Q2ngcEouvmgA48WMZQyv41R2ASstyYHo2Kzeoh7GA"}], "fee":1000000000, "mixin":0, "unlock_time":0   }}'
{
  "id": "0",
  "jsonrpc": "2.0",
  "result": {
	"tx_blob": "",
	"tx_hash": "c41589e7559804ea4a2080dad19d876a024ccb05117835447d72ce08c1d020ec",
	"tx_unsigned_hex": "00-LONG-HEX-00"
  }
}

The unsigned transaction data returned in the tx_unsigned_hex field should be passed to the secure environment for cold-signing by the master wallet.

  2. Run the master wallet within the secure environment:
    simplewallet --wallet-file zano_wallet_master --password MASTER_PASSWORD --offline-mode
  3. Using the sign_transfer RPC, sign the transaction with the master wallet.

RPC example:

$ curl http://127.0.0.1:12233/json_rpc -s -H 'content-type:application/json;' --data-binary '{"jsonrpc":"2.0","id":"0","method":"sign_transfer", "params":{  "tx_unsigned_hex" : "00-LONG-HEX-00" }}'
{
  "id": "0",
  "jsonrpc": "2.0",
  "result": {
	"tx_signed_hex": "00-LONG-HEX-00"
  }
}

The signed transaction data returned in the tx_signed_hex field should be passed to the production environment along with the corresponding tx_unsigned_hex data, to be broadcast by the watch-only wallet.

  4. Using the submit_transfer RPC, broadcast the transaction with the watch-only wallet.

RPC example:

$ curl http://127.0.0.1:12233/json_rpc -s -H 'content-type:application/json;' --data-binary '{"jsonrpc":"2.0","id":"0","method":"submit_transfer", "params":{  "tx_unsigned_hex": "00-LONG-HASH-00", "tx_signed_hex": "00-LONG-HASH-00"  }}'
{
  "id": "0",
  "jsonrpc": "2.0",
  "result": {
	"tx_hash": "0554849abdb62f7d1902ddd14ce005722a340fc14fab4a375adc8749abf4e10b"
  }
}

The transaction was successfully broadcast over the network.
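
The hand-off between the two environments, sketched as an added example (not part of the Zano documentation or code base). It builds the same JSON-RPC bodies as the curl calls above and validates each reply before the data crosses the air gap. The bundle format with a SHA-256 checksum and the helper names are assumptions made for illustration, and the sample replies are constructed.

```python
import hashlib
import json

def rpc_request(method, params):
    """Build the JSON-RPC 2.0 body that the page's curl examples send."""
    return json.dumps({"jsonrpc": "2.0", "id": "0", "method": method, "params": params})

def rpc_result(raw_reply, field):
    """Extract result[field] from a wallet reply; reject RPC errors and non-hex data."""
    reply = json.loads(raw_reply)
    if "error" in reply:
        raise RuntimeError(f"wallet RPC error: {reply['error']}")
    value = reply["result"][field]
    if not value or not bytes.fromhex(value):  # fromhex raises ValueError on non-hex
        raise ValueError(f"{field} is empty")
    return value

def pack(field, hex_data):
    """Hypothetical hand-off bundle: the blob plus a SHA-256 of its bytes.
    Catches truncation or corruption on the carrier medium, not deliberate tampering."""
    digest = hashlib.sha256(bytes.fromhex(hex_data)).hexdigest()
    return json.dumps({field: hex_data, "sha256": digest})

def unpack(bundle, field):
    """Verify the checksum before the blob is used on the receiving side."""
    data = json.loads(bundle)
    if hashlib.sha256(bytes.fromhex(data[field])).hexdigest() != data["sha256"]:
        raise ValueError(f"{field} checksum mismatch, refusing to continue")
    return data[field]

def cold_sign_flow(transfer_reply, sign_reply):
    """Walk transfer -> sign_transfer -> submit_transfer with canned replies."""
    # Production side: take the unsigned tx from the watch-only wallet's reply.
    unsigned = rpc_result(transfer_reply, "tx_unsigned_hex")
    to_cold = pack("tx_unsigned_hex", unsigned)
    # Secure side: verify the hand-off, then ask the master wallet to sign.
    sign_req = rpc_request("sign_transfer", {"tx_unsigned_hex": unpack(to_cold, "tx_unsigned_hex")})
    to_hot = pack("tx_signed_hex", rpc_result(sign_reply, "tx_signed_hex"))
    # Production side: submit the signed blob together with its unsigned counterpart.
    submit_req = rpc_request("submit_transfer", {"tx_unsigned_hex": unsigned, "tx_signed_hex": unpack(to_hot, "tx_signed_hex")})
    return sign_req, submit_req

# Constructed sample replies (hex values are made up, not real transaction data).
TRANSFER_REPLY = '{"id":"0","jsonrpc":"2.0","result":{"tx_blob":"","tx_unsigned_hex":"00aabbccdd00"}}'
SIGN_REPLY = '{"id":"0","jsonrpc":"2.0","result":{"tx_signed_hex":"00112233445500"}}'

if __name__ == "__main__":
    for body in cold_sign_flow(TRANSFER_REPLY, SIGN_REPLY):
        print(body)
```
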

Important note on watch-only wallets

A watch-only wallet cannot, by itself, calculate a balance using only a tracking view secret key and access to the blockchain. This is because it can't recognize when its own coins are spent: doing so requires knowing the key images for its own coins, which are unknown, as key image calculation requires the spend secret key.

To work around this difficulty, the watch-only wallet extracts and stores key images for its own coins each time a signed transaction from a cold wallet is broadcast using the submit_transfer RPC. This data is stored locally and is required to calculate the wallet's balance in case of a full wallet resync.

It's important to keep this data safe and not to delete the watch-only wallet's files. Otherwise, the watch-only wallet won't be able to calculate a balance correctly, and the cold wallet may need to be connected online to recover funds.
