# ADR 008: PrivValidator

## Context

The current PrivValidator is monolithic and isn't easily reuseable by alternative signers.

For instance, see https://github.com/tendermint/tendermint/issues/673

The goal is to have a clean PrivValidator interface like:

```
type PrivValidator interface {
	Address() data.Bytes
	PubKey() crypto.PubKey

	SignVote(chainID string, vote *types.Vote) error
	SignProposal(chainID string, proposal *types.Proposal) error
	SignHeartbeat(chainID string, heartbeat *types.Heartbeat) error
}
```

It should also be easy to re-use the LastSignedInfo logic to avoid double signing.

## Decision

Tendermint node's should support only two in-process PrivValidator implementations:

- PrivValidatorUnencrypted uses an unencrypted private key in a "priv_validator.json" file - no configuration required (just `tendermint init`).
- PrivValidatorSocket uses a socket to send signing requests to another process - user is responsible for starting that process themselves.

The PrivValidatorSocket address can be provided via flags at the command line -
doing so will cause Tendermint to ignore any "priv_validator.json" file and to attempt
to connect over the socket.

In addition, Tendermint will provide implementations that can be run in that external process.
These include:

- PrivValidatorEncrypted uses an encrypted private key persisted to disk - user must enter password to decrypt key when process is started.
- PrivValidatorLedger uses a Ledger Nano S to handle all signing.

What follows are descriptions of useful types

### Signer

```
type Signer interface {
	Sign(msg []byte) (crypto.Signature, error)
}
```

Signer signs a message. It can also return an error.

### ValidatorID


ValidatorID is just the Address and PubKey

```
type ValidatorID struct {
	Address data.Bytes    `json:"address"`
	PubKey  crypto.PubKey `json:"pub_key"`
}
```

### LastSignedInfo

LastSignedInfo tracks the last thing we signed:

```
type LastSignedInfo struct {
	Height    int64            `json:"height"`
	Round     int              `json:"round"`
	Step      int8             `json:"step"`
	Signature crypto.Signature `json:"signature,omitempty"` // so we dont lose signatures
	SignBytes data.Bytes       `json:"signbytes,omitempty"` // so we dont lose signatures
}
```

It exposes methods for signing votes and proposals using a `Signer`.

This allows it to easily be reused by developers implemented their own PrivValidator.

### PrivValidatorUnencrypted

```
type PrivValidatorUnencrypted struct {
	ID             types.ValidatorID `json:"id"`
	PrivKey        PrivKey           `json:"priv_key"`
	LastSignedInfo *LastSignedInfo   `json:"last_signed_info"`
}
```

Has the same structure as currently, but broken up into sub structs.

Note the LastSignedInfo is mutated in place every time we sign.

### PrivValidatorJSON

The "priv_validator.json" file supports only the PrivValidatorUnencrypted type.

It unmarshals into PrivValidatorJSON, which is used as the default PrivValidator type.
It wraps the PrivValidatorUnencrypted and persists it to disk after every signature.

## Status

Proposed.

## Consequences

### Positive

- Cleaner separation of components enabling re-use.

### Negative

- More files - led to creation of new directory.

### Neutral