So I'm using Blockcypher in a project of mine and I am following the guide presented here to create a new transaction:

https://www.blockcypher.com/dev/bitcoin/?shell#creating-transactions

I'm stuck at the part where you have to sign a transaction using a signing tool. They presented a tool which is hosted on GitHub at https://github.com/blockcypher/btcutils/tree/master/signer. Please, I need clear instructions and/or clarification on how this tool is to be deployed and used.

From the GitHub page I learnt that the Go language has to be installed on the server before it can be used. I get that part. And I have installed and generated the signer binary. What I don't get is how exactly the tool will be used in my PHP codebase.

I am using PHP and curl to call APIs. So my question is: how exactly am I supposed to use this in my PHP code since it is a compiled Go binary? The only solution that has worked for me so far is to log in via SSH through the PHP code using a library like phpseclib, then call the Go binary from the shell programmatically to get the signed key. Somewhat like this:

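```php
// Requires phpseclib 1.x (Net/SSH2.php) to be loaded for Net_SSH2.
private function sign_payload($to_sign, $private_key)
{
    $ssh = new Net_SSH2('[IP]');
    if (!$ssh->login('[ssh_user]', '[password]')) {
        exit('ssh connect failure');
    }

    // Quote both values so they cannot break out of the remote shell command.
    $cmd = "cd [dir]/btcutils/signer\n./signer "
        . escapeshellarg($to_sign) . " " . escapeshellarg($private_key);

    return $ssh->exec($cmd);
}
```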

This is obviously extremely sub-optimal and un-scalable as I can't be having thousands of users concurrently logging in via SSH just to get a signature.

Is there no easy or straightforward endpoint or API to call to get this signature? Why is it so hard and poorly explained? Is there a PHP version? I would appreciate a prompt response to this request.

Thank you.

osii
  • _"I learnt that go language has to be installed on the server before it can be used"_ Erm... that makes no sense. You write go code, compile it to a binary, that runs on a server. You don't need to install the compiler server-side to run those binaries. I'd just do away with the PHP part, but if you want to stick to using PHP, and you can trust users (which never really is the case) you could just have the binary on the server, and `shell_exec` or `exec` the command – Elias Van Ootegem Apr 12 '22 at 15:07
  • Thanks for the response @EliasVanOotegem. I probably didn't word it properly, but that's what I meant. Binary must be compiled, run on server. But my question still stands. Is there another way to call that endpoint without having to `shell_exec`? The entire app is currently in PHP and we will refactor but not anytime soon. Is executing the command via shell an optimal way of doing this in production code? Is it scalable? Is it practical? – osii Apr 12 '22 at 16:31
  • Is there another way to call an external binary from PHP? No, unless you want to write a custom extension that essentially performs RPCs (assuming the binary supports it). Using `exec` & co is not very efficient, but doesn't pose any immediate scalability issues. The bigger problem there is security. At some point you'll have to allow user input to be passed to a binary you don't control. The better approach IMO is to bite the bullet and either implement what that binary does in PHP, or switch to Go, and re-use the packages – Elias Van Ootegem Apr 12 '22 at 16:39
  • Looking at the repo you linked, all the signer does is take the private key and the payload, and passes it on to [this function](https://github.com/btcsuite/btcd/blob/master/btcec/ecdsa/signature.go#L238). It's a simple wrapper to sign from command line. I'm sure you can find some PHP libraries that take care of signing. If not, you've just got another reason to switch sooner rather than later. – Elias Van Ootegem Apr 12 '22 at 16:43
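
The security concern raised in the comments (user input reaching an external binary) can be narrowed by running the signer locally without a shell and validating both arguments first. This is an added example, not code from the original post or from BlockCypher; the binary path, the `is_hex32` helper, the 64-hex-character input format and the hex-only output check are assumptions.

```php
<?php
// Added example (hypothetical helper, not part of btcutils or a BlockCypher SDK).
// Assumes PHP >= 7.4, where proc_open() accepts an argv array and starts the
// program directly, so no shell ever parses the arguments.
const SIGNER_BIN = '/opt/btcutils/signer/signer'; // assumed install path

function is_hex32(string $s): bool
{
    // Exactly 32 bytes encoded as 64 hex characters; \A and \z reject newlines.
    return preg_match('/\A[0-9a-fA-F]{64}\z/', $s) === 1;
}

function sign_payload(string $to_sign, string $private_key, string $bin = SIGNER_BIN): string
{
    // Reject anything that is not plain hex before it gets near the binary.
    if (!is_hex32($to_sign) || !is_hex32($private_key)) {
        throw new InvalidArgumentException('tosign and key must be 64 hex characters');
    }

    $pipes = [];
    $proc = proc_open(
        [$bin, $to_sign, $private_key],          // argv array: no shell involved
        [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start signer');
    }

    $out = trim(stream_get_contents($pipes[1]));
    fclose($pipes[1]);
    $exit = proc_close($proc);

    // Assumption: the signer prints the signature as a single hex string.
    if ($exit !== 0 || preg_match('/\A[0-9a-fA-F]+\z/', $out) !== 1) {
        // Do not log the arguments or tool output: they may contain the key.
        throw new RuntimeException('signer failed');
    }
    return strtolower($out);
}
```

The private key still appears in the child process's argument list, which other local users can read from the process table while the signer runs, so the host running this should not be shared.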

0 Answers