Multisig & policy
Canonical asks for more than one signature by default. This page explains exactly what that default is, how to set it up for a team, and why loosening it is deliberately hard.
Canonical asks for more than one signature by default. This page explains exactly what that default is, how to set it up for a team, and why loosening it is deliberately hard.
The default, in plain terms#
Every transaction — and every message signature — needs two approvals, at least one from a real person. That is the setting the wallet ships with. You did not turn it on; it is simply how it starts.
Two approvals means two different signers. One person cannot approve twice. So a brand-new wallet, which has exactly one person in it, cannot push a transaction through until you add a second approver. That is not a wall to climb over — it is the whole safety feature, working. It is also why your first transaction begins by adding one.
The same "two people" rule guards the sensitive settings too — changing your rules, your networks, or who has a key.
Seeing your current rules#
canonicalwallet policy list # every rule and how many approvals it wants
canonicalwallet policy inspect ... # one rule, in detailEach one tells you how many approvals it needs and whether a human is required.
Setting it up for a team#
You shape the rule two ways: by who you register as approvers, and by optionally demanding specific people on a given transaction.
Register each teammate as an approver:
canonicalwallet --token-file ~/.canonical/operator.token client register \
--label alice --principal-kind human_operator \
--client-token-file ./alice.token \
--capability view_proposal --capability approve_proposal --capability reject_proposal \
--jsonNow any two of your people satisfy the default. If you want to insist that a particular person signs a particular transaction, say so when you draft it:
canonicalwallet proposal tx --chain-id 1 --from <addr> --to <addr> --value-wei <n> \
--required-principal-kind human_operator \
--required-principal-id <alice-principal-id>You can list several required people, require certain kinds of signer, or define a named group with its own count.
Changing the standing rule (and the catch)#
To change how many approvals all future transactions need, you change the rule itself — and that is done through a proposal:
canonicalwallet proposal change-policy ...Here is the catch, and it is on purpose: changing the rule is itself guarded by two-human approval. Which means:
- A team of two or more can raise or lower the bar — they propose it and two people approve.
- One person on their own cannot quietly drop the requirement to a single signature, because the change needs two humans to pass, and they only have one.
That is the wallet refusing to let a single key weaken its own protection behind your back. Going down to one-of-one is a supported outcome; it just has to be approved by the group that exists before the change.
If you are genuinely solo#
You do not have to recruit a team:
- Hold two approver tokens yourself and approve twice. A little clunky, but you keep the two-signature safety.
- Put the second token on another device — your phone, a second laptop — so a single stolen machine still cannot approve alone.
Either way you keep the thing that matters: no single key, by itself, can move your money.
Why an approval sometimes still bounces#
Even with the right people, an approval or a send can be refused. The usual reasons:
- The transaction changed since it was reviewed (drift).
- The review came back unsafe, or too uncertain for a machine to sign off on.
- A person approving something high-risk-and-uncertain did not give a reason.
- A specific required signer has not approved yet.
When in doubt, ask the wallet directly:
canonicalwallet proposal why-not-executable --id <id>