Multisig & policy

Canonical asks for more than one signature by default. This page explains exactly what that default is, how to set it up for a team, and why loosening it is deliberately hard.

Canonical asks for more than one signature by default. This page explains exactly what that default is, how to set it up for a team, and why loosening it is deliberately hard.

The default, in plain terms#

Every transaction — and every message signature — needs two approvals, at least one from a real person. That is the setting the wallet ships with. You did not turn it on; it is simply how it starts.

Two approvals means two different signers. One person cannot approve twice. So a brand-new wallet, which has exactly one person in it, cannot push a transaction through until you add a second approver. That is not a wall to climb over — it is the whole safety feature, working. It is also why your first transaction begins by adding one.

The same "two people" rule guards the sensitive settings too — changing your rules, your networks, or who has a key.

Seeing your current rules#

terminal
canonicalwallet policy list        # every rule and how many approvals it wants
canonicalwallet policy inspect ... # one rule, in detail

Each one tells you how many approvals it needs and whether a human is required.

Setting it up for a team#

You shape the rule two ways: by who you register as approvers, and by optionally demanding specific people on a given transaction.

Register each teammate as an approver:

terminal
canonicalwallet --token-file ~/.canonical/operator.token client register \
  --label alice --principal-kind human_operator \
  --client-token-file ./alice.token \
  --capability view_proposal --capability approve_proposal --capability reject_proposal \
  --json

Now any two of your people satisfy the default. If you want to insist that a particular person signs a particular transaction, say so when you draft it:

terminal
canonicalwallet proposal tx --chain-id 1 --from <addr> --to <addr> --value-wei <n> \
  --required-principal-kind human_operator \
  --required-principal-id <alice-principal-id>

You can list several required people, require certain kinds of signer, or define a named group with its own count.

Changing the standing rule (and the catch)#

To change how many approvals all future transactions need, you change the rule itself — and that is done through a proposal:

terminal
canonicalwallet proposal change-policy ...

Here is the catch, and it is on purpose: changing the rule is itself guarded by two-human approval. Which means:

  • A team of two or more can raise or lower the bar — they propose it and two people approve.
  • One person on their own cannot quietly drop the requirement to a single signature, because the change needs two humans to pass, and they only have one.

That is the wallet refusing to let a single key weaken its own protection behind your back. Going down to one-of-one is a supported outcome; it just has to be approved by the group that exists before the change.

If you are genuinely solo#

You do not have to recruit a team:

  • Hold two approver tokens yourself and approve twice. A little clunky, but you keep the two-signature safety.
  • Put the second token on another device — your phone, a second laptop — so a single stolen machine still cannot approve alone.

Either way you keep the thing that matters: no single key, by itself, can move your money.

Why an approval sometimes still bounces#

Even with the right people, an approval or a send can be refused. The usual reasons:

  • The transaction changed since it was reviewed (drift).
  • The review came back unsafe, or too uncertain for a machine to sign off on.
  • A person approving something high-risk-and-uncertain did not give a reason.
  • A specific required signer has not approved yet.

When in doubt, ask the wallet directly:

terminal
canonicalwallet proposal why-not-executable --id <id>