Merge pull request #626 from oasisprotocol/matevz/docs/deprecate-oasi…

…s-core-ledger

Deprecate oasis-core-ledger

.gitmodules

@@ -5,9 +5,6 @@
 [submodule "external/oasis-sdk"]
 	path = external/oasis-sdk
 	url = https://github.com/oasisprotocol/oasis-sdk
-[submodule "external/oasis-core-ledger"]
-	path = external/oasis-core-ledger
-	url = https://github.com/oasisprotocol/oasis-core-ledger
 [submodule "external/adrs"]
 	path = external/adrs
 	url = https://github.com/oasisprotocol/adrs

docs/general/manage-tokens/faq.md

@@ -110,15 +110,26 @@ and [import it to the Oasis wallet][oasis-wallet-import-private-key].
 
 ### Chromium under Ubuntu does not recognize my Ledger device. What is the problem?
 
-First check that you added the Ledger udev device descriptors as mentioned in the [Linux installation guide](https://support.ledger.com/hc/en-us/articles/4404389606417-Download-and-install-Ledger-Live). Next, check that your Ledger wallet is recognized by the [Oasis Core Ledger tool](../../oasis-core-ledger/usage/address.md). You should see something like this:
-
-```bash
-$ oasis-core-ledger show_address
-oasis1qp8d9kuduq0zutuatjsgltpugxvl38cuaq3gzkmn
-Ensure account address shown on device's screen matches the outputted address.
-```
-
-If all of the above works, then the issue is most likely that Chromium does not have the permission to access your Ledger device. Starting with Ubuntu 20.04 the Chromium browser is installed via snap package by default. Snap is more convenient for upstream developers to deploy their software and it also adds additional layer of security by using apparmor. In our case however, it prevents Chromium to access arbitrary USB devices with WebUSB API including your Ledger device. A workaround for this issue is to install Chromium natively using the official [Chormium beta PPA](https://launchpad.net/\~saiarcot895/+archive/ubuntu/chromium-beta) or the official [Google Chrome .deb package](https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb).
+First check that you added the Ledger udev device descriptors as mentioned in
+the [Linux installation guide]. Next, check that your Ledger wallet is
+recognized by the [Oasis CLI]. You should be able to add your Ledger account to
+the Oasis CLI wallet by running:
+
+![code shell](../../../external/cli/examples/wallet/create.in.static)
+
+If all of the above works, then the issue is most likely that Chromium does not
+have the permission to access your Ledger device. Starting with Ubuntu 20.04 the
+Chromium browser is installed via snap package by default. Snap is more
+convenient for upstream developers to deploy their software and it also adds
+additional layer of security by using apparmor. In our case however, it prevents
+Chromium to access arbitrary USB devices with WebUSB API including your Ledger
+device. A workaround for this issue is to install Chromium natively using the
+official [Chormium beta PPA] or the official [Google Chrome .deb package].
+
+[Linux installation guide]: https://support.ledger.com/hc/en-us/articles/4404389606417-Download-and-install-Ledger-Live
+[Oasis CLI]: cli/README.md
+[Chormium beta PPA]: https://launchpad.net/\~saiarcot895/+archive/ubuntu/chromium-beta
+[Google Chrome .deb package]: https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
 
 ### Are Ethereum and Oasis wallets that different? I can use the same mnemonics with both, right?
 

docs/general/manage-tokens/holding-rose-tokens/ledger-wallet.md

@@ -142,8 +142,10 @@ tasks (sending, staking, ParaTime deposits and withdrawals), but also generating
 and/or signing raw transactions, multi-signatures, network governance
 operations etc.
 
-Ledger is supported by the Oasis CLI. Follow the instructions in the
-[Oasis CLI Tools] page to learn more.
+Ledger is supported by the [Oasis CLI]. You can add a new Ledger account to the
+Oasis CLI by invoking the [`oasis wallet create`] command. For example:
+
+![code shell](../../../../external/cli/examples/wallet/create-ledger.in.static)
 
 [Ledger]: https://www.ledger.com
 [Oasis app]: https://github.com/Zondax/ledger-oasis
@@ -157,4 +159,5 @@ Ledger is supported by the Oasis CLI. Follow the instructions in the
 [Nano S Plus]: https://support.ledger.com/hc/en-us/articles/4445777839901-Update-Ledger-Nano-S-Plus-firmware
 [BIP 39]: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki
 [Oasis Wallets]: ../oasis-wallets/README.mdx
-[Oasis CLI Tools]: ../cli/README.md
+[Oasis CLI]: ../cli/README.md
+[`oasis wallet create`]: ../cli/wallet.md#create

docs/node/mainnet/upgrade-log.md

@@ -366,8 +366,7 @@ oasis-node consensus submit_tx \
 [upgrade governance proposal]: ../../core/consensus/services/governance.md#submit-proposal
 [your entity's nonce]: ../../general/manage-tokens/cli/account.md#show
 [Oasis CLI Tools Setup]: ../../core/oasis-node/cli.md#storing-base-and-signer-flags-in-an-environment-variable
-[Installing Oasis App on Your Ledger Wallet]:
-  ../../oasis-core-ledger/usage/setup#installing-oasis-app-on-your-ledger-wallet
+[Installing Oasis App on Your Ledger Wallet]: ../../general/manage-tokens/holding-rose-tokens/ledger-wallet.md
 
 ### Instructions - Before upgrade
 

docs/node/run-your-node/advanced/remote-signer.mdx

@@ -0,0 +1,207 @@
+import DocCard from '@theme/DocCard';
+import {findSidebarItem} from '@site/src/sidebarUtils';
+
+# Remote Signer for Oasis Node Keys
+
+The [Oasis remote signer][oasis-core-remote-signer] is an application that
+contains logic for various Oasis Core signers. Currently, only the file-based
+signer is implemented, but support for hardware signers is in the works. Access
+to the remote signer is provided via a gRPC service through which the Oasis node
+can connect to it and request signatures.
+
+This chapter will describe how to install the Oasis remote signer and then
+configure your Oasis node to use it. We will use two separate physical machines
+for deployment:
+
+- a `server` which will function as a system running the Oasis node,
+- a `signer-server` which will run the Oasis remote signer and store the node
+  keys.
+
+**These are advanced instructions intended for node operators that want to
+increase the security of their validator nodes.**
+
+:::tip
+
+This chapter describes a tool to remotely access the [node keys] (i.e.
+`beacon.pem`, `consensus.pem`, `identity.pem`, `p2p.pem`...). There is another
+[`oasis wallet remote-signer`] Oasis CLI command which enables remote access to
+your [entity key] and should not be confused with.
+
+:::
+
+[oasis-core-remote-signer]: https://github.com/oasisprotocol/oasis-core/tree/master/go/oasis-remote-signer
+[node keys]: ../validator-node.mdx#node-keys
+[entity key]: ../validator-node.mdx#initialize-entity
+[validator-node]: ../validator-node.mdx
+[discord]: ../../../get-involved/README.md
+[`oasis wallet remote-signer`]: ../../../general/manage-tokens/cli/wallet.md#remote-signer
+
+## Prerequisites
+
+Before we continue, make sure you've followed the [Install Oasis Node Binary]
+chapter and have the Oasis node binary installed on your system.
+
+[Install Oasis Node Binary]: ../prerequisites/oasis-node.md
+
+## Install Oasis Remote Signer Binary
+
+The Oasis remote signer is part of the [Oasis Core][oasis-core-remote-signer].
+You can either download the binary or compile it from source and then copy it
+over to your `signer-server` system.
+
+:::info
+
+The Oasis remote signer is currently only supported on x86_64 Linux systems.
+
+:::
+
+### Downloading a Binary Release
+
+The Oasis remote signer binary is part of the **Oasis Core release bundle**.
+Links to the latest releases are on the Network Parameters page ([Mainnet],
+[Testnet]). The Oasis remote signer binary inside the release bundle is called
+`oasis-remote-signer`. You should always use the version of the remote signer
+matching the version of your Oasis node.
+
+[Mainnet]: ../../mainnet/README.md
+[Testnet]: ../../testnet/README.md
+
+### Building From Source
+
+Follow the [Oasis Core's Build Environment Setup and Building][oasis-core-build]
+chapter. After the Oasis Core is compiled, the `oasis-remote-signer` binary
+should be located in the `go/oasis-remote-signer` subdirectory.
+
+:::caution
+
+The code in the current [`master`] branch may be incompatible with the code used
+by other nodes on the network. Make sure to use the version specified on the
+Network Parameters page ([Mainnet], [Testnet]).
+
+:::
+
+[oasis-core-build]: ../../../core/development-setup/build-environment-setup-and-building
+[`master`]: https://github.com/oasisprotocol/oasis-core/tree/master/
+
+### Adding `oasis-remote-signer` Binary to `PATH`
+
+To install the `oasis-remote-signer` binary for the current user, copy/symlink
+it to `~/.local/bin`.
+
+To install the `oasis-remote-signer` binary for all users of the system, copy
+it to `/usr/local/bin`.
+
+## Set Up Remote Signer System
+
+### Initialize Remote Signer
+
+On `signer-server`, create a directory for the remote signer, e.g.
+`remote-signer`, by running:
+
+```
+mkdir --mode=700 remote-signer
+```
+
+Then, generate the [node keys] and the server certificate by running:
+
+```
+oasis-remote-signer init --datadir remote-signer/
+```
+
+Also, generate the remote signer's client certificate which will be used by
+the Oasis node to connect to the remote signer:
+
+```
+oasis-remote-signer init_client --datadir remote-signer/
+```
+
+### Run Remote Signer
+
+Choose the gRPC port on which the remote signer will listen for client requests
+and run:
+
+```
+oasis-remote-signer \
+--datadir remote-signer \
+--client.certificate remote-signer/remote_signer_client_cert.pem \
+--grpc.port <REMOTE-SIGNER-PORT> \
+--log.level DEBUG
+```
+
+:::tip
+
+The Oasis Remote Signer is configured to run in the foreground by default.
+
+We recommend you configure and use it with a process manager like [systemd] or
+[Supervisor].  Check out the [System Configuration] page for examples.
+
+:::
+
+[systemd]: https://github.com/systemd/systemd
+[Supervisor]: http://supervisord.org
+[System Configuration]: ../prerequisites/system-configuration.mdx#change-to-non-root
+
+### Copy Remote Signer Certificate, Client Key and Certificate
+
+In order for the Oasis node to securely connect to the Oasis remote signer and
+be able to demonstrate its authenticity, you need to copy the following files
+from `signer-server` to `server` inside the `/node/data/remote-signer`
+directory:
+
+* `remote-signer/remote_signer_server_cert.pem`: The remote signer's
+  certificate. This certificate ensures the Oasis node system is connecting to
+  the trusted remote signer system.
+* `remote-signer/remote_signer_client_key.pem`: The remote signer's client key.
+  This key enables the Oasis node system to demonstrate its authenticity when it
+  is requesting signatures from the remote signer system.
+* `remote-signer/remote_signer_client_cert.pem`: The remote signer's client
+  certificate. This certificate is the counterpart of the remote signer's client
+  key.
+
+## Configuration
+
+When [configuring your Oasis Node](../validator-node.mdx#configuration)
+on `server`, you need to add the appropriate `signer` section to configure the
+**composite** and **remote** signers. For example:
+
+```yaml
+# Signer.
+signer:
+  backend: composite
+  # Use file-based signer for entity, node and P2P keys and remote signer for the
+  # consensus key.
+  composite:
+    backends: entity:file,node:file,p2p:file,consensus:remote
+  # Configure how to connect to the Oasis Remote Signer.
+  remote:
+    address: <YOUR-REMOTE-SIGNER-IP>:<YOUR-REMOTE-SIGNER-PORT>
+    server:
+      certificate: /node/data/remote-signer/remote_signer_server_cert.pem
+    client:
+      key: /node/data/remote-signer/remote_signer_client_key.pem
+      certificate: /node/data/remote-signer/remote_signer_client_cert.pem
+```
+
+This assumes you've copied the remote signer's certificate and remote signer's
+client key and certificate to the `/node/data/remote-signer/` directory.
+
+## Starting the Oasis node
+
+[Start the Oasis node] using the modified config above. To ensure that your
+Oasis node will be able to sign consensus transactions, check that the Oasis
+remote signer is running and accepting remote client connections via the
+designated port.
+
+:::info
+
+The `/node/data` directory on `server` will only have `consensus_pub.pem` and no
+`consensus.pem` since the consensus key is backed by the Oasis remote signer.
+
+:::
+
+[Start the Oasis node]: ../validator-node.mdx#starting-the-oasis-node
+
+# See also
+
+<DocCard item={findSidebarItem('/node/run-your-node/validator-node')} />
+<DocCard item={findSidebarItem('/general/manage-tokens/cli/wallet')} />