Background
Canton native user registration requires a valid Canton cryptographic signature to prove ownership of the party key. The api-server validates this via auth.VerifyCantonSignature (pkg/config/config.go: SkipCantonSigVerify).
The E2E devstack currently bypasses this check by forcing SKIP_CANTON_SIG_VERIFY=true (set in tests/e2e/cmd/devstack/main.go and tests/e2e/devstack/docker/compose.go). The existing TestRegister_CantonNative_* tests run with signature verification disabled — the happy path with a real signature is untested in CI.
What Needs to Be Done
1. Wallet signing helper in the E2E devstack
Add a utility that produces a valid Canton signature for a given party and message. Canton uses Ed25519 keys managed by the participant node. The devstack already allocates parties via AllocateParty; it needs to expose signing too.
Options to explore:
- Canton admin API — check if ParticipantAdminService exposes a SignBytes or equivalent RPC
- Canton console script — run a one-shot canton script that signs a message and returns the signature
- Deterministic test key — provision the devstack with a known Ed25519 keypair for a dedicated test party and embed it in tests/e2e/devstack/util/
Target DSL interface:
sig, err := sys.Canton.SignMessage(ctx, partyID, message)
2. New E2E test: Canton native registration with real signature
Once the signing helper exists, add a test that exercises the full verified flow with SKIP_CANTON_SIG_VERIFY=false.
3. Devstack configuration
Support running the api-server in two modes: with and without sig verification. This could be done by parameterising NewAPIStack(t) with an options struct, or by running a second api-server container with SKIP_CANTON_SIG_VERIFY=false.
Acceptance Criteria
Background
Canton native user registration requires a valid Canton cryptographic signature to prove ownership of the party key. The api-server validates this via auth.VerifyCantonSignature (pkg/config/config.go: SkipCantonSigVerify).
The E2E devstack currently bypasses this check by forcing SKIP_CANTON_SIG_VERIFY=true (set in tests/e2e/cmd/devstack/main.go and tests/e2e/devstack/docker/compose.go). The existing TestRegister_CantonNative_* tests run with signature verification disabled — the happy path with a real signature is untested in CI.
What Needs to Be Done
1. Wallet signing helper in the E2E devstack
Add a utility that produces a valid Canton signature for a given party and message. Canton uses Ed25519 keys managed by the participant node. The devstack already allocates parties via AllocateParty; it needs to expose signing too.
Options to explore:
Target DSL interface:
2. New E2E test: Canton native registration with real signature
Once the signing helper exists, add a test that exercises the full verified flow with SKIP_CANTON_SIG_VERIFY=false.
3. Devstack configuration
Support running the api-server in two modes: with and without sig verification. This could be done by parameterising NewAPIStack(t) with an options struct, or by running a second api-server container with SKIP_CANTON_SIG_VERIFY=false.
Acceptance Criteria