Daml sandbox v2.0: fixing namespace

Hi team,

It is understood that daml sandbox v2.0 comes with a canton participant node, with the namespace changing every time we start it.

Is it possible to fix that namespace? Or at least give an option to do so? Reasons

(1) We have a CI environment built prior to 2.0, in which we are using hardcoded Party ID (fixed) as input for some contract creation. This breaks when we move to sandbox 2.0 as the Party we input needs to have the latest namespace.

(2) It makes sense to have this namespace for identity in a typical canton setup (multiple participant nodes), but the sandbox is just a one participant node + one domain. For dev/test purpose, there is no much need on the identity in a sandbox.

Or kindly advice if there is any workaround to address this challenge.

Many thanks in advance.

kc

Generally, if you assume static identities in your development setup, then it will start to fall apart once you try to deploy it to production, where the cryptographic keys are used to generate identities. Therefore, I’d recommend that you really fix your development setup.

However, if you want to preserve identities between deployments, you can export the private keys and use them to manually re-initialise the node. I’ve described this previously here:

Canton offline key for static participant ID Questions

Hello, In order to keep a participant ID static, I created an offline key using participant1.keys.secret.`export`(namespace, Some("/participantKey.key")) This seems successful and the key file is generated. Afterwards I start a new Canton instance, start the participant and run participant1.keys.secret.load("participantKey.key", Some("newly-imported-identity-key")) this also seems to execute successfully, but then when I run a health status I see that the participant ID hash is not the pub…

You might also want to read our blogpost on how you can work with the dynamic party ids in 2.0.

Thanks @Ratko_Veprek .

I tried to use daml sandbox and did something like key download/upload. Here are some findings.

Download/upload is not seen in the daml canton-console.

@ sandbox.keys.secret.
discard                   generate_signing_key      list
generate_encryption_key   help

I suspect it is because the daml canton-console is using remote-participants. I have tested this with canton examples/01-simple-topology and I see both upload and download.

@ participant1.keys.secret.
delete                    generate_encryption_key   list
discard                   generate_signing_key      upload
download                  help

Kindly advise if it is the case. If so, it seems I cannot download/upload key in the sandbox.

Many thanks.
kc

(PS: I have tested the recovery of namespace in a canton 2.0.0 setup. Thanks a lot for your post!)

Download / Upload are only available for local nodes, not remote ones. I think you should be able to use a bootstrap script with the sandbox, so you could place these commands in the script.

Great hints!

I have create a conf with canton.participants.sandbox.init.auto-init = false and a bootstrap file to run this

sandbox.keys.secret.upload("secret.key",Some("idm key"))
val namespace = "1220ac408737588147dab3091b3596b18b58a739b8341d7cbb0078af11857f336ebe"
sandbox.topology.namespace_delegations.authorize(TopologyChangeOp.Add, namespace, namespace, true)
sandbox.topology.init_id("sandbox", namespace)
val enc = sandbox.keys.secret.generate_encryption_key()
val sig = sandbox.keys.secret.generate_signing_key()
sandbox.topology.owner_to_key_mappings.authorize(TopologyChangeOp.Add, sandbox.id, enc.fingerprint, enc.purpose)
sandbox.topology.owner_to_key_mappings.authorize(TopologyChangeOp.Add, sandbox.id, sig.fingerprint, sig.purpose)
sandbox.domains.connect_local(local)

and successfully keep the namespace. Thanks a lot!

cheers,
kc