Hey @kristofer, in your example, you use the package via .tgz file. I’m trying to figure out if I can do it some other way. Because if I wanted to just launch the frontend without dfx, lets say to make some UI changes, having a .tgz file as a dependency won’t allow me to do that. So I’ll have to do dfx deploy and that just takes too long for quick UI changes.

If using the demo I created, you would just start the Vite development server to get hot module reloading of all UI changes during development.

pnpm run dev

Hey @kristofer, yeah checked that, were some differences between your and my project config so had to adjust that to make the hot reloading work. Just for anyone wondering I’ll also post the working vite config below.

import { sveltekit } from "@sveltejs/kit/vite";
import type { UserConfig } from "vite";
import { defineConfig, loadEnv } from "vite";
import {
  host,
  iiUrl,
  network,
  readCanisterIds,
} from "./scripts/readCanisterIds";
import path from "path";
import wasm from "vite-plugin-wasm";
import topLevelAwait from "vite-plugin-top-level-await";
// Import the new polyfill plugin
import { nodePolyfills } from 'vite-plugin-node-polyfills';


const config: UserConfig = {
  // Add nodePolyfills plugin here
  plugins: [wasm(), topLevelAwait(), sveltekit(), nodePolyfills()], // Moved wasm() and topLevelAwait() first
  resolve: {
    alias: {
      $lib: path.resolve("./src/frontend/src/lib"),
      // Removed alias for ic-vetkd-utils to let Vite handle it
    },
  },
  // Remove optimizeDeps polyfill config, let the plugin handle it
  optimizeDeps: {
    esbuildOptions: {
      // Node.js global to browser globalThis - Still might be needed depending on dependencies
      define: {
        global: "globalThis",
      },
    },
  },
  // Keep single build config
  build: {
    target: "es2020",
    rollupOptions: {}, // Remove the polyfill plugin from here
  },
  // Add SSR configuration to process ic-vetkd-utils
  ssr: {
    noExternal: ['ic-vetkd-utils'],
  },
};

export default defineConfig(({ mode }: UserConfig): UserConfig => {
  // Expand environment - .env files - with canister IDs
  process.env = {
    ...process.env,
    ...loadEnv(mode ?? "development", process.cwd()),
    ...readCanisterIds({ prefix: "VITE_" }),
    VITE_DFX_NETWORK: network,
    VITE_HOST: host,
    VITE_II_URL: iiUrl,
  };

  return {
    ...config,
    // Backwards compatibility for auto generated types of dfx that are meant for webpack and process.env
    define: {
      "process.env": {
        ...readCanisterIds({}),
        DFX_NETWORK: network,
      },
    },
  };
});

Great! Also note that as part of the final VetKey release, there will be a JS based utils library.

We’re excited to share that the vetKeys feature is now code complete and ready to be enabled on mainnet for testing purposes!

In line with the release process used for previous cryptographic features like threshold ECDSA and Schnorr signatures, we are proposing to create a test vetKD master key on a 13-node application subnet. This will allow us to:

• Conduct extended testing of vetKeys functionality on mainnet.

• Build confidence with operational procedures, including key backup and recovery workflows.

• Enable developers to experiment with the full vetKeys derivation functionality in their dApps.

• Identify edge cases and gather insights into performance and system behavior.

Important Note: The test vetKey is strictly intended for testing purposes and should not be used in production environments. The vetKeys feature is still undergoing internal security reviews and audits, and as such, we strongly recommend limiting its use to non-critical testing scenarios only.

Next steps

If this proposal is approved, we will submit follow-up proposals to:

• Back up the test key on an additional application subnet.

• Enable vetKeys derivation functionality to support end-to-end testing.

Following a successful testing phase—and assuming everything proceeds smoothly—we plan to propose the creation of the production key in later governance proposals. The earliest expected timeline for this would be mid-June.

Thanks @andrea, I have a few questions before voting if that’s okay. My understanding is that 2fq7c is currently the backup test key subnet (whereas it used to be the signing subnet, prior to 131449). In prior test key deployments the procedure has been to:

• Generate the test key on the signing subnet
• Enable the key afterwards
• Reshare the key to the backup subnet (using a set of halt, apply CUP, unhalt proposals)

In this case it seems the approach planned is to:

• Generate the test key on the backup subnet
• Reshare the key with the signing subnet (using a set of halt, apply CUP, unhalt proposals)
• Enable the key afterwards (on the signing subnet? Is there a plan to enable and test it on the backup subnet too?)

Have I understood this more or less correctly? If so would you be able to elaborate on the choice to deviate from previous procedure (including resharing to the signing subnet, instead of to the backup subnet, despite the downtime implications).

I’m also curious about a couple of the parameters.

"max_queue_size": 10,
"pre_signatures_to_create_in_advance": 0

• max_queue_size is 20 for the other 3 keys, on both the signing and the backup subnet. Could I ask what the reasoning is for setting it to 10 in this case?
• pre_signatures_to_create_in_advance is set to 1 for the other 3 keys on this backup subnet (and 7 on the signing subnet). Can I ask why it’s being initialised with 0 here?

Thanks in advance

Proposal 136589 Review | Lorimer - CO.DELTA △

VOTE: YES

TLDR: See questions above, and answers below. LGTM

You may wish to follow the CO.DELTA known neuron if you found this analysis helpful.

Yes, that’s exactly the plan. We plan to propose enabling the signing subnet once the key is reshared there. The reason we are proposing to start with the backup subnet is that 2fq7c seems busier and has a considerably larger state, so it seems less disruptive to halt the other one for resharing. Note that we proposed to swap signing and backup subnets a few months for the same reason, i.e. have signing enabled on the less busy subnet.

Good questions! It should be fine to set max_queue_size to 20 and higher values, however we have not done enough load testing yet on realistic scenarios, especially with larger subnet sizes. So we are proposing some conservative value here with the intention of increasing it later on.

Regarding pre_signatures_to_create_in_advance, this parameters does not affect vetkd, as the scheme does not use presginatures, differently than ECDSA and Schnorr. However since vetkeys reuses the same chain key config record as ECDSA and Schnorr, this value has to be set currently. Note that until recently it was not possible to set it to 0, so 1 was the minimum, see here for more details: feat: CRP-2618 Allow zero `pre_signatures_to_create_in_advance` in vetKD `ChainKeyConfig` by eichhorl · Pull Request #5014 · dfinity/ic · GitHub

Proposal #136589 — Zack | CodeGov

Vote: Pending, probably YES

Reason: Checking some related commits from the latest replica updates.

Thanks for clarifying @andrea, sounds good. I’ve voted to adopt

Proposal 136589 Review | aligatorr - CO.DELTA △

VOTE: YES

TLDR: It is a testing subnet. Proposal adds chain key configuration for Vet keys.

• Rest of chain key config remain unchanged
  
  

  Screenshot_20250512_204842-1452×686 31.9 KB
• Replica version of a subnet f195ba756bc3bf170a2888699e5e74101fdac6ba
• set_gossip_config_to_default is supposed to be deprecated, is there a plan to remove it @andrea ?

You may wish to follow the CO.DELTA known neuron if you found this analysis helpful.

Proposal 136589 | Tim - CodeGov

Vote: Adopt

This proposal generates a vetKD master key for testing purposes on subnet 2fq7c. Thanks @Lorimer and @andrea for the very helpful discussion above clarifying details of the payload parameters.

Hello everyone! With the execution of proposal 136589, the test key for the vetKeys feature was generated on 2fq7c. As announced above we plan to submit follow-up proposals to reshare the test key to subnet fuqsr. See also here for more information about the process.

Does this mean key derivation has also been activated?

Proposal 136589 Review | Malith H - CO.DELTA △

VOTE: YES
TLDR:
The following proposal introduces Vet keys for subnet configuration for testing purposes 2fq7c. Diff change config only introduces Vetkeys, no other change has been made. As mentioned by @aligatorr89 set gossip config to FALSE, or is it say no change is been made ?

Context

Item	Notes
Subnet ID	2fq7c
Replica version currently live
Proposal’s stated reason	Generate a vetKD master key for testing purposes on subnet 2fq7c, with key ID Bls12_381_G2:test_key_1.
Forum discussion reviewed	YES

You may wish to follow the CO.DELTA known neuron if you found this analysis helpful.

Not yet, as discussed above it was generated on the subnet we plan to use as backup. Enabling the key will require a separate proposal that will be submitted later on.

Hi @andrea

This is super cool. Have been following with interest. Am I correct that vetSigs are not part of this rollout but coming later this year?

With vetSigs do you mean BLS signatures? If so, you can use the vetkeys API to compute them, we are working on an example to show how. Do you have a concrete example in mind for this?

Yep that’s exactly what I mean. The example is the plan I have for our decentralised publishing app:

We’re going to issue users with a BBS+ credential (so they can do selective reveal and have pseudonyms linked to their main ID via ZK). We were thinking of having an ICP canister as a trusted issuer of these credentials. However if the canister held the key all the replicas could see it. That’s not workable. With vetKeys replicas would only ever have a shard and could issue credentials with threshold BLS.