bundled basic key encryption 2026-01-26 23:09:58 +01:00
src Encryption: implement RFC9106 recommendations 2026-01-27 03:05:59 +01:00
.gitignore Initial commit 2026-01-25 02:27:22 +01:00
COPYING Initial commit 2026-01-25 02:27:22 +01:00
README.md basic key encryption 2026-01-26 23:09:58 +01:00
stellar-veritas.cabal basic key encryption 2026-01-26 23:09:58 +01:00

Stellar Veritas

The aim is to create a trustworthy Stellar transaction signer (and, by necessity, a pretty printer) using only Glasgow Haskell compiler code and Haskell Core libraries, reducing the possible supply chain attack surface.

Installation and usage

To build and run it, install cabal-install and use cabal run. The program expects your transaction on the standard input, and your private (S...) key in $HOME/~/.stellar-veritas-key. It will produce the decoded transaction description afterwards, with simple descriptions of the most popular operations. When it is run from an interactive terminal, it will ask for confirmation before signing the transaction.

You can put the binary (cabal list-bin stellar-veritas to get the path) into your $PATH and use it directly.

Encryption

The project supports key encryption. Encrypting your key protects you from key file theft: cracking an 8-character password is estimated to cost over $1M (in 2026), and the cost scales with password complexity and with the performance of the computer at the moment of encryption.

To encrypt your key, run cabal run stellar-veritas -- encrypt (or just stellar-veritas encrypt after installation) and enter your password. Afterwards you'll be prompted for your password every time you want to sign anything. Encrypting an already-encrypted key results in decryption and re-encryption with new parameters and salt.

Technical details

The project contains the code of trimmed-down non-core dependencies, mainly cryptographic libraries. To avoid using bundled libraries (to build against the current Hackage), do the same in the src directory. To further reduce the amount of code under audit, weeder can be used, although the utility is dubious.

Key encryption is implemented by XORing the key with the output of the Argon2i KDF, which uses an adaptive iteration count.
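
An added sketch of the scheme described above (not the project's own code, which is Haskell): the secret is XORed with KDF output, and the iteration count is calibrated to the machine at encryption time. PBKDF2-HMAC-SHA256 stands in for Argon2i because the Python standard library has no Argon2; the blob layout, function names and sample seed are assumptions.

```python
import hashlib
import os
import time

SALT_LEN = 16  # assumption: salt size chosen for this sketch

def kdf(password: bytes, salt: bytes, iterations: int, length: int) -> bytes:
    # PBKDF2-HMAC-SHA256 as a stand-in for Argon2i (same role: slow, salted KDF).
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=length)

def calibrate(target_seconds: float, start: int = 1000) -> int:
    """Double the iteration count until one derivation takes target_seconds here."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        kdf(b"calibration", bytes(SALT_LEN), iterations, 32)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_key(secret: bytes, password: bytes, iterations: int) -> bytes:
    salt = os.urandom(SALT_LEN)  # fresh salt per encryption: keystream never repeats
    stream = kdf(password, salt, iterations, len(secret))
    # Assumed layout: 4-byte big-endian iteration count, salt, XORed secret.
    return iterations.to_bytes(4, "big") + salt + xor(secret, stream)

def decrypt_key(blob: bytes, password: bytes) -> bytes:
    iterations = int.from_bytes(blob[:4], "big")
    salt, body = blob[4:4 + SALT_LEN], blob[4 + SALT_LEN:]
    # No integrity check in this sketch: a wrong password returns
    # different bytes, not an error, so the caller must validate the result.
    return xor(body, kdf(password, salt, iterations, len(body)))

def reencrypt(blob: bytes, password: bytes, iterations: int) -> bytes:
    # Decrypt, then encrypt again with new parameters and a new salt.
    return encrypt_key(decrypt_key(blob, password), password, iterations)

if __name__ == "__main__":
    seed = bytes(range(32))  # constructed sample, not a real key
    n = calibrate(0.05)
    blob = encrypt_key(seed, b"correct horse", n)
    print(n, decrypt_key(blob, b"correct horse") == seed)
    print(decrypt_key(blob, b"wrong guess") == seed)
```

Because the iteration count is stored with the salt, a key encrypted on a slow machine can be re-encrypted later with a higher count without changing the password.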