Skip to content


A SCONE application must be signed by a Signing Identity to run in production mode. MRSIGNER is the public key of the Signing Identity. The signature associates MrEnclave and MRSIGNER with this application. Note that MrEnclave depends on multiple parameters, like the

  • the application code,
  • the heap size,
  • the stack size,
  • the number of threads executing inside of the enclave (see threading),
  • ...

Some of these parameters, like the heap size, are configurable. When signing a SCONE application, you should set all configurable parameters. If a parameter is not specified, a default value is used instead. When starting an application, the SCONE runtime uses by default the parameter values specified during signing.

When trying to start an application with a different configuration than it was signed for, MrEnclave will be different. The SCONE runtime will detect this and tries to sign it dynamically during runtime. Note that the private key of MRSIGNER will not be available during runtime, and hence, the startup will fail.


The command line interface scone-signer signs SCONE applications:

scone-signer sign [flags] APPLICATION_PATH

To sign a SCONE application for production, you should specify the following flags:

  • --stack=INT: The stack size (default=2MB) [SCONE_STACK]",
  • --minheap=INT: The minimal heap size (default=20MB) [SCONE_MIN_HEAP]",
  • --heap=INT: The heap size (default=64MB) [SCONE_HEAP]",
  • --tcs=INT: The number of TCS (default=8) [SCONE_TCS]",
  • --mprotect=[0|1]: mprotect: 0 - disable, 1 - enable (default=0) [SCONE_MPROTECT]",
  • --dlopen=[0|1]: dlopen: 0 - disable, 1 - enable and require loaded libraries to be authenticated/encrypted (default=0) [SCONE_ALLOW_DLOPEN]",
  • --xfrm=INT: XFRM to set in SIGSTRUCT [SCONE_XFRM]",
  • --isvsvn=INT: SGX Independent Software Vendor Security Version Number (default=0) [SCONE_ISVSVN]",
  • --isvprodid=INT SGX Independent Software Vendor Product ID (default=0) [SCONE_ISVPRODID]"

Note that we support the following units (i.e., suffix of INT):

  • G: integer value * 2^30, i.e., GB
  • M: integer value * 2^20, i.e., MB
  • K: integer value * 2^10, i.e., KB

The following flags can also be provided:

  • --key=PATH The path to private key file. If not provided, a built-in debug key will be used [SCONE_KEY]",
  • --production Sign the enclave to run in production mode. [SCONE_PRODUCTION]",
  • --env Use the SCONE_* environment variables additionally to the provided arguments. Arguments overwrite environment variables".


The key to sign an enclave is passed via flag --key. The key has to have a certain format. You can generate a key as follows:

openssl genrsa -3 -out enclave-key.pem 3072