-
Notifications
You must be signed in to change notification settings - Fork 449
docs: tw768-kms #3419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
pete-vielhaber
wants to merge
9
commits into
master
Choose a base branch
from
tw768-kms
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+87
−0
Open
docs: tw768-kms #3419
Changes from 3 commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
ba16cbc
Initial push of content
pete-vielhaber 678d3cb
Adding kms signing services doc
pete-vielhaber 9419820
Style
pete-vielhaber 46a884b
Merge branch 'master' into tw768-kms
anegg0 59a109f
Apply suggestions from code review
pete-vielhaber b71836e
Fixing frontmatter
pete-vielhaber 22390fc
Apply suggestions from code review
pete-vielhaber 488ad6b
Merge branch 'master' into tw768-kms
anegg0 c50eeb3
Apply suggestions from code review
pete-vielhaber File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
82 changes: 82 additions & 0 deletions
82
docs/launch-arbitrum-chain/integrations/bp-kms-signing-services.mdx
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| --- | ||
| title: 'Batch poster: External signing (KMS)' | ||
| sidebar_label: 'KMS and signing services' | ||
| description: 'Learn how to integrate external signing—including AWS KMS for the batch poster for your chain.' | ||
| author: pete-vielhaber | ||
| sme: jason-w123 | ||
| user_story: As an Arbitrum chain operator, I want to integrate KMS and signing services for my batch poster. | ||
| content_type: how-to | ||
| --- | ||
|
|
||
| Nitro's batch poster (and staker) sign their L1 transaction through the **DataPoster** component. By default it signs locally with a private key, but it also supports **generic RPC-based external signing**: instead of holding the key, Nitro sends an unsigned transaction to a remote signer over (m)TLS, gets back a signed transaction, and independently verifies it. | ||
|
pete-vielhaber marked this conversation as resolved.
Outdated
|
||
|
|
||
| :::info | ||
|
|
||
| There is **no native AWS KMS integration** in the Nitro codebase. KMS support is achieved by running a _separate signer service_ that talks to KMS and exposes an Ethereum-style `eth_signTransaction` RPC endpoint. Nitro connects to that endpoint. In other words: "KMS support" = external signer pointed at a KMS-backed signing service. | ||
|
|
||
| ::: | ||
|
|
||
| ## How it works internally | ||
|
|
||
| 1. **Connect**—`rpcClient()` dials the signer URL with a TLS config: optional client cert/key for mTLS (`ClientCert`/`ClientPrivateKey`), optional `RootCA` (lets you use self-signed certs), and `InsecureSkipVerify`. | ||
| 2. **Sign**—`externalSigner()` returns a signer callback that: | ||
|
|
||
| - Converts the transaction to `apitypes.SendTxArgs` via `TxToSignTxArgs` | ||
|
pete-vielhaber marked this conversation as resolved.
Outdated
|
||
| - Note that it fully supports EIP-4844 blob transactions (blobs, commitments, proofs), which the batch poster needs. | ||
|
pete-vielhaber marked this conversation as resolved.
Outdated
|
||
| - Calls the configured RPC method: `client.CallContext(ctx, &data, opts.Method, args)`, expecting an RLP-encoded signed transaction back. | ||
| - **Verifies** the returned transaction: the hash must match the request and the recovered sender must equal the configured `Address`. This means TLS is _not_ relied on for authentication—the signature itself is checked at the application layer. | ||
|
|
||
| ## Configuration | ||
|
|
||
| The config struct is `ExternalSignerCfg`: | ||
|
|
||
| | Field | koanf key | Purpose | | ||
| | -------------------- | ---------------------- | -------------------------------------------------------------------------------------------- | | ||
| | `URL` | `url` | RPC endpoint of the signer. **Setting this enables external signing** (overrides local key). | | ||
| | `Address` | `address` | Hex Ethereum address the signer controls; used to verify returned signatures. | | ||
| | `Method` | `method` | RPC method name, e.g., `eth_signTransaction`. | | ||
| | `RootCA` | `root-ca` | (Optional) CA cert to trust — enables self-signed server certs. | | ||
| | `ClientCert` | `client-cert` | (Optional) client cert for mTLS. | | ||
| | `ClientPrivateKey` | `client-private-key` | (Optional) client key for mTLS (required if `client-cert` set). | | ||
| | `InsecureSkipVerify` | `insecure-skip-verify` | Skip server TLS verification (not recommended). | | ||
|
|
||
| This config is nested under both the batch poster and the staker. So the full CLI flag paths are: | ||
|
pete-vielhaber marked this conversation as resolved.
Outdated
|
||
|
|
||
| **Batch poster:** | ||
|
|
||
| ``` | ||
| --node.batch-poster.data-poster.external-signer.url | ||
| --node.batch-poster.data-poster.external-signer.address | ||
| --node.batch-poster.data-poster.external-signer.method | ||
| --node.batch-poster.data-poster.external-signer.root-ca | ||
| --node.batch-poster.data-poster.external-signer.client-cert | ||
| --node.batch-poster.data-poster.external-signer.client-private-key | ||
| --node.batch-poster.data-poster.external-signer.insecure-skip-verify | ||
| ``` | ||
|
|
||
| **Staker** uses the same fields under `--node.staker.data-poster.external-signer.*` | ||
|
pete-vielhaber marked this conversation as resolved.
Outdated
|
||
|
|
||
| When `external-signer.url` is empty, the batch poster requires a local key. The check in `cmd/nitro/nitro.go` confirms this—and note that **AnyTrust mode still needs a local key** (external signing isn't supported alongside AnyTrust there). | ||
|
pete-vielhaber marked this conversation as resolved.
Outdated
|
||
|
|
||
| ## What the signer service must implement | ||
|
|
||
| Your signer (whether KMS-backed or otherwise) must expose an HTTPS RPC server with a method matching `Method`, that: | ||
|
pete-vielhaber marked this conversation as resolved.
Outdated
|
||
|
|
||
| - Accepts an Ethereum transaction object (`apitypes.SendTxArgs`—the standard `eth_signTransaction` shape, including blob fields for EIP-4844), | ||
| - Returns the RLP-encoded **signed** transaction as a hex string, | ||
| - Signs with the key for the address you configured as `address`. | ||
|
|
||
| If you use mTLS, the server must require and verify the client cert that matches `client-cert`/`client-private-key`. | ||
|
|
||
| ## Reference implementations | ||
|
|
||
| Nitro ships two working examples you can model a KMS service on: | ||
|
|
||
| - **`cmd/mockexternalsigner/mockexternalsigner.go`**—a standalone signer binary. It | ||
| builds an `rpc.Server`, registers a signing method, serves over HTTPS with | ||
| `tls.RequireAndVerifyClientCert`, and prints the exact flags to pass to Nitro. Swap the | ||
|
pete-vielhaber marked this conversation as resolved.
Outdated
|
||
| local-key `txOpts.Signer` for a KMS-backed signer and you have a KMS integration. | ||
|
pete-vielhaber marked this conversation as resolved.
Outdated
|
||
| - **`arbnode/dataposter/externalsignertest/externalsignertest.go`**—the test harness, | ||
| showing the server side (`SignerAPI`, method registration, cert setup with | ||
| `RequireAndVerifyClientCert`). The RPC method (`externalsignertest.go:185`) takes | ||
| `*apitypes.SendTxArgs` and returns the RLP-encoded signed tx as `hexutil.Bytes`. | ||
|
pete-vielhaber marked this conversation as resolved.
Outdated
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.