clients [PM-21033] Implement signing key migration

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-21033

📔 Objective

This PR handles local state handling of signing keys, and the upgrade path to signing keys.

Note: The build fails because an SDK change still needs to be merged. However, the rest of the PR is reviewable.

📸 Screenshots

⏰ Reminders before review

Contributor guidelines followed
All formatters and local linters executed and passed
Written new unit and / or integration tests where applicable
Protected functional changes with optionality (feature flags)
Used internationalization (i18n) for all UI strings
CI builds passed
Communicated to DevOps any deployment requirements
Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

👍 (:+1:) or similar for great changes
📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
❓ (:question:) for questions
🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
🎨 (:art:) for suggestions / improvements
❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
⛏ (:pick:) for minor or nitpick changes

May 26 '25 10:05 quexten

Checkmarx One – Scan Summary & Details – 6aab053a-94fa-479d-922b-7331a7161036

Great job! No new security vulnerabilities introduced in this pull request

Jun 02 '25 12:06 github-actions[bot]

Codecov Report

:x: Patch coverage is 64.95726% with 82 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 38.90%. Comparing base (d17fa04) to head (24f8b5b). :warning: Report is 13 commits behind head on main.

Files with missing lines	Patch %	Lines
...y-management/keys/response/public-keys.response.ts	0.00%	15 Missing :warning:
...ement/key-rotation/request/account-keys.request.ts	66.66%	8 Missing :warning:
...-management/keys/response/private-keys.response.ts	71.42%	5 Missing and 1 partial :warning:
...esponse/public-key-encryption-key-pair.response.ts	57.14%	3 Missing and 3 partials :warning:
...ement/keys/response/signature-key-pair.response.ts	33.33%	3 Missing and 3 partials :warning:
.../src/key-management/enums/signing-key-type.enum.ts	0.00%	5 Missing :warning:
...t/keys/services/default-key-api-service.service.ts	0.00%	5 Missing :warning:
.../security-state/services/security-state.service.ts	0.00%	5 Missing :warning:
libs/angular/src/services/jslib-services.module.ts	0.00%	4 Missing :warning:
...security-state/response/security-state.response.ts	42.85%	2 Missing and 2 partials :warning:
... and 10 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #14942      +/-   ##
==========================================
+ Coverage   38.86%   38.90%   +0.03%     
==========================================
  Files        3419     3435      +16     
  Lines       97259    97460     +201     
  Branches    14611    14648      +37     
==========================================
+ Hits        37802    37918     +116     
- Misses      57798    57879      +81     
- Partials     1659     1663       +4

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:

:package: JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Jul 15 '25 14:07 codecov[bot]

Could you add some test coverage to:

libs/common/src/platform/sync/default-sync.service.ts - No coverage for initialize_user_crypto
apps/web/src/app/key-management/key-rotation/user-key-rotation.service.ts - No coverage when EnrollAeadOnKeyRotation is enabled