validator-keys-tool icon indicating copy to clipboard operation
validator-keys-tool copied to clipboard
verified publisher icon ripple

Support signing via a third party signer

Open manthanhd opened this issue 1 year ago • 2 comments

Validator keys tool currently supports generating of the validator token using a private key that lives on the disk. For security, we're storing keys over HSM and MPC, that is exposed via an API. The API accepts payload to sign and eventually returns a signature.

The private key is never exposed outside of the system so it is not possible to import the private key on the disk for signing purposes. The signing process has to happen remotely, via an API call.

There are different ways of implementing this but one that comes to mind is:

  1. The validator keys tool supports some CLI option that produces the payload / digest to sign
  2. We take this payload / digest and make the API call to sign via a curl command
  3. Once we have the signature, we pass that into the validator tool, into something that finalizes it into the validator token

Thoughts?

manthanhd avatar Mar 04 '24 13:03 manthanhd

@manthanhd This sounds like a reasonable addition to the tool. As a next step, let's further define what the changes would be here?

To clarify, I think #1 would need to be added to the tool; #2 would be a manual step that you will make (i.e., the tool will not make API calls) and #3 would need to be added to the tool.

Does that sound about right?

sappenin avatar Mar 11 '24 16:03 sappenin

Hey @sappenin, yes this is correct. I can help validate this flow by implementing #2 on our side.

manthanhd avatar Mar 11 '24 17:03 manthanhd