feat(awskms): add awskms support for grpc signing

[mattac21]

No description provided.

[greptile-apps]

Greptile Summary

This PR wires AWS KMS as a signing backend for the gRPC SignerService, complementing the existing consensus (privval) path. It also applies a consistent Backend rename across file, awskms, and pkcs11 packages to distinguish consensus-path types from the new gRPC Signer adapter.

• New awskms.Signer (signing/awskms/signer.go) adapts *Backend to signing.Signer; OpenSigner rejects non-ed25519 algorithms before any AWS call and delegates Sign/PubKey/Close to the wrapped backend.
• BuildGRPC extended with a closers/deferred-cleanup pattern matching Build, awskms support in newGRPCSigner, and a returned cleanup func() consumed by main.go.
• validateGRPC now resolves and writes back the absolute key_file path for file-backend keys (closing the asymmetry noted in a prior review), and validates awskms keys with the same key_id/algorithm checks used by the consensus path.

Confidence Score: 5/5

Safe to merge; the new awskms gRPC path follows the same cleanup, validation, and error-return conventions as the established consensus path.

The cleanup-on-error pattern in BuildGRPC mirrors Build exactly (deferred func checks the named return err). Path resolution for file-backend gRPC keys is now done once in validateGRPC and written back, so newGRPCSigner correctly consumes the absolute path without a second AbsPath call. The awskms.Signer adapter is thin and correct — it reuses the Backend's cached public key and Sign path, and the compile-time interface assertion in signer.go guards all implementations. No logic errors were found in the changed paths.

No files require special attention.

Important Files Changed

Filename	Overview
signing/awskms/signer.go	New adapter wrapping Backend to satisfy the gRPC signing.Signer interface; correctly delegates PubKey, Scheme, Sign, and Close. OpenSigner adds a guard rejecting non-ed25519 algorithms before any AWS call.
internal/app/build.go	BuildGRPC gains awskms support and a closers/cleanup pattern matching Build; deferred cleanup on error prevents leaks; newGRPCSigner now resolves file paths via Validate rather than an inline AbsPath call.
config/validate.go	validateGRPC extended with awskms backend validation; file key now resolves and writes back the absolute path (k.KeyFile = AbsPath), closing the asymmetry noted in the prior review thread.
signing/signer.go	Adds Close() error to the signing.Signer interface; all existing implementations (file, awskms, memEd25519 in tests) already have no-op implementations, and the compile-time assertion in server_test.go enforces the contract.
internal/app/build_awskms_test.go	Splits the existing test into consensus/grpc sub-tests; grpc sub-test discards the cleanup function without registering it with t.Cleanup, inconsistent with the consensus sub-test pattern.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant main as cmd/kms/main.go
    participant build as app.BuildGRPC
    participant val as config.Validate
    participant ns as newGRPCSigner
    participant oss as awskms.OpenSigner
    participant kms as AWS KMS

    main->>val: cfg.Validate(home)
    val-->>main: ok (resolves key paths, validates key_id/algorithm)

    main->>build: BuildGRPC(cfg, home, logger)
    build->>build: setup closers + deferred cleanup
    loop for each grpc.key
        build->>ns: newGRPCSigner(home, k)
        alt "backend=awskms"
            ns->>oss: "OpenSigner(ctx, Config{KeyID, Region, ...})"
            oss->>kms: GetPublicKey(keyID)
            kms-->>oss: PublicKey bytes
            oss-->>ns: "*Signer"
        else "backend=file"
            ns-->>ns: file.LoadSecp256k1(k.KeyFile)
        end
        ns-->>build: signing.Signer
        build->>build: append to closers
    end
    build->>build: load TLS creds, grpc.NewServer, net.Listen
    build-->>main: gs, cleanupGRPC, lis, nil

    main->>main: defer cleanupGRPC()
    main->>main: defer gs.GracefulStop()
    main->>main: go gs.Serve(lis)

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant main as cmd/kms/main.go
    participant build as app.BuildGRPC
    participant val as config.Validate
    participant ns as newGRPCSigner
    participant oss as awskms.OpenSigner
    participant kms as AWS KMS

    main->>val: cfg.Validate(home)
    val-->>main: ok (resolves key paths, validates key_id/algorithm)

    main->>build: BuildGRPC(cfg, home, logger)
    build->>build: setup closers + deferred cleanup
    loop for each grpc.key
        build->>ns: newGRPCSigner(home, k)
        alt "backend=awskms"
            ns->>oss: "OpenSigner(ctx, Config{KeyID, Region, ...})"
            oss->>kms: GetPublicKey(keyID)
            kms-->>oss: PublicKey bytes
            oss-->>ns: "*Signer"
        else "backend=file"
            ns-->>ns: file.LoadSecp256k1(k.KeyFile)
        end
        ns-->>build: signing.Signer
        build->>build: append to closers
    end
    build->>build: load TLS creds, grpc.NewServer, net.Listen
    build-->>main: gs, cleanupGRPC, lis, nil

    main->>main: defer cleanupGRPC()
    main->>main: defer gs.GracefulStop()
    main->>main: go gs.Serve(lis)

Loading

_{Reviews (2): Last reviewed commit: "normalize config path for grpc key files..." | Re-trigger Greptile}

[linear-code]

FOU-365

[mattac21]

@greptile review again and update your previous review

[mattac21]

did a refactor of the existing implementors of the Backend interface. All of the implementors were named Signer, which as the obvious name for the implementors of the Signing interface. I changed the Backend implementors to be called Backend to free up the Signer name for my new structs.

[mattac21]

not necessarily required until we get grpc signing support for pkcs11 keys, but ai kept flagging the asymmetry where we did not call close on the Signers on exit, so I added this and cleanup on exit of the grpc server that matches cleaning up the backends.

[dhfang]

I don't have full context on the motivation for starting with ed25519 support, but from what I understand this won't have any consumers. Validators don't rely on gRPC signing and we don't have solana relaying support planned yet. For the relayer and attestor we will rely on secp for the release.

[swift1337]

Suggested change

	KeyID string `yaml:"key_id"` // awskms: KMS id, ARN, or alias/<name>
	AWSKeyID string `yaml:"aws_key_id"` // awskms: KMS id, ARN, or alias/<name>

[swift1337]

ed26619 is relevant not only to AWS Keys

[swift1337]

imo, we should explicitly fail if it's not specified. Even when the backend is "", we still need a key file path.

[swift1337]

Can we wrap all of this into Server with s.Close(), s.Listener(), etc... and return only (*Server, error) ?

[swift1337]

let' move all algo types to const Algo* eg AlgoSecp256k1 (applies to all files)