3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -15,8 +15,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Strict raft state. [#3167](https://github.com/evstack/ev-node/pull/3167)
- Retry fetching the timestamp on error in da-client [#3166](https://github.com/evstack/ev-node/pull/3166)

### Changes
### Added

- Add AWS KMS signer backend [#3171](https://github.com/evstack/ev-node/pull/3171)
- Subscribe to forced inclusion namespace events [#3146](https://github.com/evstack/ev-node/pull/3146)

## v1.0.0
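Review bot: the `### Changes` heading is replaced by `### Added` rather than kept alongside it, yet this PR also changes a public function signature (`rollcmd.CreateSigner` now takes a `context.Context` first argument, per the `apps/evm/cmd/init.go` hunk), which is a breaking change for any downstream caller and deserves its own line under a `Changed` heading; the new `Add AWS KMS signer backend` entry only describes the feature. Suggest keeping both headings, e.g. `### Changed` with `- CreateSigner now takes a context.Context` and `### Added` with the KMS backend entry.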
2 changes: 1 addition & 1 deletion apps/evm/cmd/init.go
Expand Up @@ -58,7 +58,7 @@ func InitCmd() *cobra.Command {
}
}

proposerAddress, err := rollcmd.CreateSigner(&cfg, homePath, passphrase)
proposerAddress, err := rollcmd.CreateSigner(cmd.Context(), &cfg, homePath, passphrase)
if err != nil {
return err
}
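Review bot: `cmd.Context()` is only as useful as the context the root command was started with; cobra falls back to `context.Background()` when the command is run via `Execute()` rather than `ExecuteContext()`, in which case the KMS calls made during signer creation cannot be cancelled by a signal. Since a cloud KMS backend may perform remote calls at construction time (fetching the public key, validating the key), consider deriving a bounded context here, e.g. `ctx, cancel := context.WithTimeout(cmd.Context(), 30*time.Second); defer cancel()`, so a hanging KMS endpoint fails `init` rather than blocking it indefinitely.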
37 changes: 34 additions & 3 deletions apps/evm/go.mod
Expand Up @@ -19,12 +19,34 @@ require (
)

require (
cloud.google.com/go v0.123.0 // indirect
cloud.google.com/go/auth v0.18.2 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
cloud.google.com/go/compute/metadata v0.9.0 // indirect
cloud.google.com/go/iam v1.5.3 // indirect
cloud.google.com/go/kms v1.26.0 // indirect
cloud.google.com/go/longrunning v0.8.0 // indirect
connectrpc.com/connect v1.19.1 // indirect
connectrpc.com/grpcreflect v1.3.0 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20251001021608-1fe7b43fc4d6 // indirect
github.com/StackExchange/wmi v1.2.1 // indirect
github.com/armon/go-metrics v0.4.1 // indirect
github.com/aws/aws-sdk-go-v2 v1.41.4 // indirect
github.com/aws/aws-sdk-go-v2/config v1.32.12 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.19.12 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.50.3 // indirect
github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 // indirect
github.com/aws/smithy-go v1.24.2 // indirect
github.com/benbjohnson/clock v1.3.5 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bits-and-blooms/bitset v1.20.0 // indirect
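Review bot: this hunk pulls both `cloud.google.com/go/kms v1.26.0` and `github.com/aws/aws-sdk-go-v2/service/kms v1.50.3` (plus the Google auth, IAM and longrunning stack) into the EVM application binary, while the changelog entry describes only an AWS KMS backend. If the GCP KMS client is not used by this PR, please confirm where it is coming from (a multi-cloud signer library, or an unconditional import in the signer package) and consider isolating each backend behind build tags or a separate module; every additional cloud SDK in a node that holds signing authority widens the supply-chain surface that has to be audited and kept patched.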
Expand All @@ -49,6 +71,7 @@ require (
github.com/emicklei/dot v1.6.2 // indirect
github.com/ethereum/c-kzg-4844/v2 v2.1.6 // indirect
github.com/fatih/color v1.18.0 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/ferranbt/fastssz v0.1.4 // indirect
github.com/filecoin-project/go-clock v0.1.0 // indirect
github.com/filecoin-project/go-jsonrpc v0.10.1 // indirect
Expand All @@ -68,7 +91,10 @@ require (
github.com/google/flatbuffers v25.1.24+incompatible // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/gopacket v1.1.19 // indirect
github.com/google/s2a-go v0.1.9 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
github.com/googleapis/gax-go/v2 v2.18.0 // indirect
github.com/gorilla/websocket v1.5.3 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
github.com/hashicorp/go-hclog v1.6.3 // indirect
Expand Down Expand Up @@ -177,6 +203,8 @@ require (
github.com/wlynxg/anet v0.0.5 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
go.opentelemetry.io/otel v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 // indirect
Expand All @@ -195,16 +223,19 @@ require (
golang.org/x/exp v0.0.0-20260112195511-716be5621a96 // indirect
golang.org/x/mod v0.33.0 // indirect
golang.org/x/net v0.52.0 // indirect
golang.org/x/oauth2 v0.36.0 // indirect
golang.org/x/sync v0.20.0 // indirect
golang.org/x/sys v0.42.0 // indirect
golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4 // indirect
golang.org/x/text v0.35.0 // indirect
golang.org/x/time v0.12.0 // indirect
golang.org/x/time v0.15.0 // indirect
golang.org/x/tools v0.42.0 // indirect
golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
gonum.org/v1/gonum v0.17.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
google.golang.org/api v0.272.0 // indirect
google.golang.org/genproto v0.0.0-20260217215200-42d3e9bedb6d // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260217215200-42d3e9bedb6d // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260311181403-84a4fc48630c // indirect
google.golang.org/grpc v1.79.2 // indirect
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the latest version of google.golang.org/grpc and does it fix GHSA-p77j-4mvh-x3m3?

💡 Result:

The latest version of google.golang.org/grpc is v1.79.3, released on 2026-03-17. Yes, it fixes GHSA-p77j-4mvh-x3m3. The release notes explicitly state under Security: "server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted 'deny' rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#8981)". This matches the vulnerability description in advisories (CVE-2026-33186), which involves authorization bypass via missing leading slash in :path.

Citations:


Upgrade google.golang.org/grpc to v1.79.3 to fix critical authorization bypass vulnerability

google.golang.org/grpc v1.79.2 contains GHSA-p77j-4mvh-x3m3 (CVE-2026-33186), an authorization bypass where malformed :path headers missing the leading slash can bypass path-based access controls in gRPC interceptors. Since the KMS signer uses gRPC to communicate with cloud KMS services, this vulnerability affects the security of signing operations. Upgrade to v1.79.3, which fixes this issue by rejecting non-canonical paths.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/evm/go.mod` at line 239, Update the grpc dependency entry to
google.golang.org/grpc v1.79.3 in the go.mod (replace the existing
google.golang.org/grpc v1.79.2 // indirect line), then run go mod tidy (or go
get google.golang.org/grpc@v1.79.3) to update the lockfiles and verify module
downloads; this addresses the CVE by ensuring the project uses the patched grpc
version.

google.golang.org/protobuf v1.36.11 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
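Review bot: agreed with the comment above that `google.golang.org/grpc v1.79.2` should be bumped to v1.79.3 before merge. Two further points on this hunk: the `google.golang.org/genproto/googleapis/api` and `google.golang.org/genproto/googleapis/rpc` entries now sit at different snapshot dates (20260217 vs 20260311), which usually means `go mod tidy` was run against a partially updated tree, so please re-run it after the grpc bump and commit the matching `go.sum`; and since the signer package is shared, the same grpc version should be applied to the root module and any other app module that imports it, otherwise the advisory is fixed only for `apps/evm`.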