Merge branch 'main' into release-builds

Author: geoff-vball

LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (C) 2019-2024, Ava Labs, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -1,114 +1,76 @@
-# Cubist Signer
+# Cube Signer Sidecar
 
-A proxy to be run alongside an
-[`avalanchego`](https://github.com/ava-labs/avalanchego) validator, used for all
-bls signatures (currently used for peer handshakes and ICM message signatures).
-This service runs a [gRPC](https://grpc.io/) server, implementing the
-[`signer.proto` service definition](https://github.com/ava-labs/avalanchego/blob/master/proto/signer/signer.proto).
-When the `gRPC` endpoints are hit, they make subsequent requests to the
-[Cubist-API](https://signer-docs.cubist.dev/api)
+This repository contains a proxy that can be run alongside [AvalancheGo](https://github.com/ava-labs/avalanchego) nodes to integrate them with [CubeSigner](https://cubist.dev/products/cubesigner-self-custody) for secure BLS key management powered by [Cubist](https://cubist.dev/). AvalancheGo nodes currently use BLS keys for peer handshakes and to sign [ICM messages](https://build.avax.network/docs/cross-chain/avalanche-warp-messaging/overview). By integrating with CubeSigner, AvalancheGo nodes do not need to store their BLS keys in memory or on disk. Instead, the keys are generated and kept within a remote hardware security module (HSM), and the AvalancheGo node is configured to request signatures from that HSM as needed via this `cube-signer-sidecar`.
+
+This service runs a [gRPC](https://grpc.io/) server, implementing the [`signer.proto` service definition](https://github.com/ava-labs/avalanchego/blob/master/proto/signer/signer.proto). When the `gRPC` endpoints are hit, they make subsequent requests to the [CubeSigner API](https://signer-docs.cubist.dev/api) to get the requested signature.
+
+A Cubist account is required to be able to properly use the `cube-signer-sidecar`.
 
 ## Building
 
-The `api/` directory contains generated code from the
-[Cubist OpenAPI specification](https://raw.githubusercontent.com/cubist-labs/CubeSigner-TypeScript-SDK/main/packages/sdk/spec/openapi.json).
-We use the [`spec/get-schemas.go`] script to filter the API-spec for the three
-endpoints that we care about as well as all the schemas that those endpoints
-use. The filtered Open-API specification is output to
-`spec/filtered-openapi.json`.
+The `api/` directory contains generated code from the [CubeSigner OpenAPI specification](https://raw.githubusercontent.com/cubist-labs/CubeSigner-TypeScript-SDK/main/packages/sdk/spec/openapi.json). The [`spec/get-schemas.go`] script is used to filter the API-spec for the three relevant endpoints, as well as all the schemas that those endpoints
+use. The filtered Open-API specification is output to `spec/filtered-openapi.json`.
 
-If there are changes in `spec/filtered-openapi.json`, you _must_ run
-`go generate ./signerserver` to re-generate the client code in the `api/`
-directory.
+If there are changes in `spec/filtered-openapi.json`, the `go generate ./signerserver` _must_ be run to re-generate the client code in the `api/` directory.
 
 ## Testing
 
-Currently, the only way to test the code is using
-[this PR](https://github.com/ava-labs/avalanchego/pull/3725) where you have to
-set the `--staking-rpc-signer=127.0.0.1:50051` configuration flag. You must
-first start this application before starting the `avalanchego` node.
+The `cube-signer-sidecar` depends on the AvalancheGo changes implemented in [this PR](https://github.com/ava-labs/avalanchego/pull/3965). In order to test it, set the `--staking-rpc-signer-endpoint=127.0.0.1:50051` configuration flag, and ensure that the `cube-signer-sidecar` application is running before starting the `avalanchego` node.
 
 ## Running
 
 ### Key Creation
 
-To run the `cubist-signer` locally, you will need a
-[`CubeSigner`](https://github.com/cubist-partners/CubeSigner/) application
-(sorry for the similar names). If you need an invite to see the repository,
-please reach out to someone on the @ava-labs/interop team. Once installed, you
-will need to set up the `CubeSigner` and login following
-[the Getting Started instructions](https://signer-docs.cubist.dev/getting-started)
-(the docs are password protected, the password should be in the `CubeSigner`
-README). After, you will need to create a `role` with the following command:
+The [`CubeSigner`](https://github.com/cubist-partners/CubeSigner/) application is needed to set up the `cube-signer-sidecar` to be run locally. Once installed, set up the `CubeSigner` and log in following the [Getting Started instructions](https://signer-docs.cubist.dev/getting-started). The following commands can then be used to set up a role, key, and signing policy. 
 
 ```shell
+# Create a role.
 cs role create --role-name bls_signer
-```
-
-Then create a key:
 
-```shell
+# Create a key.
 cs keys create --key-type=bls-ava-icm
-```
 
-Next, set the signing policy on the key:
-
-```shell
-# you can find the <key_id> using `cs keys list`
+# Set the signing policy for the key.
+# The `cs keys list` command can be used to find the <key_id>.
 cs key set-policy --key-id <key_id> --policy '"AllowRawBlobSigning"'
-```
-
-After, you need to add the key to the role
 
-```shell
-# you can either use the full <role_id> or use the <role_name> ("bls_signer" from above, for example)
+# Add the key to the role.
+# Either the full <role_id> or the <role_name> (i.e. "bls_signer") can be used.
 cs role add-key --role-id <role_id> --key-id <key_id>
-```
 
-Finally, you can create a token file associated with the role that you created:
-
-```shell
+# Finally, create a token file associated with the role.
 cs token create --role-id <role_id> > <path_to_token_file>.json
 ```
 
 ### Configuration
 
 Below is a list of configuration options that can be set via a JSON config file passed in via `--config-file` flag or set through environment variables or flags. To get the environment variable corresponding to the key uppercase the key and change the delimiter from "-" to "_". The following precedence order is used, with each item taking precedence over items below it:
+
 1. Flags
 2. Environment variables
 3. Config file
 
 - `"token-file-path": string` (required)
 
-  This is the relative path (absolute paths also work) to the token file, we
-  created from the last step above.
+  This is the path to the token file, created in the last step above.
 
-  The `refresh-token` (part of the JSON output of `cs token create`) has a very
-  short TTL by default, so you must start the signer (this repo) before it
-  expires. Once started, your `<path_to_token>.json` file will be continuously
-  refreshed as needed. To change any of the default token parameters, see
-  `cs token create --help`.
+  The `refresh-token` (part of the JSON output of `cs token create`) has a short TTL by default, and the `cube-signer-sidecar` must be started before it expires. Once started, the `<path_to_token>.json` file will be continuously refreshed as needed. To change any of the default token parameters, see `cs token create --help`.
 
 - `"signer-endpoint": string` (required)
 
-  This is the Cubist-API endpoint.
+  The CubeSigner API endpoint.
 
 - `"key-id": string` (required)
 
-  The `cubist-signer` (this repo) can only use one key at a time as an
-  `avalanchego` validator is only meant to have a single BLS signing key.
-  Specifying the `KEY_ID` is how the Cubist-API knows what key to use for
-  signing. The `role` associated with the `role_id` filed in the token JSON will
-  need access to this key (see [Configuration](#configuration))
+  The `cube-signer-sidecar` can only use one key at a time, as an `avalanchego` validator is only meant to have a single BLS signing key. Specifying the `KEY_ID` is how the CubeSigner API knows what key to use for signing. The `role` associated with the `role_id` filed in the token JSON will need access to this key (see [Configuration](#configuration)).
 
 - `"port": int` (defaults to 50051)
 
-  Port at which to start the local signer server.
+  The port at which to start the local signer server.
 
 ### Usage
 
-Both the `SIGNER_ENDPOINT` and `KEY_ID` can be exported in your current shell
-session as they are unlikely to change if you running the signer locally.
+Both the `SIGNER_ENDPOINT` and `KEY_ID` can be exported in the current shell session as they are unlikely to change if running the signer locally.
 
 ```bash
 export SIGNER_ENDPOINT=https://gamma.signer.cubist.dev
@@ -120,11 +82,8 @@ TOKEN_FILE_PATH="./token.json" go run main/main.go
 ### E2E tests
 
 #### Running Locally
-To run E2E locally follow the steps in [Key Creation](#key-creation) above to generate a new key associated with the `e2e_signer` role and generate a session token file saved as `e2e_session.json`. After that the tests can be run via 
+To run E2E locally follow the [key creation](#key-creation) steps above to generate a new key associated with the `e2e_signer` role, and generate a session token file saved as `e2e_session.json`. After that the tests can be run via 
 
 ```bash
 ./scripts/e2e_test.sh
 ```
-
-#### CI
-The base64 encoded session token is stored in Github secrets. It currently expires on 6/05/2026. When it expires, a new token can be generated and stored there.

api/client.go

@@ -19,7 +19,7 @@ const (
 )
 
 func BuildFlagSet() *pflag.FlagSet {
-	fs := pflag.NewFlagSet("cubist-signer", pflag.ExitOnError)
+	fs := pflag.NewFlagSet("cube-signer-sidecar", pflag.ExitOnError)
 	fs.Bool(HelpKey, false, "Display this help message and exit")
 	fs.String(ConfigFileKey, "", "Path to the config file")
 

api/types.go

@@ -1,18 +1,18 @@
-module github.com/ava-labs/cubist-signer
+module github.com/ava-labs/cube-signer-sidecar
 
-go 1.23.10
+go 1.23.11
 
 require (
 	github.com/ava-labs/avalanchego v1.13.2
-	github.com/oapi-codegen/oapi-codegen/v2 v2.4.1
-	github.com/oapi-codegen/runtime v1.1.1
+	github.com/oapi-codegen/oapi-codegen/v2 v2.5.0
+	github.com/oapi-codegen/runtime v1.1.2
 	github.com/onsi/ginkgo/v2 v2.23.4
 	github.com/onsi/gomega v1.37.0
 	github.com/spf13/pflag v1.0.6
 	github.com/spf13/viper v1.20.1
 	github.com/stretchr/testify v1.10.0
 	go.uber.org/mock v0.5.2
-	go.uber.org/zap v1.26.0
+	go.uber.org/zap v1.27.0
 	google.golang.org/grpc v1.73.0
 )
 
@@ -22,7 +22,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dprotaso/go-yit v0.0.0-20220510233725-9ba8df137936 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
-	github.com/getkin/kin-openapi v0.131.0 // indirect
+	github.com/getkin/kin-openapi v0.132.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
@@ -41,7 +41,8 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/speakeasy-api/openapi-overlay v0.9.0 // indirect
+	github.com/speakeasy-api/jsonpath v0.6.0 // indirect
+	github.com/speakeasy-api/openapi-overlay v0.10.2 // indirect
 	github.com/spf13/afero v1.12.0 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect

config/keys.go

@@ -23,8 +23,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/getkin/kin-openapi v0.131.0 h1:NO2UeHnFKRYhZ8wg6Nyh5Cq7dHk4suQQr72a4pMrDxE=
-github.com/getkin/kin-openapi v0.131.0/go.mod h1:3OlG51PCYNsPByuiMB0t4fjnNlIDnaEDsjiKUV8nL58=
+github.com/getkin/kin-openapi v0.132.0 h1:3ISeLMsQzcb5v26yeJrBcdTCEQTag36ZjaGk7MIRUwk=
+github.com/getkin/kin-openapi v0.132.0/go.mod h1:3OlG51PCYNsPByuiMB0t4fjnNlIDnaEDsjiKUV8nL58=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -81,10 +81,10 @@ github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwd
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/oapi-codegen/oapi-codegen/v2 v2.4.1 h1:ykgG34472DWey7TSjd8vIfNykXgjOgYJZoQbKfEeY/Q=
-github.com/oapi-codegen/oapi-codegen/v2 v2.4.1/go.mod h1:N5+lY1tiTDV3V1BeHtOxeWXHoPVeApvsvjJqegfoaz8=
-github.com/oapi-codegen/runtime v1.1.1 h1:EXLHh0DXIJnWhdRPN2w4MXAzFyE4CskzhNLUmtpMYro=
-github.com/oapi-codegen/runtime v1.1.1/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
+github.com/oapi-codegen/oapi-codegen/v2 v2.5.0 h1:iJvF8SdB/3/+eGOXEpsWkD8FQAHj6mqkb6Fnsoc8MFU=
+github.com/oapi-codegen/oapi-codegen/v2 v2.5.0/go.mod h1:fwlMxUEMuQK5ih9aymrxKPQqNm2n8bdLk1ppjH+lr9w=
+github.com/oapi-codegen/runtime v1.1.2 h1:P2+CubHq8fO4Q6fV1tqDBZHCwpVpvPg7oKiYzQgXIyI=
+github.com/oapi-codegen/runtime v1.1.2/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//JalHPu/3yz+De2J+4aLtSRlHiY=
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037/go.mod h1:2bpvgLBZEtENV5scfDFEtB/5+1M4hkQhDQrccEJ/qGw=
 github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 h1:bQx3WeLcUWy+RletIKwUIt4x3t8n2SxavmoclizMb8c=
@@ -120,8 +120,10 @@ github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
-github.com/speakeasy-api/openapi-overlay v0.9.0 h1:Wrz6NO02cNlLzx1fB093lBlYxSI54VRhy1aSutx0PQg=
-github.com/speakeasy-api/openapi-overlay v0.9.0/go.mod h1:f5FloQrHA7MsxYg9djzMD5h6dxrHjVVByWKh7an8TRc=
+github.com/speakeasy-api/jsonpath v0.6.0 h1:IhtFOV9EbXplhyRqsVhHoBmmYjblIRh5D1/g8DHMXJ8=
+github.com/speakeasy-api/jsonpath v0.6.0/go.mod h1:ymb2iSkyOycmzKwbEAYPJV/yi2rSmvBCLZJcyD+VVWw=
+github.com/speakeasy-api/openapi-overlay v0.10.2 h1:VOdQ03eGKeiHnpb1boZCGm7x8Haj6gST0P3SGTX95GU=
+github.com/speakeasy-api/openapi-overlay v0.10.2/go.mod h1:n0iOU7AqKpNFfEt6tq7qYITC4f0yzVVdFw0S7hukemg=
 github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
 github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
 github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
@@ -166,8 +168,8 @@ go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
 go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
-go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=

go.mod

@@ -9,9 +9,9 @@ import (
 	"strconv"
 
 	"github.com/ava-labs/avalanchego/proto/pb/signer"
-	"github.com/ava-labs/cubist-signer/api"
-	"github.com/ava-labs/cubist-signer/config"
-	"github.com/ava-labs/cubist-signer/signerserver"
+	"github.com/ava-labs/cube-signer-sidecar/api"
+	"github.com/ava-labs/cube-signer-sidecar/config"
+	"github.com/ava-labs/cube-signer-sidecar/signerserver"
 	"google.golang.org/grpc"
 )