Utility for producing Ethereum-compatible signatures with Google Cloud KMS.
go get -u github.com/lixin9311/ether-gcp-kms-signer
This project is inspired by ethers-gcp-kms-signer.
GCP KMS is handed only a 32-byte digest, never the original message, so it does not and cannot check whether that digest is really a SHA256 hash rather than the output of some other hash function.
So we can trick KMS into signing a message by passing it a Keccak256 digest in place of the SHA256 one.
Please note there are some differences from the standard eth behavior:
Standard eth libraries generate the same, stable signature for the same message every time, because they derive the nonce deterministically from the hash.
Unlike most eth libs, KMS will generate a different signature for the same message each time. Since it uses a secure random number generator for the nonce, this should be safe, and the signatures remain compatible with other eth libraries.
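To make the two points above concrete, here is an added, self-contained Go example; it is not code from this project or from ethers-gcp-kms-signer. kmsSign stands in for Cloud KMS as the README describes it (an assumption, not Google's implementation): it accepts any 32-byte digest, draws a fresh random nonce, and returns a DER signature without low-S normalisation. toEthSignature is the client side: it parses the DER, forces S into the low half (Ethereum rejects high-S), and finds V by recovering the public key with both recovery ids. The secp256k1 arithmetic is written out with math/big so the example runs with the standard library alone, and digestSample is a constructed 32-byte stand-in for a Keccak-256 message hash.

```go
package main

import (
	"crypto/rand"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// secp256k1 domain parameters: field prime p, group order n, generator G.
var (
	p = hexInt("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F")
	n = hexInt("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141")
	G = &point{hexInt("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798"),
		hexInt("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8")}
	halfN = new(big.Int).Rsh(n, 1) // s > halfN is "high-S", which Ethereum rejects (EIP-2)
	digestSample = []byte("constructed-keccak256-stand-in!!") // constructed 32-byte stand-in for a Keccak-256 hash
)

func hexInt(s string) *big.Int { v, _ := new(big.Int).SetString(s, 16); return v }
type point struct{ x, y *big.Int } // affine point; x == nil is the point at infinity

// add returns a+b with the textbook affine formulas (clarity over speed; not constant-time).
func add(a, b *point) *point {
	if a.x == nil { return b } else if b.x == nil { return a }
	var num, den *big.Int
	if a.x.Cmp(b.x) == 0 {
		if a.y.Cmp(b.y) != 0 { return &point{} } // a == -b
		num = new(big.Int).Mul(big.NewInt(3), new(big.Int).Mul(a.x, a.x)) // 3x^2 (the curve's a-coefficient is 0)
		den = new(big.Int).Mul(big.NewInt(2), a.y)
	} else {
		num, den = new(big.Int).Sub(b.y, a.y), new(big.Int).Sub(b.x, a.x)
	}
	lambda := num.Mul(num, new(big.Int).ModInverse(den.Mod(den, p), p)).Mod(num, p)
	x := new(big.Int).Mul(lambda, lambda); x.Sub(x, a.x).Sub(x, b.x).Mod(x, p)
	y := new(big.Int).Sub(a.x, x)
	return &point{x, y.Mul(y, lambda).Sub(y, a.y).Mod(y, p)}
}

func mul(k *big.Int, q *point) *point { // k*q by double-and-add
	r := &point{}
	for i := k.BitLen() - 1; i >= 0; i-- {
		r = add(r, r)
		if k.Bit(i) == 1 { r = add(r, q) }
	}
	return r
}

type derSig struct{ R, S *big.Int }

// kmsSign emulates AsymmetricSign on an EC_SIGN_SECP256K1_SHA256 key (assumption modelled on the README):
// it checks only the digest length, signs with a fresh random nonce, returns DER and does not normalise S.
func kmsSign(priv *big.Int, digest []byte) ([]byte, error) {
	if len(digest) != 32 { return nil, fmt.Errorf("KMS expects a 32-byte digest, got %d", len(digest)) }
	z := new(big.Int).SetBytes(digest) // KMS cannot tell a Keccak-256 digest from a SHA-256 one
	for {
		k, err := rand.Int(rand.Reader, n)
		if err != nil { return nil, err } else if k.Sign() == 0 { continue }
		r := new(big.Int).Mod(mul(k, G).x, n)
		s := new(big.Int).Mul(r, priv)
		s.Add(s, z).Mul(s, new(big.Int).ModInverse(k, n)).Mod(s, n) // s = k^-1 (z + r*priv)
		if r.Sign() != 0 && s.Sign() != 0 { return asn1.Marshal(derSig{r, s}) }
	}
}

// recoverPubkey is ecrecover: rebuild R from r plus the parity bit recid, then Q = r^-1 (s*R - z*G).
// The astronomically rare recid 2/3 case (r + n < p) is not handled.
func recoverPubkey(digest []byte, r, s *big.Int, recid byte) (*point, error) {
	if recid > 1 || r.Sign() <= 0 || r.Cmp(n) >= 0 || s.Sign() <= 0 || s.Cmp(n) >= 0 { return nil, fmt.Errorf("signature values out of range") }
	y2 := new(big.Int).Add(new(big.Int).Exp(r, big.NewInt(3), p), big.NewInt(7))         // y^2 = x^3 + 7
	y := new(big.Int).Exp(y2, new(big.Int).Rsh(new(big.Int).Add(p, big.NewInt(1)), 2), p) // sqrt, as p ≡ 3 (mod 4)
	if y.Bit(0) != uint(recid) { y.Sub(p, y) } // pick the root whose parity matches recid
	zG := mul(new(big.Int).SetBytes(digest), G)
	return mul(new(big.Int).ModInverse(r, n), add(mul(s, &point{r, y}), &point{zG.x, new(big.Int).Sub(p, zG.y)})), nil
}

// toEthSignature turns a KMS DER signature into Ethereum's 65-byte R||S||V. S is forced low first;
// negating s changes which recid is right, so V is found afterwards by trying both ids against pub.
func toEthSignature(der, digest []byte, pub *point) ([]byte, error) {
	var sig derSig
	if _, err := asn1.Unmarshal(der, &sig); err != nil { return nil, err }
	if sig.S.Cmp(halfN) > 0 { sig.S = new(big.Int).Sub(n, sig.S) }
	for recid := byte(0); recid < 2; recid++ {
		if q, err := recoverPubkey(digest, sig.R, sig.S, recid); err == nil && q.x != nil && q.x.Cmp(pub.x) == 0 && q.y.Cmp(pub.y) == 0 {
			out := append(sig.R.FillBytes(make([]byte, 32)), sig.S.FillBytes(make([]byte, 32))...)
			return append(out, 27+recid), nil
		}
	}
	return nil, fmt.Errorf("no recovery id reproduces the public key")
}

func main() {
	priv, _ := rand.Int(rand.Reader, n) // demo key; with real KMS the private key never leaves Google's HSM
	pub := mul(priv, G)
	for i := 0; i < 2; i++ { // same digest twice: the random nonce yields two different, equally valid signatures
		der, _ := kmsSign(priv, digestSample); sig, _ := toEthSignature(der, digestSample, pub); fmt.Printf("%x\n", sig)
	}
}
```

Running it prints two different 65-byte signatures over the same digest, both of which recover to the same public key, which is exactly the behaviour the README describes. The recovery-id search is the step a KMS-backed signer needs that a local library does for free: KMS returns only (r, s), and after flipping a high s to n - s the parity of the recovered point flips with it, so V has to be determined on the normalised value.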
First, you need to create an ec-sign-secp256k1-sha256
private key in Google Cloud KMS; follow the documentation here: https://cloud.google.com/kms/docs/creating-asymmetric-keys
Or, you can bring your own private key, using the utils in this project to generate the correctly formatted DER key from the HEX format.
Also, you can create/import multiple private keys under the same Google Cloud KMS key by using the key versioning feature.
If you pass an empty KeyVersion when initializing the digest signer, it will fetch all available key versions and treat each one as a separate wallet / private key pair.
Check out the code; it is simple.
wallet_signer implements the Wallet interface and can be used as a wallet by eth libraries.
Or you can use digest_signer directly to sign already-hashed data.