Make it easier to recombine keys

[OisinKyne]

Problem to be solved

Potential customers expressed their concern that they can't bail from a DV fast. This has been intentional for us so far, but in practice it makes sense to hear customers say "we need a way to safely unwind a DV and go with a normal validator if something goes wrong".

Proposed solution

We have a variety of options for implementing this, and I think they have different tradeoffs.

• We could do something slick and automated and involve the network
• We can do something simple and basic and offline

I am a proponent of the latter, which is basically bringing in the combine.go program into the main charon cli interface. It puts the onus on assembling the private keys in one place on the operators, and leaves nothing to the imagination with respect to this being a centralising option.

My suggestion is we add a command (charon combine)
With short description: Combines private key shares into a single private key for a DV.

And long description Combines private key shares into a single private key for a DV. Warning, running this private key in a validator alongside the original distributed validator will result in slashing.

I think the default input dir could be .. Which means that the command would scan the current folder for .charon's

Also in scope of this ticket is documenting this process in the docs site with good tree outlines of the folder hierarchy.

Could also invest in lots of good error handling to help someone get the folder structure into something that works for the command. Unhelpful file parsing errors here will be an unpleasant UX for the probably distressed user.

Example input

If we want to combine a 5 of 7, one operator must gather a threshold of .charon folders, and must put them alongside one another. This command will traverse this folder (going 1 deep to find lock files and enrs), and will combine the private keys and output them to a folder of keystores and passwords at the end if it can find everything it needs.

charon combine --data-dir=example_combine

Folder structure:

 tree -a example_combine
example_combine
├── .charon-cgvhb
│   ├── charon-enr-private-key
│   ├── cluster-lock.json
│   ├── deposit-data.json
│   └── validator_keys
│       ├── keystore-0.json
│       └── keystore-0.txt
├── .charon-dsf
│   ├── charon-enr-private-key
│   ├── cluster-definition.json
│   ├── cluster-lock.json
│   ├── deposit-data.json
│   └── validator_keys
│       ├── keystore-0.json
│       └── keystore-0.txt
├── .charon-egdfg
│   ├── charon-enr-private-key
│   ├── cluster-definition.json
│   ├── cluster-lock.json
│   ├── deposit-data.json
│   └── validator_keys
│       ├── keystore-0.json
│       └── keystore-0.txt
├── .charon-ethberlin
│   ├── charon-enr-private-key
│   ├── cluster-definition.json
│   ├── cluster-lock.json
│   ├── deposit-data.json
│   └── validator_keys
│       ├── keystore-0.json
│       └── keystore-0.txt
└── .charon-gsrsd
    ├── charon-enr-private-key
    ├── cluster-lock.json
    ├── deposit-data.json
    └── validator_keys
        ├── keystore-0.json
        └── keystore-0.txt

Example output

tree validator_keys 
validator_keys
├── keystore-0.json
└── keystore-0.txt

Out of Scope

Technically, some of the subfolders in the input need not be a full .charon folder, they could be just a /validator_keys folder and we would be able to figure it out. Happy to put this out of scope for this ticket, but in future if people get stuck and need help, we could make it such that only one of the subfolders needs to be a full .charon and the rest could be only private keys, but that is too complex for now so we'll leave it out until we really need it.

[gsora]

We should come up with a way to handle many validators at once

We could have users setup their keystore files in a directory that's named after the validator's public key, at that point combine could iterate over all the directories with appropriate names and go from there.

[gsora]

Thinking about this again, why should we allow combining multiple validators key at once?

I'd say if someone wants to recombine multiple validator keys, they will run the tool multiple times targeting it to different folders containing different keys.

Keeping it simple has historically worked good.