[Tracking] - Web3Signer capabilities for Prysm

[james-prysm]

🚀 Feature Request

Description

Web3Signer is a popular remote signer tool by Consensys to allow users to store validation keys outside of the validation client.
Currently, all other PoS client teams are working to support integration with this tool and Prysm should also be a part.
documentation on the Web3signer tool can be found here https://consensys.github.io/web3signer/web3signer-eth2.html and https://docs.web3signer.consensys.net/en/latest/

Describe the solution you'd like

• Provide integration with Web3signer by implementing wrapper methods of web3signer rest api endpoints.
• Integrate support for the new keymanager remote-web3signer in the Prysm validator client for use
• Create Web3Signer Models and mapper functions for Prysm
• Prysm refactors required to get data needed for web3signer
• add validation rules to JSON structs
• Provide cli flags as webhooks to define the domain of the remote signer
• Provide cli flags to configure which keys should be used in the signing process.
• issue Re-Think and Refactor Prysm's Wallet/Keymanager Code #9883 impacted by this feature, need to refactor all of these areas
• skip test interop mode with --web, this is not supported
• Allow for reloading of set public keys ( mvp requires restart of Prysm to add new keys) implement remote keymanager api on prysm
• Add metrics and tracing capabilities to productionize
• TLS configurations which accepts connections from clients that use trusted CA certificates or self-signed certificates.
• support voluntary exit via cli for web3signer prysmctl: validator exit  #11515
• Update Prysm docs to explain support of the feature
• improve mapper tests to have more realistic data from spec tests
• web3signer for merge Web3 Signer integration updates for merge #10053
• E2E tests with real or mock support for web3signer
• address validator db location for web3signer due to not having subfolder for type Complex ways to manage validator client database path #13391
• persistent db for public keys

Future Discussions

• supporting mutiple web3signers? prysm currently supports 1signer to 1 vc
• TLS support for web3signer

Tracking Changes

As web 3 signer changes we need to track issues and when we should resolve them. I am creating this Issue to track major changes in the future for web3signer.

Items to watch

• web3signer changing flag name for key import
• removal of network flag

[james-prysm]

cli WIP

[james-prysm]

Working on Web3signer object mapping right now

[james-prysm]

continuing on cli work

[james-prysm]

we have merged in the sign implementation pr because it was a bit large, there are some areas to refactor as part of the cli, seeing what we can include for mvp

[james-prysm]

address validator db location for web3signer due to not having subfolder for type

the validator client creates a folder in the default folder location Users//Library/Eth2Validators/prysm-wallet-v2 based on key manager type ( example imported,local,direct type creates the direct folder) but since web3signer doesn't have a location it will use the root folder by default, just something to be aware of for the future.

[rauljordan]

Hi @james-prysm where are we on this tracking issue so far? You've made so much progress since then and I feel like we're very close to closing

[james-prysm]

@rauljordan this issue was jsut overall tracking of the web3signer feature including any items that were potentially not covered. a big thing is just tracking future items, for example, the inbuilt TLS support that was asked about as well as multiple signer support. I listed those things as things we don't cover at the moment but haven't had many users ask about this. I'd think it'd mostly be used by institutions though. Let me know if you have an opinion on whether we keep this issue arround for tracking or track it else where.

[james-prysm]

add changes regarding Consensys/web3signer#726 for Deneb hard fork
-ethereum/beacon-APIs#302 related pr

[bert2002]

Anyone planning to work on TLS support for web3signer ? 😄

[james-prysm]

Anyone planning to work on TLS support for web3signer ? 😄

@bert2002 i have a PR up but team is leaning towards just requiring a reverse proxy from the user side instead of implementing it as flags.

[bert2002]

Anyone planning to work on TLS support for web3signer ? 😄

@bert2002 i have a PR up but team is leaning towards just requiring a reverse proxy from the user side instead of implementing it as flags.

Mhmm I see the point, but it requires to run and maintain one more piece of software. Maybe even slow down the connection.

[james-prysm]

support deneb ethereum/remote-signing-api#2

[james-prysm]

blob signing removed from web3signer in #13169