feat(composer)! avoid holding private key in env var

Cargo.toml

@@ -55,7 +55,9 @@ bytes = "1"
 celestia-tendermint = "0.32.1"
 celestia-types = "0.1.1"
 clap = "4"
-ed25519-consensus = "2.1.0"
+ed25519-consensus = { version = "2.1.0", default-features = false, features = [
+  "std",
+] }
 ethers = "2.0.11"
 futures = "0.3"
 hex = "0.4"

crates/astria-cli/src/commands/sequencer.rs

@@ -1,4 +1,5 @@
 use astria_core::{
+    crypto::SigningKey,
     primitive::v1::asset,
     protocol::transaction::v1alpha1::{
         action::{
@@ -31,10 +32,7 @@ use color_eyre::{
         Context,
     },
 };
-use ed25519_consensus::{
-    SigningKey,
-    VerificationKeyBytes,
-};
+use ed25519_consensus::VerificationKeyBytes;
 use rand::rngs::OsRng;
 
 use crate::cli::sequencer::{

crates/astria-composer/src/executor/builder.rs

@@ -5,17 +5,15 @@ use std::{
 };
 
 use astria_core::{
+    crypto::SigningKey,
     primitive::v1::Address,
     protocol::transaction::v1alpha1::action::SequenceAction,
 };
-use astria_eyre::{
+use astria_eyre::eyre::{
+    self,
     eyre,
-    eyre::{
-        eyre,
-        WrapErr as _,
-    },
+    WrapErr as _,
 };
-use ed25519_consensus::SigningKey;
 use tokio::sync::watch;
 use tokio_util::sync::CancellationToken;
 

crates/astria-composer/src/executor/mod.rs

@@ -10,21 +10,23 @@ use std::{
     time::Duration,
 };
 
-use astria_core::protocol::{
-    abci::AbciErrorCode,
-    transaction::v1alpha1::{
-        action::SequenceAction,
-        SignedTransaction,
-        TransactionParams,
-        UnsignedTransaction,
+use astria_core::{
+    crypto::SigningKey,
+    protocol::{
+        abci::AbciErrorCode,
+        transaction::v1alpha1::{
+            action::SequenceAction,
+            SignedTransaction,
+            TransactionParams,
+            UnsignedTransaction,
+        },
     },
 };
 use astria_eyre::eyre::{
     self,
     eyre,
     WrapErr as _,
 };
-use ed25519_consensus::SigningKey;
 use futures::{
     future::{
         self,

crates/astria-conductor/src/celestia/block_verifier.rs

@@ -268,7 +268,7 @@ mod test {
     ) -> (validators::Response, account::Id, Commit) {
         use rand::rngs::OsRng;
 
-        let signing_key = ed25519_consensus::SigningKey::new(OsRng);
+        let signing_key = astria_core::crypto::SigningKey::new(OsRng);
         let pub_key = tendermint::public_key::PublicKey::from_raw_ed25519(
             signing_key.verification_key().as_ref(),
         )

crates/astria-conductor/tests/blackbox/helpers/mod.rs

@@ -510,12 +510,12 @@ pub fn make_blobs(heights: &[u32]) -> Blobs {
     }
 }
 
-fn signing_key() -> ed25519_consensus::SigningKey {
+fn signing_key() -> astria_core::crypto::SigningKey {
     use rand_chacha::{
         rand_core::SeedableRng as _,
         ChaChaRng,
     };
-    ed25519_consensus::SigningKey::new(ChaChaRng::seed_from_u64(0))
+    astria_core::crypto::SigningKey::new(ChaChaRng::seed_from_u64(0))
 }
 
 fn validator() -> tendermint::validator::Info {

crates/astria-core/Cargo.toml

@@ -31,7 +31,7 @@ pbjson-types = { workspace = true }
 penumbra-ibc = { workspace = true }
 penumbra-proto = { workspace = true }
 prost = { workspace = true }
-rand = { workspace = true, optional = true }
+rand = { workspace = true }
 serde = { workspace = true, features = ["derive"], optional = true }
 sha2 = { workspace = true }
 tendermint = { workspace = true }
@@ -41,13 +41,14 @@ tonic = { workspace = true, optional = true }
 tracing = { workspace = true }
 base64-serde = { workspace = true, optional = true }
 base64 = { workspace = true }
+zeroize = { version = "1.7.0", features = ["zeroize_derive"] }
 
 [features]
 celestia = ["dep:celestia-types"]
 client = ["dep:tonic"]
 serde = ["dep:serde", "dep:pbjson", "dep:base64-serde"]
 server = ["dep:tonic"]
-test-utils = ["dep:rand"]
+test-utils = []
 base64-serde = ["dep:base64-serde"]
 brotli = ["dep:brotli"]
 

crates/astria-core/src/crypto.rs

@@ -0,0 +1,83 @@
+use std::fmt::{
+    self,
+    Debug,
+    Formatter,
+};
+
+use ed25519_consensus::{
+    Signature,
+    SigningKey as Ed25519SigningKey,
+    VerificationKey,
+    // VerificationKeyBytes,
+};
+use rand::{
+    CryptoRng,
+    RngCore,
+};
+use zeroize::{
+    Zeroize,
+    ZeroizeOnDrop,
+};
+
+#[derive(Clone, Zeroize, ZeroizeOnDrop)]
+pub struct SigningKey(Ed25519SigningKey);
+
+impl SigningKey {
+    /// Generates a new signing key.
+    pub fn new<R: RngCore + CryptoRng>(rng: R) -> Self {
+        Self(Ed25519SigningKey::new(rng))
+    }
+
+    /// Creates a signature on `msg` using this key.
+    #[must_use]
+    pub fn sign(&self, msg: &[u8]) -> Signature {
+        self.0.sign(msg)
+    }
+
+    /// Returns the byte encoding of the signing key.
+    #[must_use]
+    pub fn to_bytes(&self) -> [u8; 32] {
+        self.0.to_bytes()
+    }
+
+    /// Returns the byte encoding of the signing key.
+    #[must_use]
+    pub fn as_bytes(&self) -> &[u8; 32] {
+        self.0.as_bytes()
+    }
+
+    /// Returns the verification key associated with this signing key.
+    #[must_use]
+    pub fn verification_key(&self) -> VerificationKey {
+        self.0.verification_key()
+    }
+}
+
+impl Debug for SigningKey {
+    fn fmt(&self, formatter: &mut Formatter) -> fmt::Result {
+        formatter
+            .debug_struct("SigningKey")
+            .field("verification_key", &self.0.verification_key())
+            .finish_non_exhaustive() // avoids printing secret fields
+    }
+}
+
+impl<'a> From<&'a SigningKey> for VerificationKey {
+    fn from(signing_key: &'a SigningKey) -> VerificationKey {
+        signing_key.verification_key()
+    }
+}
+
+impl TryFrom<&[u8]> for SigningKey {
+    type Error = ed25519_consensus::Error;
+
+    fn try_from(slice: &[u8]) -> Result<Self, Self::Error> {
+        Ok(Self(Ed25519SigningKey::try_from(slice)?))
+    }
+}
+
+impl From<[u8; 32]> for SigningKey {
+    fn from(seed: [u8; 32]) -> Self {
+        Self(Ed25519SigningKey::from(seed))
+    }
+}

crates/astria-core/src/lib.rs

@@ -6,6 +6,7 @@ compile_error!(
 #[rustfmt::skip]
 pub mod generated;
 
+pub mod crypto;
 pub mod execution;
 pub mod primitive;
 pub mod protocol;

crates/astria-core/src/protocol/test_utils.rs

@@ -13,6 +13,7 @@ use super::{
     },
 };
 use crate::{
+    crypto::SigningKey,
     primitive::v1::{
         asset::default_native_asset_id,
         derive_merkle_tree_from_rollup_txs,
@@ -49,7 +50,7 @@ pub struct ConfigureSequencerBlock {
     pub chain_id: Option<String>,
     pub height: u32,
     pub proposer_address: Option<tendermint::account::Id>,
-    pub signing_key: Option<ed25519_consensus::SigningKey>,
+    pub signing_key: Option<SigningKey>,
     pub sequence_data: Vec<(RollupId, Vec<u8>)>,
     pub deposits: Vec<Deposit>,
     pub unix_timestamp: UnixTimeStamp,
@@ -81,8 +82,7 @@ impl ConfigureSequencerBlock {
         let block_hash = block_hash.unwrap_or_default();
         let chain_id = chain_id.unwrap_or_else(|| "test".to_string());
 
-        let signing_key =
-            signing_key.unwrap_or_else(|| ed25519_consensus::SigningKey::new(rand::rngs::OsRng));
+        let signing_key = signing_key.unwrap_or_else(|| SigningKey::new(rand::rngs::OsRng));
 
         let proposer_address = proposer_address.unwrap_or_else(|| {
             let public_key: tendermint::crypto::ed25519::VerificationKey =

crates/astria-core/src/protocol/transaction/v1alpha1/mod.rs

@@ -1,6 +1,5 @@
 use ed25519_consensus::{
     Signature,
-    SigningKey,
     VerificationKey,
 };
 use prost::{
@@ -9,6 +8,7 @@ use prost::{
 };
 
 use super::raw;
+use crate::crypto::SigningKey;
 
 pub mod action;
 pub use action::Action;

crates/astria-sequencer-client/src/tests/http.rs

@@ -1,4 +1,5 @@
 use astria_core::{
+    crypto::SigningKey,
     primitive::v1::{
         asset::default_native_asset_id,
         Address,
@@ -10,7 +11,6 @@ use astria_core::{
         UnsignedTransaction,
     },
 };
-use ed25519_consensus::SigningKey;
 use hex_literal::hex;
 use serde_json::json;
 use tendermint::{

crates/astria-sequencer-relayer/Cargo.toml

@@ -20,7 +20,6 @@ http = "0.2.9"
 k256 = "0.13.3"
 pin-project-lite = "0.2"
 serde_path_to_error = "0.1.13"
-zeroize = { version = "1.6.0", features = ["zeroize_derive"] }
 
 axum = { workspace = true }
 base64 = { workspace = true }

crates/astria-sequencer-relayer/src/validator.rs

@@ -1,36 +1,34 @@
 use std::path::Path;
 
+use astria_core::crypto::SigningKey;
 use astria_eyre::eyre::{
     self,
     bail,
     WrapErr as _,
 };
-use ed25519_consensus::{
-    SigningKey,
-    VerificationKey,
-};
+use ed25519_consensus::VerificationKey;
 use tendermint::account;
 use tendermint_config::PrivValidatorKey;
 use tracing::instrument;
-use zeroize::{
-    Zeroize,
-    ZeroizeOnDrop,
-};
 
 /// `Validator` holds the ed25519 keys to sign and verify tendermint
 /// messages. It also contains its address (`AccountId`) in the tendermint network.
-#[derive(Clone, Debug, Zeroize, ZeroizeOnDrop)]
+#[derive(Clone, Debug)]
 pub(crate) struct Validator {
     /// The tendermint validator account address; defined as
     /// Sha256(verification_key)[..20].
-    #[zeroize(skip)]
     pub(crate) address: account::Id,
 
     /// The ed25519 signing key of this validator.
+    // allow: this entire struct is due to get removed as part of
+    // https://github.com/astriaorg/astria/issues/1010
+    #[allow(dead_code)]
     pub(crate) signing_key: SigningKey,
 
-    #[zeroize(skip)]
     /// The ed25519 verification key of this validator.
+    // allow: this entire struct is due to get removed as part of
+    // https://github.com/astriaorg/astria/issues/1010
+    #[allow(dead_code)]
     pub(crate) verification_key: VerificationKey,
 }
 
@@ -55,7 +53,7 @@ impl Validator {
         let Some(tendermint_signing_key) = priv_key.ed25519_signing_key().cloned() else {
             bail!("deserialized private key was not ed25519");
         };
-        let signing_key = tendermint_signing_key.try_into().wrap_err(
+        let signing_key = tendermint_signing_key.as_bytes().try_into().wrap_err(
             "failed constructing ed25519 signing key from deserialized tendermint private key",
         )?;
         let Some(tendermint_verification_key) = pub_key.ed25519() else {

crates/astria-sequencer-relayer/tests/blackbox/helpers/test_sequencer_relayer.rs

@@ -13,14 +13,16 @@ use std::{
 };
 
 use assert_json_diff::assert_json_include;
-use astria_core::primitive::v1::RollupId;
+use astria_core::{
+    crypto::SigningKey,
+    primitive::v1::RollupId,
+};
 use astria_grpc_mock::MockGuard as GrpcMockGuard;
 use astria_sequencer_relayer::{
     config::Config,
     SequencerRelayer,
     ShutdownHandle,
 };
-use ed25519_consensus::SigningKey;
 use futures::TryFutureExt;
 use itertools::Itertools;
 use once_cell::sync::Lazy;
@@ -637,6 +639,7 @@ impl TestSequencerRelayerConfig {
             .ed25519_signing_key()
             .cloned()
             .unwrap()
+            .as_bytes()
             .try_into()
             .unwrap();