gcp

package
v1.1.0-rc.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 31, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

README

GCP KMS Signer

This package implements signer.Signer using Google Cloud KMS.

It uses KMS for AsymmetricSign operations and caches the public key/address in memory after initialization.

Requirements

  • Google Cloud credentials must be available via Application Default Credentials (ADC), or kms.gcp.credentials_file must be set.
  • The configured KMS key version must be an asymmetric Ed25519 key version.

Configuration

Set evnode.signer.signer_type to kms, set evnode.signer.kms.provider to gcp, and provide at least evnode.signer.kms.gcp.key_name.

Example:

signer:
  signer_type: kms
  kms:
    provider: gcp
    gcp:
      key_name: projects/my-project/locations/global/keyRings/ev-node/cryptoKeys/signer/cryptoKeyVersions/1
      credentials_file: /path/to/service-account.json
      timeout: 10s
      max_retries: 3

Notes

  • kms.gcp.timeout is the timeout per KMS Sign request.
  • kms.gcp.max_retries controls retries for transient KMS/API/network failures.

Documentation

Overview

Package gcp implements a signer.Signer backed by Google Cloud KMS. It delegates signing to a remote KMS key and caches the public key locally.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type KMSClient 

type KMSClient interface {
	AsymmetricSign(ctx context.Context, req *kmspb.AsymmetricSignRequest) (*kmspb.AsymmetricSignResponse, error)
	GetPublicKey(ctx context.Context, req *kmspb.GetPublicKeyRequest) (*kmspb.PublicKey, error)
}

KMSClient is the subset of the Google Cloud KMS client API that KmsSigner needs. This allows mocking in tests.

type KmsSigner 

type KmsSigner struct {
	// contains filtered or unexported fields
}

KmsSigner implements the signer.Signer interface using Google Cloud KMS.

func NewKmsSigner 

func NewKmsSigner(ctx context.Context, keyName string, opts *Options) (*KmsSigner, error)

NewKmsSigner creates a new Signer backed by a Google Cloud KMS Ed25519 key version. It uses Application Default Credentials unless opts.CredentialsFile is provided.

func (*KmsSigner) GetAddress 

func (s *KmsSigner) GetAddress() ([]byte, error)

GetAddress returns the cached address derived from the public key.

func (*KmsSigner) GetPublic 

func (s *KmsSigner) GetPublic() (crypto.PubKey, error)

GetPublic returns the cached public key.

func (*KmsSigner) Sign 

func (s *KmsSigner) Sign(ctx context.Context, message []byte) ([]byte, error)

Sign signs a message using the remote KMS key with configurable timeout and retry with exponential backoff.

type Options 

type Options struct {
	// CredentialsFile is an optional path to a Google credentials JSON file.
	// If empty, Application Default Credentials are used.
	CredentialsFile string
	// Timeout for individual KMS Sign API calls. Default: 1s.
	Timeout time.Duration
	// MaxRetries for transient KMS failures during Sign. Default: 3.
	MaxRetries int
}

Options configures optional KmsSigner behavior.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.