gcp

package v1.1.0-rc.1 (not the latest version of its module)
Published: Mar 31, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

README

GCP KMS Signer

This package implements signer.Signer using Google Cloud KMS.

The private key never leaves KMS: every Sign call is a remote AsymmetricSign request, while the public key and the address derived from it are fetched once at initialization and cached in memory.

Requirements

  • Google Cloud credentials must be available via Application Default Credentials (ADC), or kms.gcp.credentials_file must be set.
  • The configured KMS key version must be an asymmetric Ed25519 key version (key purpose ASYMMETRIC_SIGN, algorithm EC_SIGN_ED25519).
  • The identity behind those credentials needs only cloudkms.cryptoKeyVersions.viewPublicKey (public key fetched at startup) and cloudkms.cryptoKeyVersions.useToSign (Sign). roles/cloudkms.signer on the key or its key ring grants exactly that; avoid broader KMS admin roles on the signing key.

Configuration

Set evnode.signer.signer_type to kms, set evnode.signer.kms.provider to gcp, and provide at least evnode.signer.kms.gcp.key_name, the full resource name of a key version (projects/.../cryptoKeyVersions/N), not of the cryptoKey. Pinning the version means a rotation in KMS does not silently change the key this node signs with; switching versions is an explicit configuration change.

Example:

signer:
  signer_type: kms
  kms:
    provider: gcp
    gcp:
      key_name: projects/my-project/locations/global/keyRings/ev-node/cryptoKeys/signer/cryptoKeyVersions/1
      credentials_file: /path/to/service-account.json
      timeout: 10s
      max_retries: 3

Notes

  • kms.gcp.timeout is the timeout per KMS Sign request (Options.Timeout; defaults to 1s when unset).
  • kms.gcp.max_retries controls retries with exponential backoff for transient KMS/API/network failures (Options.MaxRetries; defaults to 3). A single Sign call can therefore block for up to (max_retries + 1) × timeout plus the backoff delays before it fails, so size both values against the deadline of whatever calls Sign.

Documentation

Overview

Package gcp implements a signer.Signer backed by Google Cloud KMS. It delegates signing to a remote KMS key and caches the public key locally.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type KMSClient

type KMSClient interface {
	AsymmetricSign(ctx context.Context, req *kmspb.AsymmetricSignRequest) (*kmspb.AsymmetricSignResponse, error)
	GetPublicKey(ctx context.Context, req *kmspb.GetPublicKeyRequest) (*kmspb.PublicKey, error)
}

KMSClient is the subset of the Google Cloud KMS client API that KmsSigner needs. This allows mocking in tests.

type KmsSigner

type KmsSigner struct {
	// contains filtered or unexported fields
}

KmsSigner implements the signer.Signer interface using Google Cloud KMS.

func NewKmsSigner

func NewKmsSigner(ctx context.Context, keyName string, opts *Options) (*KmsSigner, error)

NewKmsSigner creates a new Signer backed by a Google Cloud KMS Ed25519 key version. It uses Application Default Credentials unless opts.CredentialsFile is provided.

func (*KmsSigner) GetAddress

func (s *KmsSigner) GetAddress() ([]byte, error)

GetAddress returns the cached address derived from the public key.

func (*KmsSigner) GetPublic

func (s *KmsSigner) GetPublic() (crypto.PubKey, error)

GetPublic returns the cached public key.

func (*KmsSigner) Sign

func (s *KmsSigner) Sign(ctx context.Context, message []byte) ([]byte, error)

Sign signs a message using the remote KMS key. Each attempt runs under Options.Timeout; attempts that fail with a transient error are retried up to Options.MaxRetries times with exponential backoff, and non-transient errors are not retried.

type Options

type Options struct {
	// CredentialsFile is an optional path to a Google credentials JSON file.
	// If empty, Application Default Credentials are used.
	CredentialsFile string
	// Timeout for individual KMS Sign API calls. Default: 1s.
	Timeout time.Duration
	// MaxRetries for transient KMS failures during Sign. Default: 3.
	MaxRetries int
}

Options configures optional KmsSigner behavior.
