feat(signer): sign txs via KMS

[Thegaram]

Purpose or design rationale of this PR

Adds an AWSKMS transaction signer type for the rollup senders (gas_oracle_sender, commit_sender, finalize_sender) so signing keys can live in AWS KMS instead of being mounted as plaintext secrets.

• The service only sends the 32-byte transaction hash to KMS and assembles the Ethereum [R‖S‖V] signature locally (DER decode, EIP-2 low-s normalization, recovery-id derivation via address match), which, unlike the existing web3signer RemoteSigner path, works for every transaction type including EIP-4844 blob transactions, so it covers commit_sender.
• A new aws_kms_signer_config block (key_id, optional region, required signer_address) selects the signer; the configured address is validated at startup against the address derived from the KMS public key (GetPublicKey), AWS credentials resolve via the standard SDK chain (IRSA/instance role/env), and the cached LatestSignerForChainID makes it correct for both L1 (Ethereum) and L2 (Scroll).
• Includes hardened DER/SPKI parsing (OID, bit-length, trailing-byte, and (r,s)∈[1,N-1] range checks), IsHexAddress validation, context propagation into NewTransactionSigner, unit tests covering legacy/dynamic-fee/blob signing plus malformed-input cases, and a README documenting configuration, IAM scoping, and key provisioning (generate-in-HSM vs. import).

Summary by CodeRabbit

Release Notes

• New Features

  • Added AWS Key Management Service (KMS) support for transaction signing, enabling users to leverage AWS infrastructure for secure key management

• Documentation

  • Added comprehensive AWS KMS configuration and setup guide

• Chores

  • Version updated to v4.7.14

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 06032e50-49e1-44df-aaff-a0c8e45bd887

📥 Commits

Reviewing files that changed from the base of the PR and between 1904f82 and 3a22fc9.

⛔ Files ignored due to path filters (1)

• rollup/go.sum is excluded by !**/*.sum

📒 Files selected for processing (10)

• common/version/version.go
• rollup/go.mod
• rollup/internal/config/relayer.go
• rollup/internal/controller/relayer/l2_relayer.go
• rollup/internal/controller/sender/README.md
• rollup/internal/controller/sender/kms_signer.go
• rollup/internal/controller/sender/kms_signer_test.go
• rollup/internal/controller/sender/sender.go
• rollup/internal/controller/sender/transaction_signer.go
• rollup/internal/controller/sender/transaction_signer_test.go

---

📝 Walkthrough

Walkthrough

Adds AWS KMS-backed ECDSA secp256k1 transaction signing to the rollup sender. A new AWSKMSSignerConfig struct is introduced in config, a kmsSigner implementation handles DER signature parsing, EIP-2 low-s normalization, and v-recovery against the derived address, and TransactionSigner is extended with a new AWSKMSSignerType branch. The l2_relayer address resolver is updated accordingly. The version tag is bumped to v4.7.14.

Changes

AWS KMS Signer Integration

Layer / File(s)	Summary
AWSKMSSignerConfig contract and dependency rollup/go.mod, rollup/internal/config/relayer.go	Adds AWSKMSSignerConfig struct (KeyID, optional Region, required SignerAddress) and extends SignerConfig with the new field; adds the aws-sdk-go-v2/service/kms module dependency.
KMS signer core implementation rollup/internal/controller/sender/kms_signer.go	Implements kmsAPI interface, kmsSigner struct, ASN.1/SPKI public key parsing with OID validation, constructor with fast-fail address verification, and sign with EIP-2 low-s enforcement and v-recovery by address matching.
TransactionSigner wiring for AWSKMS rollup/internal/controller/sender/transaction_signer.go, rollup/internal/controller/sender/sender.go	Extends TransactionSigner struct with kmsSigner/kmsTxSigner fields, updates NewTransactionSigner to accept context.Context and instantiate the KMS signer, adds AWSKMSSignerType signing branch in SignTransaction, and updates the sender.go call site.
l2_relayer address resolution for AWSKMS rollup/internal/controller/relayer/l2_relayer.go	Adds AWSKMSSignerType branch in addrFromSignerConfig to validate and convert SignerAddress to common.Address.
KMS signer and TransactionSigner tests rollup/internal/controller/sender/kms_signer_test.go, rollup/internal/controller/sender/transaction_signer_test.go	Adds fakeKMS/rawKMS stubs and tests covering address validation, all tx types (legacy, dynamic fee, blob, high-s normalization), malformed SPKI/DER inputs, invalid signer address, and updates existing tests for the new context parameter.
AWSKMS sender documentation rollup/internal/controller/sender/README.md	Adds signer type matrix, AWSKMS config fields, AWS credential and IAM guidance, key provisioning options, and key rotation procedure.

Version Bump

Layer / File(s)	Summary
Version tag update common/version/version.go	Updates tag from v4.7.13 to v4.7.14.

Sequence Diagram(s)

sequenceDiagram
  participant NewSender
  participant NewTransactionSigner
  participant newKMSSigner
  participant kmsAPI
  participant SignTransaction

  NewSender->>NewTransactionSigner: ctx, signerConfig(AWSKMS), chainID
  NewTransactionSigner->>newKMSSigner: ctx, AWSKMSSignerConfig
  newKMSSigner->>kmsAPI: GetPublicKey(KeyID)
  kmsAPI-->>newKMSSigner: DER SPKI public key bytes
  newKMSSigner->>newKMSSigner: parse secp256k1 pubkey, derive address
  newKMSSigner->>newKMSSigner: validate == SignerAddress
  newKMSSigner-->>NewTransactionSigner: kmsSigner
  NewTransactionSigner-->>NewSender: TransactionSigner{kmsSigner, kmsTxSigner}

  Note over SignTransaction: At signing time
  SignTransaction->>SignTransaction: hash = kmsTxSigner.Hash(tx)
  SignTransaction->>newKMSSigner: sign(hash)
  newKMSSigner->>kmsAPI: Sign(KeyID, hash, EcdsaSha256)
  kmsAPI-->>newKMSSigner: DER(r, s)
  newKMSSigner->>newKMSSigner: low-s normalization, recover v
  newKMSSigner-->>SignTransaction: [R||S||V]
  SignTransaction->>SignTransaction: tx.WithSignature(kmsTxSigner, sig)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• scroll-tech/scroll#1548: Also bumps the tag variable in common/version/version.go to a new release value.
• scroll-tech/scroll#1614: Updates the same common/version/version.go tag constant in the same file.
• scroll-tech/scroll#1603: Changes the same common/version/version.go tag constant alongside other rollup adjustments.

Suggested labels

bump-version

Suggested reviewers

• omerfirmak
• georgehao
• jonastheis

🐰 A key lives in the cloud, not in a file,
KMS keeps the secret safe all the while.
Low-s enforced, v recovered with care,
Blob tx signed with secp256k1 flair!
Hoppy hops for v4.7.14 — we're there! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 21.43% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(signer): sign txs via KMS' follows conventional commits format and clearly describes the main feature addition of AWS KMS-based transaction signing.
Description check	✅ Passed	The PR description comprehensively covers purpose, design rationale, and implementation details; includes necessary version/breaking-change template sections (checked implicitly through the description context).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat-signer-kms-auth

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

❌ Patch coverage is 55.71429% with 62 lines in your changes missing coverage. Please review.
✅ Project coverage is 35.43%. Comparing base (1904f82) to head (3a22fc9).

Files with missing lines	Patch %	Lines
rollup/internal/controller/sender/kms_signer.go	66.03%	27 Missing and 9 partials ⚠️
...p/internal/controller/sender/transaction_signer.go	28.00%	16 Missing and 2 partials ⚠️
rollup/internal/controller/relayer/l2_relayer.go	0.00%	8 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #1808      +/-   ##
===========================================
+ Coverage    35.31%   35.43%   +0.12%     
===========================================
  Files          260      261       +1     
  Lines        22426    22564     +138     
===========================================
+ Hits          7920     7996      +76     
- Misses       13677    13728      +51     
- Partials       829      840      +11     

Flag	Coverage Δ
rollup	35.48% <55.71%> (+0.37%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.