verifying remote signing / web3signer

[franjoespejo]

Problem description

Lodestar already implements the w3signer standard https://chainsafe.github.io/lodestar/run/validator-management/external-signer

The standard assumes the w3s trusts the validator client, since there is no way for the w3s to verify the payload to be signed.

Solution description

The proposal to fix that is: ethereum/remote-signing-api#10

Nimbus has implemented this: https://nimbus.guide/web3signer.html#verifying-web3signer, it is specially useful for diva which distributes the w3s signatures.

[nflaig]

I am curious what's the expected / best UX for this, in the Nimbus docs it is noted that you have to set an extra flag

You can instruct Nimbus to use the verifying Web3Signer protocol by either supplying the --verifying-web3-signer command-line option

but I don't think this should be required as you could determine based on /api/v1/eth2/sign/{pubkey} if for that specific pubkey / remote signer proofs should be provided or not (based on block_properties).

I am wondering if it's useful to enforce to only send verified message via such a flag but on the other hand it's the w3s that needs to enforce it and reject requests without proofs.

[nflaig]

@franjoespejo something else to consider, the keymanager api allows to manage remote signer keys, should consider updating that as well