feat: AWS KMS Signer

[d4mr]

PR-Codex overview

This PR adds AWS KMS integration for secure key management, including configuration setup, account creation, and signing operations.

Detailed summary

• Added AWS KMS signer library for secure key management
• Updated package dependencies for AWS SDK and vitest
• Implemented AWS KMS configuration setup and account creation
• Added tests for AWS KMS integration with sign, verify, and transaction functions

The following files were skipped due to too many changes: pnpm-lock.yaml

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
docs-v2	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Aug 28, 2024 6:12pm
thirdweb_playground	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Aug 28, 2024 6:12pm
thirdweb-www	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Aug 28, 2024 6:12pm
wallet-ui	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Aug 28, 2024 6:12pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6be76fb

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[graphite-app]

Your org requires the Graphite merge queue for merging into main

Add the label “merge-queue” to the PR and Graphite will automatically add it to the merge queue when it’s ready to merge. Or use the label “hotfix” to add to the merge queue as a hot fix.

You must have a Graphite account and log in to Graphite in order to use the merge queue. Sign up using this link.

[socket-security]

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@aws-sdk/[email protected]	Transitive: environment, filesystem, network, shell	+73	5.78 MB	aws-sdk-bot
npm/[email protected]	Transitive: environment, filesystem	+20	4.47 MB	odanado

View full report↗︎

[d4mr]

because we don't polyfill Buffer, and we don't expect folks to use AWS KMS on browsers, I have explicitly safeguarded against browser usage

[github-actions]

size-limit report 📦

Path	Size	Loading time (3g)	Running time (snapdragon)	Total time
thirdweb (esm)	43.25 KB (0%)	865 ms (0%)	3.3 s (+1.16% 🔺)	4.2 s
thirdweb (cjs)	92.43 KB (0%)	1.9 s (0%)	8.2 s (+10.72% 🔺)	10.1 s
thirdweb (minimal + tree-shaking)	4.81 KB (0%)	97 ms (0%)	381 ms (+15.39% 🔺)	477 ms
thirdweb/chains (tree-shaking)	492 B (0%)	10 ms (0%)	97 ms (+5.19% 🔺)	107 ms
thirdweb/react (minimal + tree-shaking)	16.06 KB (0%)	322 ms (0%)	724 ms (+97.16% 🔺)	1.1 s

[gregfromstl]

Why viem?

[d4mr]

just used private-key.ts as reference, is there a different import I should do?

[gregfromstl]

What's this prefix?

[d4mr]

This is the required prefix for eth_sign & personal_sign according to spec (EIP191): ethereum/go-ethereum#3731 (comment)
https://docs.walletconnect.com/advanced/multichain/rpc-reference/ethereum-rpc#personal_sign
(sorry for the poor sources, can't find good ones after eth migrated their wikis)

Although this raises another question:
SignableMessage can be string or { raw: Hex | ByteArray }. If a raw SignableMessage is passed along, I am not adding a prefix, because the expectation is that its already processed.

This is based on a large assumption I made around the interface. I am not certain this is the expectation from the interface. What do you think?

(to be clear, signing a message requires this prefix. If you sign without this prefix and try to verifyMessage it will fail)

[gregfromstl]

So this will always hit a live KMS account? And is there any way to keep that address constant?

[d4mr]

Same KMS keyId would get you the same address. One way to enforce this on a test would be to also expose TEST_AWS_KMS_EXPECTED_ADDRESS and verify it matches.