feat: init gnokms tool with gnokey backend

contribs/gnodev/pkg/dev/node.go

@@ -661,12 +661,12 @@ func (n *Node) genesisTxResultHandler(ctx sdk.Context, tx std.Tx, res sdk.Result
 
 func newNodeConfig(tmc *tmcfg.Config, chainid, chaindomain string, appstate gnoland.GnoGenesisState) *gnoland.InMemoryNodeConfig {
 	// Create Mocked Identity
-	pv := gnoland.NewMockedPrivValidator()
+	pv := bft.NewMockPV()
 	genesis := gnoland.NewDefaultGenesisConfig(chainid, chaindomain)
 	genesis.AppState = appstate
 
 	// Add self as validator
-	self := pv.GetPubKey()
+	self, _ := pv.PubKey()
 	genesis.Validators = []bft.GenesisValidator{
 		{
 			Address: self.Address(),

contribs/gnokms/Makefile

@@ -0,0 +1,18 @@
+rundep := go run -modfile ../../misc/devdeps/go.mod
+golangci_lint := $(rundep) github.com/golangci/golangci-lint/cmd/golangci-lint
+
+
+.PHONY: install
+install:
+	go install .
+
+.PHONY: build
+build:
+	go build -o build/gnokms .
+
+lint:
+	$(golangci_lint) --config ../../.github/golangci.yml run ./...
+
+test:
+	go test $(GOTEST_FLAGS) -v ./...
+

contribs/gnokms/README.md

@@ -0,0 +1,115 @@
+# gnokms
+
+`gnokms` is a simple Key Management System (KMS) designed to securely manage signing keys for [gnoland](../../gno.land/cmd/gnoland) (TM2) validator nodes. Rather than storing a key in plain text on disk, a validator can run a `gnokms` server in a separate process or on a separate machine, delegating the responsibility of securely storing the signing key and using it for remote signing.
+
+`gnokms` also aims to provide several backends, including a local [gnokey](../../gno.land/cmd/gnokey) instance, a remote HSM, or a cloud-based KMS service.
+
+Both TCP and Unix domain socket connections are supported for communication between the validator and the `gnokms` server. TCP connections are encrypted and can be mutually authenticated using Ed25519 keypairs and an authorized keys whitelist on both sides.
+
+### Flowchart
+
+```text
+                                                            ┌─────────────────────┐
+                                                            │                     │
+                                              ┌─────────────┤ Cloud-based backend │
+                                              │             │                     │
+                                              │             └─────────────────────┘
+                                              │
+                                              │
+                                              │
+┌───────────────────┐                 ┌───────┴───────┐     ┌─────────────────────┐
+│                   │                 │               │     │                     │
+│ gnoland validator │◄─── UDS/TCP ───►│ gnokms server ├─────┤    gnokey backend   │
+│                   │                 │               │     │                     │
+└───────────────────┘                 └───────┬───────┘     └─────────────────────┘
+                                              │
+                                              │
+                                              │
+                                              │             ┌─────────────────────┐
+                                              │             │                     │
+                                              └─────────────┤     HSM backend     │
+                                                            │                     │
+                                                            └─────────────────────┘
+```
+
+## Getting Started
+
+### Using `gnokms` with a gnoland validator
+
+**Note:** The only supported backend for now is [gnokey](../../gno.land/cmd/gnokey), so the following instructions will use it.
+
+1. Generate a signing key using [gnokey](../../gno.land/cmd/gnokey) if you do not already have one.
+2. Start a `gnokms` server with the [gnokey](../../gno.land/cmd/gnokey) backend using:
+
+```shell
+$ gnokms gnokey '<key_name>' -listeners '<listen_address>'`
+# <key_name> is the name of the key generated in step 1.
+# <listen_address> is the address on which the server should listen (e.g., 'tcp://127.0.0.1:26659' or 'unix:///tmp/gnokms.sock').
+```
+
+3. Set the `gnokms` server address in the gnoland validator config using:
+
+```shell
+$ gnoland config set priv_validator.remote_signer.server_address '<gnokms_server_address>'
+Updated configuration saved at gnoland-data/config/config.toml
+```
+
+### Genesis
+
+When launching the `gnokms` server (e.g. step 2 from the previous section), it should display JSON containing validator information that is compatible with a genesis file. Example:
+
+```shell
+$ gnokms gnokey test1
+Enter password to decrypt the key
+2025-02-21T14:57:54.636+0100 INFO  Genesis validator info:
+{
+  "address": "g1jg8mtutu9khhfwc4nxmuhcpftf0pajdhfvsqf5",
+  "pub_key": {
+    "@type": "/tm.PubKeySecp256k1",
+    "value": "A+FhNtsXHjLfSJk1lB8FbiL4mGPjc50Kt81J7EKDnJ2y"
+  },
+  "power": "10",
+  "name": "gnokms_remote_signer"
+}
+```
+
+If you need to manually edit a genesis file to include these infos, you can copy and paste them and potentially modify the default power and name.
+
+### Mutual TCP Authentication
+
+In the case of a TCP connection, the connection is encrypted. It can also be mutually authenticated to ensure an additional level of security (recommended outside of a testing or development context).
+
+1. Generate a random keypair and an empty whitelist on the server side using:
+
+```shell
+$ gnokms auth generate
+Generated auth keys file at path: "/Users/aeddi/Library/Application Support/gnokms/auth_keys.json"
+```
+
+2. Note the public key of the `gnokms` server displayed by the command:
+
+```
+$ gnokms auth identity
+Server public key: "<gnokms_public_key>"
+```
+
+3. On the client side, add the `gnokms` server’s key to the validator’s whitelist using:
+
+```shell
+$ gnoland config set priv_validator.remote_signer.tcp_authorized_keys '<gnokms_public_key>'
+Updated configuration saved at gnoland-data/config/config.toml
+```
+
+4. Note the validator’s public key displayed by the command:
+
+```shell
+$ gnoland secrets get node_id.pub_key
+"<validator_public_key>"
+```
+
+5. On the server side, add the node’s key to the `gnokms` server whitelist using:
+
+```shell
+$ gnokms auth authorized add '<validator_public_key>'
+Public key "<validator_public_key>" added to the authorized keys list.
+```

contribs/gnokms/go.mod

@@ -0,0 +1,42 @@
+module github.com/gnolang/gno/contribs/gnokms
+
+go 1.23.6
+
+replace github.com/gnolang/gno => ../..
+
+require (
+	github.com/gnolang/gno v0.0.0-00010101000000-000000000000
+	github.com/google/uuid v1.6.0
+	github.com/stretchr/testify v1.10.0
+	go.uber.org/zap v1.27.0
+)
+
+require (
+	github.com/btcsuite/btcd/btcec/v2 v2.3.4 // indirect
+	github.com/btcsuite/btcd/btcutil v1.1.6 // indirect
+	github.com/cosmos/ledger-cosmos-go v0.14.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/libp2p/go-buffer-pool v0.1.0 // indirect
+	github.com/peterbourgon/ff/v3 v3.4.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/zondax/hid v0.9.2 // indirect
+	github.com/zondax/ledger-go v0.14.3 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap/exp v0.3.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect
+	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/term v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
+	google.golang.org/grpc v1.69.4 // indirect
+	google.golang.org/protobuf v1.36.3 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)