Add command to reduce security of web3signer keys

Author: yorickdowne

web3signer.yml

@@ -7,6 +7,23 @@ x-logging: &logging
       tag: '{{.ImageName}}|{{.Name}}|{{.ImageFullID}}|{{.FullID}}'
 
 services:
+  reduce-key-security:
+    restart: "no"
+    build:
+      context: ./web3signer
+      args:
+        - DOCKER_TAG=${W3S_DOCKER_TAG:-latest}
+        - DOCKER_REPO=${W3S_DOCKER_REPO:-consensys/web3signer}
+      dockerfile: Dockerfile.convert
+    image: w3s-converter:local
+    pull_policy: never
+    volumes:
+      - web3signer-keys:/var/lib/web3signer
+    environment:
+      - NETWORK=${NETWORK}
+    entrypoint:
+      - convert-keys.sh
+
   w3s-init:
     restart: "no"
     build:

web3signer/Dockerfile.convert

@@ -0,0 +1,30 @@
+# hadolint global ignore=DL3008
+FROM eclipse-temurin:21-jdk-noble AS builder
+
+ARG BUILD_TARGET=main
+ARG SRC_REPO=https://github.com/usmansaleem/v4keystore_converter
+ARG SRC_DIR=converter
+WORKDIR /usr/src
+
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates git
+
+RUN bash -eo pipefail <<'EOF'
+  git clone "$SRC_REPO" "$SRC_DIR"
+  cd "$SRC_DIR"
+  git config advice.detachedHead false
+  git fetch --all --tags
+  CLEANED=$(echo "$BUILD_TARGET" | sed 's/\$\$(/$(/g')
+  TARGET=$(eval echo "$CLEANED")
+  git checkout "$TARGET"
+  git submodule update --init --recursive --jobs $(nproc)
+  ./gradlew installDist
+EOF
+
+FROM eclipse-temurin:25-jre-noble
+
+COPY --from=builder /usr/src/converter/converter/build/install/converter/ /opt/converter/
+COPY ./convert-keys.sh /usr/local/bin/
+
+USER 10000:10000
+
+ENTRYPOINT ["/opt/converter/bin/converter"]

web3signer/convert-keys.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+base_dir=/var/lib/web3signer
+mkdir -p "${base_dir}"/converted-keys
+mkdir -p "${base_dir}"/keys-backup
+
+if ! find "${base_dir}"/keys -type f -name '*.password' -print -quit | grep -q .; then
+  echo "No key files found in ${base_dir}/keys. Aborting."
+  exit 0
+fi
+
+if [[ -d "${base_dir}"/converted-keys ]] && find "${base_dir}"/converted-keys -type f -name '*.json' -print -quit | grep -q .; then
+  echo "Keys have already been converted. Aborting."
+  exit 0
+fi
+
+if [[ "${NETWORK}" =~ ^(mainnet|gnosis)$ ]]; then
+  echo "Reducing key security on mainnet is not recommended. If you need to do so, please do so manually."
+  echo "Aborting"
+  exit 0
+fi
+
+while true; do
+  echo "This function will reduce the security of validator keys loaded into Web3signer."
+  echo "Web3signer startup time for thousands of keys will reduce to seconds."
+  read -rp "Are you sure you want to convert keystores to lower security? (No/yes) " yn
+  case "${yn}" in
+    [Yy][Ee][Ss]) break;;
+    *) echo "Aborting, no changes made"; exit 0;;
+  esac
+done
+
+cp -p "${base_dir}"/keys/* "${base_dir}"/keys-backup/
+
+for file in "${base_dir}"/keys-backup/*.password; do
+  [ -e "$file" ] || continue
+  cp -- "$file" "${file%.password}.txt"
+done
+
+/opt/converter/bin/converter --src="${base_dir}"/keys-backup --password-src="${base_dir}"/keys-backup --dest="${base_dir}"/converted-keys
+cp "${base_dir}"/converted-keys/*.json "${base_dir}"/keys/
+
+echo "Restart Web3signer to use the converted keys"