Signer auth

[852Kerfunkle]

Would be nice if signers started with --require-authentication were supported.

Presumably (but I haven't really looked at the details) one would need to add an auth private key (preferably referencing a file, so it can be generated service-side and only the pubkey exported) to the config and supply a signature along with requests to the signer.

[852Kerfunkle]

Had a look and it's not quite clear how the signature is supposed to be included in the sign request.

If anyone has a hint, I'd be happy to make a PR

[nicolasochem]

Here's a hint: https://github.com/midl-dev/tezos-serverless-signer-apps/blob/main/consensus-kms-signer/signer/tezos-kms-client.mjs#L94-L99

1. append prefix bytes 040101
2. append the public key hash of the signer, in bytes, without prefix
3. append the message being signed, in bytes, without prefix
4. sign these appended bytes from 1. 2. and 3. with the authorized key
5. add the resulting signature string (in base58 format, prefixed, for example spsig...) as an authentication header in the signature request.

Note that in order to support any kind of authorized key type (tz1, tz2...) 4. and 5. will likely require adding pytezos as a requirement to TRD. That's quite heavy. However, this is very much needed on my end.

@852Kerfunkle are you still around? Are you still happy to make a PR?