op-node: Fix OPB-07 (#3547)

* op-node: Fix OPB-07

Fixes Sigma Prime audit issue OPB-07: Private Key Stored Without Encryption. This PR requires reading the sequencer private key from an environment variable rather than a file on disk.

Fixes ENG-2616

* fix devnet

* delete superfluous file
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

op-node/flags/p2p_flags.go

@@ -194,9 +194,8 @@ var (
 	}
 	SequencerP2PKeyFlag = cli.StringFlag{
 		Name:     "p2p.sequencer.key",
-		Usage:     "File path of hex-encoded private key for signing off on p2p application messages as sequencer.",
+		Usage:    "Hex-encoded private key for signing off on p2p application messages as sequencer.",
 		Required: false,
-		TakesFile: true,
 		Value:    "",
 		EnvVar:   p2pEnv("SEQUENCER_KEY"),
 	}

op-node/p2p/signer.go

@@ -82,12 +82,11 @@ type SignerSetup interface {
 
 // LoadSignerSetup loads a configuration for a Signer to be set up later
 func LoadSignerSetup(ctx *cli.Context) (SignerSetup, error) {
-	keyFile := ctx.GlobalString(flags.SequencerP2PKeyFlag.Name)
-	if keyFile != "" {
+	key := ctx.GlobalString(flags.SequencerP2PKeyFlag.Name)
+	if key != "" {
 		// Mnemonics are bad because they leak *all* keys when they leak.
 		// Unencrypted keys from file are bad because they are easy to leak (and we are not checking file permissions).
-		// TODO: load from encrypted keystore
-		priv, err := crypto.LoadECDSA(keyFile)
+		priv, err := crypto.HexToECDSA(key)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read batch submitter key: %w", err)
 		}

ops-bedrock/docker-compose.yml

@@ -51,7 +51,7 @@ services:
       --sequencer.enabled
       --sequencer.l1-confs=0
       --verifier.l1-confs=0
-      --p2p.sequencer.key=/config/p2p-sequencer-key.txt
+      --p2p.sequencer.key=8b3a350cf5c34c9194ca85829a2df0ec3153be0318b5e2d3348e872092edffba
       --rollup.config=/rollup.json
       --rpc.addr=0.0.0.0
       --rpc.port=8545

ops-bedrock/p2p-sequencer-key.txt

-8b3a350cf5c34c9194ca85829a2df0ec3153be0318b5e2d3348e872092edffba