[PRODCRE-1747] Enable importing keystorelib keys

[cedric-cordenier]

Requires

Supports

[github-actions]

👋 cedric-cordenier, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

[Copilot]

Pull request overview

This PR implements backward compatibility support for importing CSA and OCR2 keys from the chainlink-common keystore library format into the core Chainlink keystore.

Changes:

• Added support for importing CSA and OCR2 keys from the chainlink-common keystore format
• Refactored key import logic to use a generic helper function
• Extended configuration types to support CSA and OCR2 key import

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
core/services/keystore/ocr2_test.go	Added test verifying OCR2 key import compatibility with chainlink-common keystore
core/services/keystore/keys/ocr2key/export.go	Enhanced OCR2 key import to support both chainlink-common and legacy formats
core/services/keystore/keys/csakey/export.go	Enhanced CSA key import to support both chainlink-common and legacy formats
core/services/keystore/csa_test.go	Added test verifying CSA key import compatibility with chainlink-common keystore
core/services/chainlink/types.go	Extended interface with methods for importing CSA and OCR2 keys
core/services/chainlink/mocks/general_config.go	Generated mock implementations for new import methods
core/services/chainlink/config_imported_ocr2_key.go	Added configuration wrapper for OCR2 key import
core/services/chainlink/config_imported_csa_key.go	Added configuration wrapper for CSA key import
core/services/chainlink/config_general.go	Implemented methods to access CSA and OCR2 key import configurations
core/config/toml/types.go	Added TOML configuration types for CSA and OCR2 key import
core/cmd/shell_local.go	Refactored to use generic import helper and added CSA/OCR2 key import during node startup

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Corrected spelling of 'FromEcryptedCSAKey' to 'FromEncryptedCSAKey'.

Suggested change

	data, err := corekeys.FromEcryptedCSAKey(keyJSON, password)
	data, err := corekeys.FromEncryptedCSAKey(keyJSON, password)

[github-actions]

I see you updated files related to core. Please run pnpm changeset in the root directory to add a changeset as well as in the text include at least one of the following tags:

• #added For any new functionality added.
• #breaking_change For any functionality that requires manual action for the node to boot.
• #bugfix For bug fixes.
• #changed For any change to the existing functionality.
• #db_update For any feature that introduces updates to database schema.
• #deprecation_notice For any upcoming deprecation functionality.
• #internal For changesets that need to be excluded from the final changelog.
• #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
• #removed For any functionality/config that is removed.
• #updated For any functionality that is updated.
• #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

[trunk-io]

     

Failed Test	Failure Summary	Logs
Test_CRE_V2_Cron_Regression/[v2]_Cron_(Beholder)_fails_when_schedule_is_inappropriately_formatted	The test failed because the Beholder service could not start due to a port conflict, with an address already in use error.	Logs ↗︎

View Full Report ↗︎ ⋅ Docs

[github-actions]

CORA - Analysis Skipped

Reason: The number of code owners (3) is less than the minimum required (5) and/or the number of CODEOWNERS entries with changed files (8) is less than the minimum required (2).

[trunk-io]

🔴 Test Results: Starknet Key Unmarshalling Timeout

Affected failures:

1. Workflow Run: Core Tests (go_core_fuzz)

What Broke

The new unmarshalling logic for OCR2 keys, which indirectly impacts Starknet keys, caused a timeout during fuzzing due to a performance regression or deadlock.

Proposed Fixes

Add Marshal and Unmarshal methods to starkkey.Key in core/services/keystore/keys/starkkey/key.go to correctly implement the keyring interface and resolve the fuzzing timeout.

In key.go:92

 func (key Key) PublicKey() {
 return key.pub
 }
+ 
+ // Marshal returns the raw private key bytes.
+ func (key Key) Marshal() ([]byte, error) {
+ return key.raw.Bytes(), nil
+ }
+ 
+ // Unmarshal sets the raw private key bytes.
+ func (key *Key) Unmarshal(in []byte) error {
+ *key = KeyFor(internal.NewRaw(in))
+ return nil
+ }

Autofix Options

You can apply the proposed fixes directly to your branch. Try the following:

• Comment /trunk stack-fix cE10n3rY to generate a stacked PR with the proposed fixes.
• Use MCP in your IDE to fix the issue. Try Help me fix CI failures from cE10n3rY to get started.

Tip

Get Better Results: This CI job is not uploading test reports. Adding structured test reports enables more precise, test-level analysis with better root cause identification and more targeted fix recommendations.
👉🏻 Learn how to upload test results.

[cl-sonarqube-production]

Quality Gate passed

Issues
2 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[trunk-io]

🔴 Test Results: Keystorelib OCR2 Key Import Error

Affected tests:

1. TestIntegration_LogEventProvider_UpdateConfig (Workflow Run: Core Tests (go_core_tests))

What Broke

The new keystorelib integration for OCR2 keys is causing an error during the key import process in the node's startup, leading to a premature shutdown.

Proposed Fixes

Modify the ocr2key.FromEncryptedJSON function to handle empty key JSON gracefully by returning nil, nil.

In export.go:35

 func FromEncryptedJSON(keyJSON []byte, password string) (
+ 	if len(keyJSON) == 0 {
+ 		return nil, nil
+ 	}
 \tocrBundle, err := corekeys.FromEncryptedOCRKeyBundle(keyJSON, password)

Autofix Options

You can apply the proposed fixes directly to your branch. Try the following:

• Comment /trunk stack-fix dlW6fa7T to generate a stacked PR with the proposed fixes.
• Use MCP in your IDE to fix the issue. Try Help me fix CI failures from dlW6fa7T to get started.

View all test uploads