[c-881][Ledger] add support for multisig with eip712 signautures

[dbrajovic]

Description

Closes: #XXXX

---

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

• included the correct type prefix in the PR title
• added ! to the type prefix if API or client breaking change
• targeted the correct branch (see PR Targeting)
• provided a link to the relevant issue or specification
• followed the guidelines for building modules
• included the necessary unit and integration tests
• added a changelog entry to CHANGELOG.md
• included comments for documenting Go code
• updated the relevant documentation or specification
• reviewed "Files changed" and left comments if necessary
• run make lint and make test
• confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

• confirmed the correct type prefix in the PR title
• confirmed ! in the type prefix if API or client breaking change
• confirmed all author checklist items have been addressed
• reviewed state machine logic
• reviewed API design and naming
• reviewed documentation is accurate
• reviewed tests and test coverage
• manually tested (if applicable)

Summary by CodeRabbit

• New Features

  • Dynamic registration for custom sign mode handlers.
  • Support for the new EIP712_V2 signing mode.

• Chores

  • Upgraded Go toolchain to 1.23.9 across modules.
  • Updated core dependencies including gRPC, Protocol Buffers, OpenTelemetry, and various crypto/network libraries.

[linear]

C-881 Properly implement Ledger multisig within cosmos-sdk

[github-actions]

@dbrajovic your pull request is missing a changelog!

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c448e1c9-955a-4f0d-b558-9e6bdeacd00d

📥 Commits

Reviewing files that changed from the base of the PR and between 0e54211 and 257c626.

📒 Files selected for processing (1)

• x/auth/signing/verify.go

🚧 Files skipped from review as they are similar to previous changes (1)

• x/auth/signing/verify.go

---

📝 Walkthrough

Walkthrough

Bumps Go toolchain to 1.23.9 and updates numerous dependencies across multiple module go.mod files; adds HandlerMap.AddSignModeHandler for dynamic sign-mode registration; and adds EIP712_V2 sign-mode mappings in both API↔internal translation functions.

Changes

Cohort / File(s)	Summary
Go Module Updates x/circuit/go.mod, x/evidence/go.mod, x/feegrant/go.mod, x/nft/go.mod, x/upgrade/go.mod	Bump Go version to 1.23.9 and update dependencies: github.com/stretchr/testify → v1.11.1, google.golang.org/grpc → v1.75.0, google.golang.org/protobuf → v1.36.8, OpenTelemetry → v1.38.0, multiple golang.org/x/* modules, and many indirect deps.
HandlerMap Enhancement x/tx/signing/handler_map.go	Add public method AddSignModeHandler(mode signingv1beta1.SignMode, handler SignModeHandler) to append modes and register sign-mode handlers dynamically.
Sign Mode Mapping x/auth/signing/verify.go	Extend API↔internal sign-mode translation to handle SIGN_MODE_EIP712_V2 in both APISignModeToInternal and internalSignModeToAPI.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibble lines and hop with glee,

bumped the toolchain, set versions free.
I tuck new modes inside the map,
EIP712_V2 finds its lap.
Hooray — a carrot for each dependency! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions 'multisig with eip712 signatures' but the actual changeset focuses on adding EIP712_V2 sign mode support across multiple modules and dependency updates, without concrete multisig implementation details.	Revise the title to accurately reflect the main changes: consider 'Add EIP712_V2 sign mode support and update Go dependencies' or similar that captures both the sign mode addition and the version bumps across modules.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch c-881/ledger-multisig

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	google.golang.org/​grpc@​v1.62.1
	google.golang.org/​genproto/​googleapis/​api@​v0.0.0-20250106144421-5f5ef82da422 ⏵ v0.0.0-20240123012728-ef4313101c80
	github.com/​rs/​zerolog@​v1.29.1
	gotest.tools/​v3@​v3.4.0
	github.com/​spf13/​cobra@​v1.8.0
	cosmossdk.io/​x/​upgrade@​v0.0.0-20230614103911-b3da8bb4e801
	github.com/​otiai10/​copy@​v1.11.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches in golang github.com/hashicorp/go-getter CVE: GHSA-q64h-39hv-4cf7 HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches (CRITICAL) Affected versions: >= 1.5.9 < 1.7.4 Patched version: 1.7.4 From: ? → golang/cosmossdk.io/x/upgrade@v0.0.0-20230614103911-b3da8bb4e801 → golang/github.com/hashicorp/go-getter@v1.7.1 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/hashicorp/go-getter@v1.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang golang.org/x/crypto CVE: GHSA-v778-237x-gjrc Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (CRITICAL) Affected versions: < 0.31.0 Patched version: 0.31.0 From: ? → golang/cosmossdk.io/errors@v1.0.1 → golang/cosmossdk.io/core@v0.11.0 → golang/github.com/spf13/viper@v1.19.0 → golang/cosmossdk.io/x/upgrade@v0.0.0-20230614103911-b3da8bb4e801 → golang/cosmossdk.io/x/evidence@v0.1.1 → golang/cosmossdk.io/x/upgrade@v0.1.4 → golang/github.com/cosmos/cosmos-sdk@v0.50.6 → golang/github.com/cosmos/cosmos-sdk@v0.50.6 → golang/github.com/hashicorp/go-getter@v1.7.4 → golang/cosmossdk.io/core@v0.11.1 → golang/github.com/cosmos/cosmos-sdk@v0.50.8 → golang/github.com/cosmos/gogoproto@v1.7.0 → golang/cosmossdk.io/store@v1.1.1 → golang/cosmossdk.io/x/circuit@v0.1.1 → golang/cosmossdk.io/client/v2@v2.0.0-beta.5.0.20241121152743-3dad36d9a29e → golang/github.com/grpc-ecosystem/grpc-gateway@v1.16.0 → golang/github.com/grpc-ecosystem/grpc-gateway@v1.16.0 → golang/golang.org/x/crypto@v0.26.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/golang.org/x/crypto@v0.26.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@x/tx/signing/handler_map.go`:
- Around line 62-64: The AddSignModeHandler method on HandlerMap mutates shared
state unsafely; add a sync.RWMutex field to HandlerMap and protect writes in
AddSignModeHandler (use Lock/Unlock) and reads in GetSignBytes() and
SupportedModes() (use RLock/RUnlock), change AddSignModeHandler to validate
inputs (non-nil handler, matching SignMode type), detect and return an error on
duplicate registration instead of panicking, and update callers/tests to handle
the error; leave NewHandlerMap initialization logic intact to register handlers
at startup.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 269f5aeb-afa7-4510-bd29-346ea5bfc759

📥 Commits

Reviewing files that changed from the base of the PR and between c294279 and 11e1050.

⛔ Files ignored due to path filters (5)

• x/circuit/go.sum is excluded by !**/*.sum
• x/evidence/go.sum is excluded by !**/*.sum
• x/feegrant/go.sum is excluded by !**/*.sum
• x/nft/go.sum is excluded by !**/*.sum
• x/upgrade/go.sum is excluded by !**/*.sum

📒 Files selected for processing (6)

• x/circuit/go.mod
• x/evidence/go.mod
• x/feegrant/go.mod
• x/nft/go.mod
• x/tx/signing/handler_map.go
• x/upgrade/go.mod

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

x/auth/signing/verify.go (1)

28-42: ⚠️ Potential issue | 🟠 Major

Missing symmetric case in APISignModeToInternal for EIP712_V2.

The new SignMode_SIGN_MODE_EIP712_V2 was added to internalSignModeToAPI but the corresponding case is missing from APISignModeToInternal. This asymmetry will cause incoming transactions using EIP712_V2 to fail with "unsupported sign mode" when converting from the protobuf API representation to the internal SDK type.

🐛 Proposed fix to add symmetric conversion

 func APISignModeToInternal(mode signingv1beta1.SignMode) (signing.SignMode, error) {
 	switch mode {
 	case signingv1beta1.SignMode_SIGN_MODE_DIRECT:
 		return signing.SignMode_SIGN_MODE_DIRECT, nil
 	case signingv1beta1.SignMode_SIGN_MODE_LEGACY_AMINO_JSON:
 		return signing.SignMode_SIGN_MODE_LEGACY_AMINO_JSON, nil
 	case signingv1beta1.SignMode_SIGN_MODE_TEXTUAL:
 		return signing.SignMode_SIGN_MODE_TEXTUAL, nil
 	case signingv1beta1.SignMode_SIGN_MODE_DIRECT_AUX:
 		return signing.SignMode_SIGN_MODE_DIRECT_AUX, nil
+	case signingv1beta1.SignMode_SIGN_MODE_EIP712_V2:
+		return signing.SignMode_SIGN_MODE_EIP712_V2, nil
 	default:
 		return signing.SignMode_SIGN_MODE_UNSPECIFIED, fmt.Errorf("unsupported sign mode %s", mode)
 	}
 }

Also applies to: 55-56

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@x/auth/signing/verify.go` around lines 28 - 42, APISignModeToInternal is
missing a case for signingv1beta1.SignMode_SIGN_MODE_EIP712_V2, causing
conversion failures for EIP712_V2; add a symmetric case in APISignModeToInternal
that returns signing.SignMode_SIGN_MODE_EIP712_V2 (mirroring
internalSignModeToAPI), so the function handles the new sign mode and avoids the
"unsupported sign mode" error when converting from the protobuf API
representation.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@x/auth/signing/verify.go`:
- Around line 28-42: APISignModeToInternal is missing a case for
signingv1beta1.SignMode_SIGN_MODE_EIP712_V2, causing conversion failures for
EIP712_V2; add a symmetric case in APISignModeToInternal that returns
signing.SignMode_SIGN_MODE_EIP712_V2 (mirroring internalSignModeToAPI), so the
function handles the new sign mode and avoids the "unsupported sign mode" error
when converting from the protobuf API representation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 210b188f-46a1-4f1f-9231-dda16ada69e0

📥 Commits

Reviewing files that changed from the base of the PR and between 11e1050 and 0e54211.

📒 Files selected for processing (1)

• x/auth/signing/verify.go