[CLI][Ledger] Incorporate key rotation support for Ledger

[alnoki]

Overview

It should now be possible to rotate an account's authentication key to be secured by a Ledger hardware wallet. Implementation steps below, detailed background at bottom.

Implementation roadmap

In Ledger library

• Create a function based on aptos_ledger::sign_message, for example aptos_ledger::sign_bytes, which allows for signing of an arbitrary bytes vector, per Version v0.6.9: SDK upgrade, Ledger Stax UI, Improve Blind Signing behavior LedgerHQ/app-aptos#13 (comment). Not needed as of 0.6.9 C APIs for Ledger

In CLI

• Add new_derivation_path to RotateKey to support rotation to a Ledger, using aptos_ledger::get_public_key as needed for the CLI profile. (Added in [CLI][Framework][Ledger] Add Ledger key rotation and more profile management to CLI, fix/extend associated Framework code #11151)
• Use proposed aptos_ledger::sign_bytes or similar from above to sign a RotationProofChallenge as needed. (Added in [CLI][Framework][Ledger] Add Ledger key rotation and more profile management to CLI, fix/extend associated Framework code #11151)
• Add rename_stale_profile option to RotateKey with accompanying interactive prompt, so that user can optionally rename the CLI profile that is rendered stale after a successful rotation. (e.g. user rotates my-nft-hot-wallet from a private key profile to a Ledger profile, so my-nft-hot-wallet gets renamed to my-nft-hot-wallet-before-rotation, and the new profile gets named my-nft-hardware-wallet). This is useful for record-keeping, and a stale profile is especially useful to have on hand when a user needs to temporarily rotate a Ledger wallet back to a hot wallet in order to publish a package that can not be signed by a Ledger due to its memory constraints. (Addressed with new CLI profile management functions in [CLI][Framework][Ledger] Add Ledger key rotation and more profile management to CLI, fix/extend associated Framework code #11151)
• Update RotateSummary.message to print out new name of the renamed stale profile from RotateKey.rename_stale_profile input. (Addressed with new CLI profile management functions in [CLI][Framework][Ledger] Add Ledger key rotation and more profile management to CLI, fix/extend associated Framework code #11151)

Background

In #11151, I attempted to update the CLI to support key rotation to a Ledger wallet. However, this was blocked by the Ledger's inability to sign an arbitrary message, as required for the RotationProofChallenge. @hardsetting began collaborating with @vldmkr on adding blind signing functionality for the Ledger and I put Ledger key rotation efforts on hold.

Recently, during an in-person discussion with @davidiw, @gedigi, @hariria, and @xbtmatt, I learned about the introduction of rotate_authentication_key_call, so I submitted aptos-labs/developer-docs#367 to demonstrate how the new function could enable key rotation to and from a Ledger hardware wallet without getting blocked by the RotationProofChallenge signing process.

During PR review, @gregnazario left comment aptos-labs/developer-docs#367 (comment), which I interpreted as a suggestion to update the CLI to use rotate_authentication_key_call instead of the existing
rotate_authentication_key.

However, since the existing CLI implementation relies on rotate_authentication_key, CLI rotations result in updates to the OriginatingAddress table, which would not be the case for rotate_authentication_key_call if it were to be incorporated in the CLI unless some kind of reconciliation function were added to the framework. (For example a function like account::ensure_originating_address_for_account, as proposed in #13517).

Even if a followup reconciliation function were to be added, however, it would still complicate the process due to the two-transaction process required when rotating via rotate_authentication_key_call.

While doing this writeup, I stumbled upon LedgerHQ/app-aptos#13 (comment), which indicates to me that arbitrary message signing is probably now available in the Ledger app API, such that a Ledger can indeed sign a RotationProofChallenge.

[alnoki]

Closed per #14084

[AlexNaumov616]

Dear Frends !I need help!
I cannot use the resources of my aptos wallet stored on ledger.I found a transaction in the browser :rotation authentication key call.I remembered that I signed the transaction for the distribution of airdrop.Now the Bad account authentication key error occurs when signing.What should I do?Help please