Validator keys tool currently supports generating of the validator token using a private key that lives on the disk. For security, we're storing keys over HSM and MPC, that is exposed via an API. The API accepts payload to sign and eventually returns a signature.

The private key is never exposed outside of the system so it is not possible to import the private key on the disk for signing purposes. The signing process has to happen remotely, via an API call.

There are different ways of implementing this but one that comes to mind is:

1. The validator keys tool supports some CLI option that produces the payload / digest to sign
2. We take this payload / digest and make the API call to sign via a curl command
3. Once we have the signature, we pass that into the validator tool, into something that finalizes it into the validator token

Thoughts?