You need:

  1. a key (either a deterministically derived child, or just the master depending on the privacy required)
  2. a process for receiving something to sign from Service
  3. a process for transmitting the signature to Service

Seems like (2) and (3) should probably just use a relay that the Service suggests when giving you something to sign, perhaps reusing encrypted messaging/DMs.
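The three pieces listed above, sketched as an added example that is not part of the original post. It assumes Ed25519 keys, an HMAC-SHA256 derivation for the per-service child, and made-up service names and labels. The relay transport for steps (2) and (3) is left out, so the challenge and signature are passed as plain byte slices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// deriveChild deterministically derives a per-service Ed25519 key from the
// master secret. Assumption: HMAC-SHA256(master, label || service) is the
// KDF; the post does not name a derivation scheme.
func deriveChild(master []byte, service string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("service-login-child-v1\x00" + service))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte seed
}

// signingInput binds a signature to one service and one challenge, so a
// signature made for one Service is useless when replayed to another.
func signingInput(service string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte("service-login-sig-v1\x00" + service + "\x00"))
	h.Write(challenge)
	return h.Sum(nil)
}

func signChallenge(key ed25519.PrivateKey, service string, challenge []byte) []byte {
	return ed25519.Sign(key, signingInput(service, challenge))
}

func verifyChallenge(pub ed25519.PublicKey, service string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signingInput(service, challenge), sig)
}

func publicKey(key ed25519.PrivateKey) ed25519.PublicKey { return key.Public().(ed25519.PublicKey) }

func main() {
	master := sha256.Sum256([]byte("constructed demo master secret")) // constructed sample
	challenge := []byte("constructed-nonce-0001")                     // item 2: sent by Service
	key := deriveChild(master[:], "service-a.example")
	sig := signChallenge(key, "service-a.example", challenge) // item 3: sent back
	pub := publicKey(key)
	fmt.Println("verifies for service-a:", verifyChallenge(pub, "service-a.example", challenge, sig))
	fmt.Println("replayed to service-b:", verifyChallenge(pub, "service-b.example", challenge, sig))
}
```

Each Service sees a different public key, so two Services cannot link the same user by key, while signing with the master key directly gives every Service the same identifier.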