From 9109603f0d2406105b5b0ef5d617825c8edc9020 Mon Sep 17 00:00:00 2001 From: Arshavir Ter-Gabrielyan Date: Fri, 13 Mar 2026 17:07:34 +0100 Subject: [PATCH 1/3] first --- .github/actions/release/README.md | 3 +- .github/actions/release/action.yml | 55 +++++++------- .github/actions/release/run.sh | 17 ++--- .github/workflows/canister-tests.yml | 4 - HACKING.md | 2 - README.md | 48 +----------- scripts/make-upgrade-proposal | 75 +++++++++++++++---- .../src/migrations/sync_anchor_indices.rs | 9 +-- src/internet_identity/src/storage.rs | 3 +- 9 files changed, 99 insertions(+), 117 deletions(-) diff --git a/.github/actions/release/README.md b/.github/actions/release/README.md index 8dd199c19e..c64c2cc02f 100644 --- a/.github/actions/release/README.md +++ b/.github/actions/release/README.md @@ -6,14 +6,13 @@ This action creates nice release notes. To try the action locally, run the following: -``` bash +```bash $ # The list of files for which we compute the sha256 $ # (those file must exist, though they don't need to have meaningful content) $ export INPUT_ASSETS='internet_identity_production.wasm.gz internet_identity_dev.wasm.gz internet_identity_test.wasm.gz archive.wasm.gz' -$ export INPUT_PRODUCTION_ASSET=internet_identity_production.wasm.gz $ export RELEASE_TAG=release-2023-08-11 # Does not need to exist # If you want to test the CI links to the sha256sum steps, also provide a valid INPUT_WORKFLOW_JOBS # The easiest way to get example data to use for INPUT_WORKFLOW_JOBS is to grab it from the last release CI run diff --git a/.github/actions/release/action.yml b/.github/actions/release/action.yml index 0fc30181a8..5b97f08401 100644 --- a/.github/actions/release/action.yml +++ b/.github/actions/release/action.yml 
@@ -1,36 +1,31 @@ -name: 'release notes' -description: 'Prepares release notes, including download links for our artifacts.' +name: "release notes" +description: "Prepares release notes, including download links for our artifacts." inputs: - assets: - description: "Assets to upload" - required: true - default: "" - production_asset: - description: "Name of the production asset" - required: true - default: "" - changelog: - description: "Content of the changelog section" - required: true - default: "" - workflow_jobs: - description: "JSON array of workflow jobs (to generate the links to the workflow runs)" - required: true - default: "" + assets: + description: "Assets to upload" + required: true + default: "" + changelog: + description: "Content of the changelog section" + required: true + default: "" + workflow_jobs: + description: "JSON array of workflow jobs (to generate the links to the workflow runs)" + required: true + default: "" outputs: notes-file: description: The release-notes file value: ${{ steps.release-notes.outputs.notes-file }} runs: - using: 'composite' - steps: - - name: 'Create release notes' - shell: bash - id: release-notes - env: - INPUT_PRODUCTION_ASSET: ${{ inputs.production_asset }} - INPUT_ASSETS: ${{ inputs.assets }} - INPUT_CHANGELOG: ${{ inputs.changelog }} - INPUT_WORKFLOW_JOBS: ${{ inputs.workflow_jobs }} - run: | - ${{ github.action_path }}/run.sh + using: "composite" + steps: + - name: "Create release notes" + shell: bash + id: release-notes + env: + INPUT_ASSETS: ${{ inputs.assets }} + INPUT_CHANGELOG: ${{ inputs.changelog }} + INPUT_WORKFLOW_JOBS: ${{ inputs.workflow_jobs }} + run: | + ${{ github.action_path }}/run.sh diff --git a/.github/actions/release/run.sh b/.github/actions/release/run.sh index 6fd49a5196..b218774721 100755 --- a/.github/actions/release/run.sh +++ b/.github/actions/release/run.sh 
@@ -5,7 +5,6 @@ set -euo pipefail -PRODUCTION_ASSET=${INPUT_PRODUCTION_ASSET:?No production asset specified} RELEASE_TAG=${RELEASE_TAG:-${GITHUB_REF_NAME:?No value for tag}} # Starting the "intro" section where we display a short intro @@ -14,16 +13,14 @@ cat > "$section_intro" << EOF This is Internet Identity release [$RELEASE_TAG](https://github.com/dfinity/internet-identity/releases/tag/$RELEASE_TAG) for commit [$GITHUB_SHA](https://github.com/dfinity/internet-identity/commit/$GITHUB_SHA). EOF -# Starting the "build flavors" section where we add the shas of all input assets +# Starting the artifacts section where we add the shas of all input assets section_build_flavors=$(mktemp) # Start the body with a paragraph and table headers # NOTE: throughout the doc we link to the current release (not to master) because things might # change cat > "$section_build_flavors" <> "$section_build_flavors" - - # Mention production asset in intro section - if [[ "$filename" == "$PRODUCTION_ASSET" ]] - then - shasum -a 256 "$filename" | sed -r "s%^([a-z0-9]+)[[:space:]][[:space:]](.*)$%The sha256 of production asset [\2]($download_link) is [\1]($run_link).%" >> "$section_intro" - fi done <<< "$INPUT_ASSETS" >&2 echo "Creating release notes" diff --git a/.github/workflows/canister-tests.yml b/.github/workflows/canister-tests.yml index f37f7af4c8..a819bf1b3a 100644 --- a/.github/workflows/canister-tests.yml +++ b/.github/workflows/canister-tests.yml @@ -813,12 +813,8 @@ jobs: with: assets: | internet_identity_production.wasm.gz - internet_identity_dev.wasm.gz - internet_identity_test.wasm.gz internet_identity_frontend.wasm.gz archive.wasm.gz - vc_demo_issuer.wasm.gz - production_asset: internet_identity_production.wasm.gz changelog: ${{ steps.changelog.outputs.result }} workflow_jobs: ${{ steps.pipeline-jobs.outputs.result }} diff --git a/HACKING.md b/HACKING.md index 4a3819d7cc..bd683615c2 100644 --- a/HACKING.md +++ b/HACKING.md 
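Review bot: The comment rewritten at the top of the second hunk now calls this the "artifacts section", but the temp file it introduces is still `section_build_flavors=$(mktemp)` and is appended to under that name, so comment and variable disagree; either rename the variable (`section_artifacts=$(mktemp)` plus the later `>> "$section_artifacts"`) or keep the original wording. The per-asset loop body between the heredoc and `done <<< "$INPUT_ASSETS"` is not visible in this rendering; if it still builds a `sed` program from `$download_link`/`$run_link` the way the removed production-asset block did, a `%` or `&` in either URL would corrupt the substitution, so a `printf`-based line or a check on those values is worth adding there. With the production-asset mention gone, the intro file is written only by the first heredoc, which the hunk leaves in place.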
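Review bot: The `assets` list no longer contains `internet_identity_dev.wasm.gz` or `internet_identity_test.wasm.gz`, but the unchanged example in `.github/actions/release/README.md` (first hunk of this patch) still exports `INPUT_ASSETS` with both names, so the documented local test run references artifacts the workflow no longer publishes. Update that example to the same list used here, e.g. `$ export INPUT_ASSETS='internet_identity_production.wasm.gz internet_identity_frontend.wasm.gz archive.wasm.gz'`. Dropping `vc_demo_issuer.wasm.gz` from the release assets is presumably intentional, but neither the commit message ("first") nor a comment records why.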
@@ -6,8 +6,6 @@ This document explains how to build the Wasm module of the Internet Identity can > 💡 The simplest way to build the code is to use the [Docker build][docker-build]. -> 💡 Make sure to read up on the [build features and flavors][features-and-flavors]. - The build requires the following dependencies: - [`dfx`](https://github.com/dfinity/sdk/releases/latest) version 0.10.0 or later diff --git a/README.md b/README.md index b700203b33..1df6bc5966 100644 --- a/README.md +++ b/README.md @@ -30,9 +30,8 @@ For more information, see [What is Internet Identity?](https://internetcomputer. - [Architecture Overview](#architecture-overview) - [Building with Docker](#building-with-docker) - [Integration with Internet Identity](#integration-with-internet-identity) -- [Build Features and Flavors](#build-features-and-flavors) +- [Build Features](#build-features-and-flavors) - [Features](#features) - - [Flavors](#flavors) - [Stable Memory Compatibility](#stable-memory-compatibility) - [Getting Help](#getting-help) - [Links](#links) 
@@ -114,51 +113,6 @@ The [`using-dev-build`](./demos/using-dev-build) demo shows a documented example If you're interested in the infrastructure of how to get the Internet Identity canister and how to test it within your app, check out [`using-dev-build`](./demos/using-dev-build), which uses the Internet Identity development canister. -## Build Features and Flavors - -The Internet Identity build can be customized to include [features](#features) that are -useful when developing and testing. We provide pre-built [flavors](#flavors) -of Internet Identity that include different sets of features. - -### Features - -These options can be used both when building [with docker](#building-with-docker) and -[without docker][hacking]. The features are enabled by setting the corresponding -environment variable to `1`. Any other string, as well as not setting the -environment variable, will disable the feature. - -For instance: - -```bash -$ II_FETCH_ROOT_KEY=1 dfx build -$ II_DUMMY_CAPTCHA=1 II_DUMMY_AUTH=1 ./scripts/docker-build -``` - -⚠️ These options should only ever be used during development as they effectively poke security holes in Internet Identity - -The features are described below: - - - -| Environment variable | Description | -| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `II_FETCH_ROOT_KEY` | When enabled, this instructs the frontend code to fetch the "root key" from the replica.
The Internet Computer (https://ic0.app) uses a private key to sign responses. This private key not being available locally, the (local) replica generates its own. This option effectively tells the Internet Identity frontend to fetch the public key from the replica it connects to. When this option is _not_ enabled, the Internet Identity frontend code will use the (hard coded) public key of the Internet Computer. | -| `II_DUMMY_CAPTCHA` | When enabled, the CAPTCHA challenge (sent by the canister code to the frontend code) is always the known string `"a"`. This is useful for automated testing. | -| `II_DUMMY_AUTH` | When enabled, the frontend code will use a known, stable private key for registering anchors and authenticating. This means that all anchors will have the same public key(s). In particular this bypasses the WebAuthn flows (TouchID, Windows Hello, etc), which simplifies automated testing. | -| `II_DEV_CSP` | When enabled, the content security policy is weakend to allow connections to II using HTTP and allow II to connect via http in order to facilitate development. | - -### Flavors - -We offer some pre-built Wasm modules that contain flavors, i.e. sets of features targeting a particular use case. Flavors can be downloaded from the table below for the latest release or from the [release page](https://github.com/dfinity/internet-identity/releases) for a particular release. 
- -| Flavor | Description | | -| ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :--------------------------------------------------------------------------------------------------------------: | -| Production | This is the production build deployed to https://identity.internetcomputer.org. Includes none of the build features. | [💾](https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_production.wasm.gz) | -| Test | This flavor is used by Internet Identity's test suite. It fully supports authentication but uses a known CAPTCHA value for test automation. Includes the following features:
| [💾](https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_test.wasm.gz) | -| Development | This flavor contains a version of Internet Identity that effectively performs no checks. It can be useful for external developers who want to integrate Internet Identity in their project and care about the general Internet Identity authentication flow, without wanting to deal with authentication and, in particular, WebAuthentication. Includes the following features:

See the [`using-dev-build`](demos/using-dev-build/README.md) project for an example on how to use this flavor. | [💾](https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_dev.wasm.gz) | - ## Stable Memory Compatibility Internet Identity requires data in stable memory to have a specific layout in order to be upgradeable. The layout has been changed multiple times in the past. This is why II stable memory is versioned and each version of II is only compatible to some stable memory versions. diff --git a/scripts/make-upgrade-proposal b/scripts/make-upgrade-proposal index 3973ed867e..05f49a08d7 100755 --- a/scripts/make-upgrade-proposal +++ b/scripts/make-upgrade-proposal @@ -48,7 +48,7 @@ fi NOT_MOCKED_COMMANDS=( echo printf - wait_for_release_text_change + update_release_text wait_for_archive_canister_hash download_wasms request_verification_command 
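Review bot: `update_release_text` takes `wait_for_release_text_change`'s slot in `NOT_MOCKED_COMMANDS`, but the two are not equivalent: the old function only printed instructions, whereas the new one (later in this patch) runs `gh release edit` against the real repository. If, as the array name suggests, this list exempts commands from a mock or dry-run mode, a dry run of the script will now rewrite the title and notes of a live GitHub release; either remove it from the list so it is mocked like the other side-effecting steps, or guard the `gh` calls inside the function with the same dry-run check. A short comment on the entry would make the intent reviewable, e.g. `update_release_text # prompts interactively and performs a live gh release edit`.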
@@ -284,13 +284,64 @@ wait_for_release() { done } -wait_for_release_text_change() { - echo "Go to the release page" - echo "Change title to release-YYYY-MM-DD: (Friendly and explanatory title)" - echo "Add a paragraph after the first one summarizing the upgrade changes" +update_release_text() { + if ! command -v gh &>/dev/null; then + echo "Error: 'gh' CLI is required for this step. Install from https://cli.github.com/" >&2 + exit 1 + fi + + # Prompt for a friendly title + read -rp "Enter a friendly title for this release (e.g. 'Passkey improvements and bug fixes'): " friendly_title + if [ -z "$friendly_title" ]; then + echo "Error: Title cannot be empty" >&2 + exit 1 + fi + + local new_title="${TAG_NAME}: ${friendly_title}" + + # Fetch current release body (auto-generated by CI with Backend/Frontend sections) + local current_body + current_body=$(gh release view "$TAG_NAME" --repo dfinity/internet-identity --json body -q '.body') + + # Find the previous release tag to generate a summary + local prev_tag + prev_tag=$(git tag -l "release-*" | sort -V | grep -B1 "^${TAG_NAME}\$" | head -1) + if [ -z "$prev_tag" ] || [ "$prev_tag" = "$TAG_NAME" ]; then + prev_tag=$(git tag -l "release-*" | sort -V | tail -2 | head -1) + fi + + # Build a summary paragraph from commit subjects + local summary_lines + summary_lines=$(git log --format='- %s' --no-merges "${prev_tag}..${TAG_NAME}" | head -15) + + local summary + summary=$(printf '%s\n\n%s\n\n%s' \ + '## Summary' \ + "This release includes changes since \`${prev_tag}\`:" \ + "$summary_lines") + + # Insert the summary paragraph after the first blank line in the body + local new_body + new_body=$(awk -v summary="$summary" ' + !inserted && /^[[:space:]]*$/ { + print "" + print summary + inserted=1 + next + } + { print } + ' <<< "$current_body") + + # Update the release on GitHub + gh release edit "$TAG_NAME" \ + --repo dfinity/internet-identity \ + --title "$new_title" \ + --notes "$new_body" + echo "" - echo "The What's 
Changed section is now auto-split into Backend/Frontend sections by CI." - echo "Release page: https://github.com/dfinity/internet-identity/releases/tag/$TAG_NAME" + echo "Release updated successfully!" + echo "Title: $new_title" + echo "Please review: https://github.com/dfinity/internet-identity/releases/tag/$TAG_NAME" } wait_for_archive_canister_hash() { @@ -419,8 +470,7 @@ run_didc_command_for_ii_init() { local SUBCOMMAND="$1" shift local ARGS=("$@") - local OPTS="-d ./src/internet_identity/internet_identity.did -t '(opt InternetIdentityInit)'" - didc "$SUBCOMMAND" $OPTS "${ARGS[@]}" + didc "$SUBCOMMAND" -d ./src/internet_identity/internet_identity.did -t '(opt InternetIdentityInit)' "${ARGS[@]}" } didc_encode_ii_init() { @@ -442,8 +492,7 @@ run_didc_command_for_frontend_init() { local SUBCOMMAND="$1" shift local ARGS=("$@") - local OPTS="-d ./src/internet_identity_frontend/internet_identity_frontend.did -t 'InternetIdentityFrontendInit'" - didc "$SUBCOMMAND" $OPTS "${ARGS[@]}" + didc "$SUBCOMMAND" -d ./src/internet_identity_frontend/internet_identity_frontend.did -t '(InternetIdentityFrontendInit)' "${ARGS[@]}" } didc_encode_frontend_init() { @@ -511,7 +560,7 @@ EOF Run the following command to verify the frontend upgrade argument hash: \`\`\` -didc encode -d ./src/internet_identity_frontend/internet_identity_frontend.did -t 'InternetIdentityFrontendInit' '${FRONTEND_ARGUMENTS}' | xxd -r -p | sha256sum +didc encode -d ./src/internet_identity_frontend/internet_identity_frontend.did -t '(InternetIdentityFrontendInit)' '${FRONTEND_ARGUMENTS}' | xxd -r -p | sha256sum \`\`\` The output should match the argument hash. 
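Review bot: `current_body=$(gh release view ...)` is never checked and the `awk` insertion silently does nothing when the body has no blank line, so a failed or empty `gh release view` leads straight to `gh release edit --notes "$new_body"`, which replaces the CI-generated notes with the summary alone; because `local` and the assignment are split this is only caught if the script runs under `set -e`, which is not visible in the hunk. Append `|| { echo "Error: could not read release body for $TAG_NAME" >&2; exit 1; }` to the `gh release view` assignment and add `[ "$new_body" != "$current_body" ] || { echo "Error: summary was not inserted" >&2; exit 1; }` after the awk step. Separately, `awk -v summary="$summary"` interprets escape sequences in the assigned value, so a backslash in a commit subject collected by `git log --format='- %s'` is rewritten before it reaches the notes; passing the text through the environment and printing `ENVIRON["summary"]` avoids that. `prev_tag` can also be empty when no other `release-*` tag exists, which turns the range into `..${TAG_NAME}` and yields a misleading "changes since" heading.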
@@ -737,7 +786,7 @@ confirm_cmd git tag -f $TAG_NAME record "Release commit" git rev-parse $TAG_NAME record "New tag pushed" git push origin $TAG_NAME confirm_cmd wait_for_release -confirm_manual "Edit release page title and text" wait_for_release_text_change +confirm_manual "Review release page update" update_release_text if should_upgrade_backend "$UPGRADE_TYPE"; then confirm_manual "Add archive canister if needed" wait_for_archive_canister_hash diff --git a/src/internet_identity/src/migrations/sync_anchor_indices.rs b/src/internet_identity/src/migrations/sync_anchor_indices.rs index 12ccf90e45..554dc0b719 100644 --- a/src/internet_identity/src/migrations/sync_anchor_indices.rs +++ b/src/internet_identity/src/migrations/sync_anchor_indices.rs @@ -83,11 +83,10 @@ impl Storage { // anchors within this entire batch failed to migrate. let mut batch_did_not_fail_completely = false; - // This is where the index migration happens. For each anchor in the batch, - // force-sync its indices with empty previous data so that all current entries - // get added to the indices (even if the StorableAnchor already existed). + // force-sync the passkey pubkey index with empty previous data so that all current + // entries get added to that index (even if the StorableAnchor already existed). for anchor_number in begin..=end { - match self.force_sync_all_indices(anchor_number) { + match self.force_sync_passkey_pubkey_index(anchor_number) { Ok(_) => {} Err(StorageError::AnchorNotFound { .. }) => { ic_cdk::println!("Marking {} as ", anchor_number); @@ -417,7 +416,7 @@ mod sync_anchor_indices_tests { reset_migration_state(); storage.sync_anchor_indices(0, BATCH_SIZE); - // After the fix (force_sync_all_indices), the indices must be fully populated. + // After the fix (force_sync_passkey_pubkey_index), the indices must be fully populated. assert_eq!( storage .lookup_anchor_with_passkey_pubkey_hash_memory 
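Review bot: The rewritten comment above the loop now starts mid-sentence in lowercase (`// force-sync the passkey pubkey index with empty previous data ...`) because its lead sentence was removed together with the old text; restore a subject, e.g. `// For each anchor in the batch, force-sync the passkey pubkey index with empty previous` / `// data so that all current entries get added to it (even if the StorableAnchor already existed).`. The test comment in the second hunk (`// After the fix (force_sync_passkey_pubkey_index), the indices must be fully populated.`) still says "the indices" although only the passkey pubkey index is synced now; the assertion beneath it reads `lookup_anchor_with_passkey_pubkey_hash_memory`, so "the passkey pubkey index must be fully populated" would match what is tested. The enclosing migration function starts and ends outside the first hunk.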
diff --git a/src/internet_identity/src/storage.rs b/src/internet_identity/src/storage.rs index cdf5324d34..c42a1f92dd 100644 --- a/src/internet_identity/src/storage.rs +++ b/src/internet_identity/src/storage.rs @@ -146,7 +146,6 @@ mod tests; /// * version 1-8: no longer supported /// * version 9: 4KB anchors, candid anchor record layout, persistent state in virtual memory, /// with memory manager (from 2nd page on), archive entries buffer in stable memory -/// * version 10: passkey pubkey hash index key type changed from [u8; 32] to Principal const SUPPORTED_LAYOUT_VERSIONS: RangeInclusive = 9..=9; const DEFAULT_ENTRY_SIZE: u16 = 4096; @@ -713,7 +712,7 @@ impl Storage { /// and syncing indices with empty previous data. This is intended for data migrations /// where the `StorableAnchor` already exists in `stable_anchor_memory` but the index /// was not yet populated. - pub(crate) fn force_sync_all_indices( + pub(crate) fn force_sync_passkey_pubkey_index( &mut self, anchor_number: AnchorNumber, ) -> Result<(), StorageError> { From e1c7cde98561f4640329a27ef8f22ccf4c3083bd Mon Sep 17 00:00:00 2001 From: Arshavir Ter-Gabrielyan Date: Fri, 13 Mar 2026 17:25:31 +0100 Subject: [PATCH 2/3] save --- scripts/make-upgrade-proposal | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/make-upgrade-proposal b/scripts/make-upgrade-proposal index 05f49a08d7..8a6ad47294 100755 --- a/scripts/make-upgrade-proposal +++ b/scripts/make-upgrade-proposal @@ -515,6 +515,9 @@ prepare_proposal_argument() { echo "You need at least the didc from 2024-07-29 https://github.com/dfinity/candid/releases/tag/2024-07-29" if should_upgrade_backend "$upgrade_type"; then + echo "" + echo "=== Filling init arguments for BACKEND canister (InternetIdentityInit) ===" + echo "" didc_assist_ii_init > args.txt didc_encode_ii_init args.txt > dfx_arg.bin # DFX raw arguments are encoded differently than ic-admin's --arg values (mainnet_arg.bin). 
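Review bot: The doc comment on the renamed `force_sync_passkey_pubkey_index` (context lines of the second hunk) still describes it as "syncing indices with empty previous data", so the documentation promises more than the name; change that sentence to `/// and syncing the passkey pubkey index with empty previous data. This is intended for data migrations`. The function body continues outside the hunk, so whether any other index is still touched cannot be confirmed here. Removing the `version 10` entry from the layout-version list is consistent with `SUPPORTED_LAYOUT_VERSIONS` staying at `9..=9`.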
@@ -522,6 +525,9 @@ prepare_proposal_argument() { fi if should_upgrade_frontend "$upgrade_type"; then + echo "" + echo "=== Filling init arguments for FRONTEND canister (InternetIdentityFrontendInit) ===" + echo "" didc_assist_frontend_init > frontend_args.txt didc_encode_frontend_init frontend_args.txt > dfx_frontend_arg.bin xxd -r -p dfx_frontend_arg.bin > mainnet_frontend_arg.bin From 0352964afeee0703864e89b3d40555e2611f1134 Mon Sep 17 00:00:00 2001 From: Arshavir Ter-Gabrielyan Date: Fri, 13 Mar 2026 17:27:41 +0100 Subject: [PATCH 3/3] Fix README text --- README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/README.md b/README.md index 1df6bc5966..f4edc0c31b 100644 --- a/README.md +++ b/README.md @@ -30,8 +30,6 @@ For more information, see [What is Internet Identity?](https://internetcomputer. - [Architecture Overview](#architecture-overview) - [Building with Docker](#building-with-docker) - [Integration with Internet Identity](#integration-with-internet-identity) -- [Build Features](#build-features-and-flavors) - - [Features](#features) - [Stable Memory Compatibility](#stable-memory-compatibility) - [Getting Help](#getting-help) - [Links](#links) @@ -101,9 +99,7 @@ $ ./scripts/docker-build The [`Dockerfile`](./Dockerfile) specifies build instructions for Internet Identity. Building the `Dockerfile` will result in a scratch container that contains the Wasm module at `/internet_identity.wasm.gz`. -> 💡 The build can be customized with [build features](#build-features-and-flavors). - -We recommend using the [`docker-build`](./scripts/docker-build) script. It simplifies the usage of [build features](#build-features-and-flavors) and extracts the Wasm module from the final scratch container. +We recommend using the [`docker-build`](./scripts/docker-build) script. It extracts the Wasm module from the final scratch container. > 💡 You can find instructions for building the code without Docker in the [HACKING] document.