Merge pull request #653 from input-output-hk/jpraynaud/621-decommission-unverified-signer-registration

Decommission signer registration with declarative PoolId

Author: jpraynaud

.github/workflows/actions/build-upload-mithril-artifact/action.yml

@@ -4,7 +4,7 @@ inputs:
   build-args:
     description: Arguments to pass to 'cargo build'
     required: false
-    default: ''
+    default: '-p mithril-aggregator -p mithril-client -p mithril-common -p mithril-signer -p mithril-stm'
 runs:
   using: "composite"
   steps:
@@ -14,10 +14,10 @@ runs:
         pip3 install toml
         python3 ./.github/workflows/scripts/edit-cargo-toml-version.py -l $(echo ${{ github.sha }} | cut -c1-7)
 
-    - name: Cargo build
+    - name: Cargo build - Distribution
       shell: bash
       run: cargo build --release ${{ inputs.build-args }}
-
+        
     - name: Publish Mithril Distribution (${{ runner.os }}-${{ runner.arch }})
       uses: actions/upload-artifact@v3
       with:

.github/workflows/ci.yml

@@ -31,6 +31,11 @@ jobs:
           cache-version: ${{ secrets.CACHE_VERSION }}
           cargo-tools: cargo-deb
 
+      # We separate the build in 2 steps as we want to avoid side effects with Rust feature unification.
+      - name: Cargo build - Tooling
+        shell: bash
+        run: cargo build --release --workspace --exclude mithril-aggregator --exclude mithril-client --exclude mithril-signer --exclude mithril-stm
+
       - name: Build Mithril workspace & publish artifacts
         uses: ./.github/workflows/actions/build-upload-mithril-artifact
 

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "mithrildemo"
-version = "0.1.0"
+version = "0.1.1"
 authors = { workspace = true }
 edition = { workspace = true }
 documentation = { workspace = true }
@@ -10,14 +10,23 @@ repository = { workspace = true }
 
 [dependencies]
 base64 = "0.13.0"
+blake2 = "0.10.4"
 clap = { version = "4.0.18", features = ["derive"] }
 hex = "0.4.3"
 log = "0.4.14"
-mithril-common = { path = "../../mithril-common", features = ["allow_skip_signer_certification"] }
+mithril-common = { path = "../../mithril-common" }
 rand_chacha = "0.3.1"
 rand_core   = "0.6.3"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 
+[target.'cfg(not(windows))'.dependencies]
+# non-windows: use default rug backend
+mithril-stm = { path = "../../mithril-stm" }
+
+[target.'cfg(windows)'.dependencies]
+# Windows doesn't support rug backend, fallback to num-integer
+mithril-stm = { path = "../../mithril-stm", default-features = false, features = ["num-integer-backend"] }
+
 [features]
-portable = ["mithril-common/portable"]
+portable = ["mithril-common/portable", "mithril-stm/portable"]

demo/protocol-demo/Cargo.toml

@@ -7,11 +7,12 @@ use std::fs;
 use std::io::Write;
 use std::path;
 
-use mithril_common::crypto_helper::{
-    key_decode_hex, key_encode_hex, ProtocolClerk, ProtocolInitializerNotCertified,
-    ProtocolKeyRegistrationNotCertified, ProtocolMultiSignature, ProtocolParameters,
-    ProtocolPartyId, ProtocolSigner, ProtocolSignerVerificationKey, ProtocolSingleSignature,
-    ProtocolStake,
+use mithril_common::crypto_helper::{key_decode_hex, key_encode_hex};
+
+use crate::types::{
+    ProtocolClerk, ProtocolInitializerNotCertified, ProtocolKeyRegistrationNotCertified,
+    ProtocolMultiSignature, ProtocolParameters, ProtocolPartyId, ProtocolSigner,
+    ProtocolSignerVerificationKey, ProtocolSingleSignature, ProtocolStake,
 };
 
 /// Player artifacts

demo/protocol-demo/src/demonstrator.rs

@@ -1,4 +1,5 @@
 mod demonstrator;
+mod types;
 
 use crate::demonstrator::{Demonstrator, ProtocolDemonstrator};
 use clap::Parser;

demo/protocol-demo/src/main.rs

@@ -0,0 +1,40 @@
+use mithril_stm::key_reg::KeyReg;
+use mithril_stm::stm::{
+    Stake, StmAggrSig, StmClerk, StmInitializer, StmParameters, StmSig, StmSigner,
+    StmVerificationKeyPoP,
+};
+
+use blake2::{digest::consts::U32, Blake2b};
+
+// Protocol types alias
+type D = Blake2b<U32>;
+
+/// The id of a mithril party.
+pub type ProtocolPartyId = String;
+
+/// Alias of [MithrilStm:Stake](type@mithril_stm::stm::Stake).
+pub type ProtocolStake = Stake;
+
+/// Alias of [MithrilStm::StmParameters](struct@mithril_stm::stm::StmParameters).
+pub type ProtocolParameters = StmParameters;
+
+/// Alias of [MithrilStm:StmSigner](struct@mithril_stm::stm::StmSigner).
+pub type ProtocolSigner = StmSigner<D>;
+
+/// Alias of [MithrilStm:StmClerk](struct@mithril_stm::stm::StmClerk).
+pub type ProtocolClerk = StmClerk<D>;
+
+/// Alias of [MithrilStm:StmInitializer](struct@mithril_stm::stm::StmInitializer).
+pub type ProtocolInitializerNotCertified = StmInitializer;
+
+/// Alias of [MithrilStm:KeyReg](struct@mithril_stm::key_reg::KeyReg). (Test only)
+pub type ProtocolKeyRegistrationNotCertified = KeyReg;
+
+/// Alias of [MithrilStm:StmSig](struct@mithril_stm::stm::StmSig).
+pub type ProtocolSingleSignature = StmSig;
+
+/// Alias of [MithrilStm:StmAggrSig](struct@mithril_stm::stm::StmAggrSig).
+pub type ProtocolMultiSignature = StmAggrSig<D>;
+
+/// Alias of [MithrilStm:StmVerificationKeyPoP](type@mithril_stm::stm::StmVerificationKeyPoP).
+pub type ProtocolSignerVerificationKey = StmVerificationKeyPoP;

demo/protocol-demo/src/types.rs

@@ -5,6 +5,10 @@ authors:
 tags: [cardano, poolId, operational-certificate, kes-keys, mithril-keys, hybrid-mode]
 ---
 
+**Update 2022/12/19**: The signer registration with **declarative** PoolId has been decommissioned.
+
+**Update 2022/11/30**: The signer registration with **declarative** PoolId has been deprecated and the **certified** PoolId is now the stable mode.
+
 ### The way the Mithril nodes handle the Certification of the SPOs is evolving
 
 **PR**: `New STM registration procedure` [#433](https://github.com/input-output-hk/mithril/pull/433)

docs/blog/2022-10-11-keys-certification-badge/index.md

@@ -182,7 +182,7 @@ Here is a list of the available parameters:
 | `db_directory` | `--db-directory` | - | `DB_DIRECTORY` | Directory to snapshot from the **Cardano Node** | `/db` | - | :heavy_check_mark: |
 | `network` | - | - | `NETWORK` | Cardano network | - | `testnet` or `mainnet` or `devnet` | :heavy_check_mark: |
 `network_magic` | - | - | `NETWORK_MAGIC` | Cardano Network Magic number (for `testnet` and `devnet`) | - | `1097911063` or `42` | - |
-| `party_id` | - | - | `PARTY_ID` | Party Id of the signer, usually the `Pool Id` of the SPO | - | `pool1pxaqe80sqpde7902er5kf6v0c7y0sv6d5g676766v2h829fvs3x` | - | Mandatory in `Pool Id Declaration Mode`  where the owner is not verified (soon to be deprecated)
+| `party_id` | - | - | `PARTY_ID` | Party Id of the signer, usually the `Pool Id` of the SPO | - | `pool1pxaqe80sqpde7902er5kf6v0c7y0sv6d5g676766v2h829fvs3x` | - | Mandatory in `Pool Id Declaration Mode`  where the owner is not verified (decommissioned, only available when built with `allow_skip_signer_certification` feature, for test only)
 | `run_interval` | - | - | `RUN_INTERVAL` | Interval between two runtime cycles in ms | - | `60000` | :heavy_check_mark: |
 | `aggregator_endpoint` | - | - | `AGGREGATOR_ENDPOINT` | Aggregator node endpoint | - | `https://aggregator.pre-release-preview.api.mithril.network/aggregator` | :heavy_check_mark: |
 | `data_stores_directory` | - | - | `DATA_STORES_DIRECTORY` | Directory to store signer data (Stakes, Protocol initializers, ...) | - | `./mithril-signer/stores` | :heavy_check_mark: |

docs/root/manual/developer-docs/nodes/mithril-signer.md

@@ -35,10 +35,8 @@ For more information about the **Mithril Protocol**, please refer to the [About
 ## What you'll need
 
 * Operating a **Cardano Node** as a **Stake Pool**:
-  * **Stable**:
-    * The Cardano `Operational Certificate` file of the pool
-    * The Cardano `KES Secret Key` file of the pool
-  * **Deprecated**: The Cardano `Pool Id` in a `BECH32` format such as `pool1frevxe70aqw2ce58c0muyesnahl88nfjjsp25h85jwakzgd2g2l`
+  * The Cardano `Operational Certificate` file of the pool
+  * The Cardano `KES Secret Key` file of the pool
 
 * Access to the file system of a `relay` **Cardano Node** running on the `testnet`:
   * Read rights on the `Database` folder (`--database-path` setting of the **Cardano Node**)
@@ -54,30 +52,15 @@ For more information about the **Mithril Protocol**, please refer to the [About
 
 ## Mithril Keys Certification
 
-:::danger
-
-The cryptographic certification of the Mithril keys is an experimental feature. We strongly recommend that you first setup a Mithril Signer node in the stable mode. Once you are able to sign in the stable mode is a good time to start experimenting with the keys certification.
-
-Your feedback is very important, so feel free to contact us on the #moria channel on the IOG [Discord server](https://discord.gg/5kaErDKDRq), or to file an issue on GitHub.
-
-:::
 
-### Stable mode: Certify your Pool Id
+### Certify your Pool Id
 
-In this mode, you declare your Cardano `Operational Certificate` file and `KES Secret Key` file which allows to:
+You must declare your Cardano `Operational Certificate` file and `KES Secret Key` file which allows to:
 
 * Compute automatically the `PoolId`
 * Verify that you are the owner of the `PoolId`, and thus of the associated stakes used by Mithril protocol
 * Verify that you are the owner of the Mithril `Signer Secret Key`, and thus allowed to contribute to the multi-signatures and certificate production of the Mithril network
 
-This mode is displayed with a specific **Stable** mention in this document.
-
-### Deprecated mode: Declare your Pool Id
-
-In this mode, the Cardano `Pool Id` that you specify is not strictly verified. It is associated to Cardano stakes based on your declaration. This mode is deprecated and replaced by the certification mode above.
-
-This mode is presented in the setup of this document with a specific **Deprecated** mention.
-
 ## Building your own executable
 
 ### Download source
@@ -164,7 +147,7 @@ sudo mv mithril-signer /opt/mithril
 * `User=cardano`:
 Replace this value with the correct user. We assume that the user used to run the **Cardano Node** is `cardano`. The **Mithril Signer** must imperatively run with the same user.
 
-* **Stable mode**: in the `/opt/mithril/mithril-signer/service.env` env file:
+* In the `/opt/mithril/mithril-signer/service.env` env file:
   * `KES_SECRET_KEY_PATH=/cardano/keys/kes.skey`: replace `/cardano/keys/kes.skey` with the path to your Cardano `KES Secret Key` file
   * `OPERATIONAL_CERTIFICATE_PATH=/cardano/cert/opcert.cert`: replace `/cardano/cert/opcert.cert` with the path to your Cardano `Operational Certificate` file
   * `DB_DIRECTORY=/cardano/db`: replace `/cardano/db` with the path to the database folder of the **Cardano Node** (the one in `--database-path`)
@@ -173,20 +156,10 @@ Replace this value with the correct user. We assume that the user used to run th
   * `DATA_STORES_DIRECTORY=/opt/mithril/stores`: replace with the path to a folder where the **Mithril Signer** will store its data (`/opt/mithril/stores` e.g.)
   * `STORE_RETENTION_LIMIT`: if set, this will limit the number of records in some internal stores (5 is a good fit).
 
-* **Deprecated mode**: in the `/opt/mithril/mithril-signer/service.env` env file:
-  * `PARTY_ID=YOUR_POOL_ID_BECH32`: replace `YOUR_POOL_ID_BECH32` with your BECH32 `Pool Id`
-  * `DB_DIRECTORY=/cardano/db`: replace `/cardano/db` with the path to the database folder of the **Cardano Node** (the one in `--database-path`)
-  * `CARDANO_NODE_SOCKET_PATH=/cardano/ipc/node.socket`: replace with the path to the IPC file (`CARDANO_NODE_SOCKET_PATH` env var)
-  * `CARDANO_CLI_PATH=/app/bin/cardano-cli`: replace with the path to the `cardano-cli` executable
-  * `DATA_STORES_DIRECTORY=/opt/mithril/stores`: replace with the path to a folder where the **Mithril Signer** will store its data (`/opt/mithril/stores` e.g.)
-  * `STORE_RETENTION_LIMIT`: if set, this will limit the number of records in some internal stores (5 is a good fit).
-
 :::
 
 First create an env file that will be used by the service:
 
-* **Stable mode**:
-
 ```bash
 sudo bash -c 'cat > /opt/mithril/mithril-signer.env << EOF
 KES_SECRET_KEY_PATH=**YOUR_KES_SECRET_KEY_PATH**
@@ -202,22 +175,6 @@ STORE_RETENTION_LIMIT=5
 EOF'
 ```
 
-* **Deprecated mode**:
-
-```bash
-sudo bash -c 'cat > /opt/mithril/mithril-signer.env << EOF
-PARTY_ID=**YOUR_POOL_ID_BECH32**
-NETWORK=**YOUR_CARDANO_NETWORK**
-AGGREGATOR_ENDPOINT=**YOUR_AGGREGATOR_ENDPOINT**
-RUN_INTERVAL=60000
-DB_DIRECTORY=/cardano/db
-CARDANO_NODE_SOCKET_PATH=/cardano/ipc/node.socket
-CARDANO_CLI_PATH=/app/bin/cardano-cli
-DATA_STORES_DIRECTORY=/opt/mithril/stores
-STORE_RETENTION_LIMIT=5
-EOF'
-```
-
 Then we will create a `/etc/systemd/system/mithril-signer.service` description file for our service
 
 ```bash