feat(validator): return signed block commitment from SignBlock #2204
Merged. Mirko-von-Leipzig merged 4 commits into the base branch on Jun 5, 2026.
To diagnose block-1 `InvalidSignature` rejections, the block producer needs to distinguish a block-hash mismatch (validator and block producer derive a different commitment from the same proposed block) from a key/algorithm problem. The `SignBlock` RPC now returns a `SignBlockResponse` carrying both the signature and the commitment the validator actually signed. The block producer compares that commitment against its own locally built `header.commitment()` and fails with a distinct `BuildBlockError::BlockCommitmentMismatch` (naming both commitments) before the signature check, so the two failure modes are disambiguated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bobbinth (Contributor) approved these changes, Jun 4, 2026:

Looks good! Thank you! (I reviewed non-test code)
Why

Block 1 is being rejected by the block producer with `InvalidSignature` (`signature.verify(header.commitment(), header.validator_key())`). #2203 rules out the validator-key mismatch. The remaining unverified suspect is that the validator and the block producer derive a different block commitment from the same `ProposedBlock` (e.g. an architecture-dependent difference - the validator runs on ARM, dev/CI on amd64), so the signature is valid for the validator's commitment but not the producer's.

Today the `SignBlock` response carries only the signature, so the producer cannot tell a commitment mismatch from a key/algorithm problem. This PR has the validator return the commitment it actually signed, and the block producer compares it against its own. It is a deliberately small, easily revertible diagnostic, separate from #2203.

What

- `SignBlockResponse { BlockSignature signature; primitives.Digest block_commitment; }`, and `SignBlock` now returns it. `BlockSignature` is left unchanged (it is also embedded in the persisted `SignedBlock`, where the commitment would be redundant with the header), so the existing conversions are untouched.
- `bin/validator/src/server/sign_block.rs`: returns `(Signature, Word)`; the signed commitment is captured from the validated header before it is moved into the persistence step.
- `crates/block-producer/src/validator/mod.rs`: `sign_block` returns `(Signature, Word)`.
- `crates/block-producer/src/block_builder/mod.rs`: before the signature check, compares the validator's signed commitment against the locally built `header.commitment()` and returns the new `BuildBlockError::BlockCommitmentMismatch { validator, block_producer }` on divergence. This cleanly separates the cases: commitment mismatch -> `BlockCommitmentMismatch`; commitment matches but verify fails -> key/algorithm problem (`InvalidSignature`).

A hard error (not `assert!`/panic) is used, matching the existing `InvalidSignature` style: on a real mismatch the signature check would fail anyway, so the explicit error is strictly more informative without crashing the process.

Tests

- `sign_block_returns_signed_commitment` (validator server suite) asserts the response carries the commitment of the block the validator signed and that it matches the commitment derived from the same proposed block.

Verification

- `cargo build -p miden-node-proto -p miden-validator -p miden-node-block-producer` (regenerates proto).
- `cargo test -p miden-validator --lib`: 14 passed, 1 ignored.
- `cargo clippy --locked -p miden-node-proto -p miden-validator -p miden-node-block-producer --all-targets --all-features -- -D warnings`: clean.

(Note: `mempool::tests::add_transaction_traces_are_correct` is flaky under parallel runs - passes in isolation - and is unrelated to this change.)

🤖 Generated with Claude Code
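Added illustration, not code from miden-node or from this PR: a self-contained Rust sketch of the check ordering the description gives (compare the validator's returned commitment with the locally built `header.commitment()` first, then verify the signature), placed next to the pre-PR behaviour in which both failures surface as `InvalidSignature`. `Word`, `Signature`, the simulated `verify`, `accept_legacy`, `accept_signed_block` and `validator_response` are stand-ins constructed here; the project's real types, signature scheme and error enum are not reproduced.

```rust
// Added illustration (not miden-node code): the check ordering the PR describes.
// `Word`, `Signature`, the simulated verifier and the error variants are constructed here.

/// Stand-in for the commitment type (`Word` / `primitives.Digest` in the PR).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Word(pub [u64; 4]);

/// Stand-in for `BlockSignature`. It records what was signed and with which key so
/// that `verify` can be simulated without a cryptographic library (assumption).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Signature {
    pub signed_over: Word,
    pub key_id: u32,
}

/// Same shape as the new `SignBlockResponse` in the PR.
#[derive(Clone, Debug)]
pub struct SignBlockResponse {
    pub signature: Signature,
    pub block_commitment: Word,
}

/// The two failure modes the PR separates.
#[derive(Debug, PartialEq, Eq)]
pub enum BuildBlockError {
    BlockCommitmentMismatch { validator: Word, block_producer: Word },
    InvalidSignature,
}

/// Simulated `signature.verify(commitment, key)`: true only when the signature was
/// made over exactly this commitment with the expected key.
fn verify(sig: &Signature, commitment: &Word, expected_key_id: u32) -> bool {
    sig.signed_over == *commitment && sig.key_id == expected_key_id
}

/// Pre-PR behaviour: only the signature check, so every failure is `InvalidSignature`.
pub fn accept_legacy(
    local_commitment: Word,
    validator_key_id: u32,
    signature: &Signature,
) -> Result<(), BuildBlockError> {
    if verify(signature, &local_commitment, validator_key_id) {
        Ok(())
    } else {
        Err(BuildBlockError::InvalidSignature)
    }
}

/// Post-PR behaviour: compare commitments first, then verify the signature.
pub fn accept_signed_block(
    local_commitment: Word,
    validator_key_id: u32,
    resp: &SignBlockResponse,
) -> Result<(), BuildBlockError> {
    if resp.block_commitment != local_commitment {
        return Err(BuildBlockError::BlockCommitmentMismatch {
            validator: resp.block_commitment,
            block_producer: local_commitment,
        });
    }
    accept_legacy(local_commitment, validator_key_id, &resp.signature)
}

/// Builds a validator response for a given commitment and key (constructed input).
pub fn validator_response(commitment: Word, key_id: u32) -> SignBlockResponse {
    SignBlockResponse {
        signature: Signature { signed_over: commitment, key_id },
        block_commitment: commitment,
    }
}

fn main() {
    let local = Word([1, 2, 3, 4]);
    let key = 7;

    // Case 1: validator agrees on the commitment and signs with the right key.
    println!("{:?}", accept_signed_block(local, key, &validator_response(local, key)));

    // Case 2: validator derived a different commitment and signed that one.
    // The legacy path can only say InvalidSignature; the new path names both commitments.
    let diverged = validator_response(Word([1, 2, 3, 5]), key);
    println!("{:?}", accept_legacy(local, key, &diverged.signature));
    println!("{:?}", accept_signed_block(local, key, &diverged));

    // Case 3: commitments match but the key differs: a genuine key/algorithm problem.
    println!("{:?}", accept_signed_block(local, key, &validator_response(local, 8)));
}
```

The point of the ordering is visible in case 2: a signature that is perfectly valid over the validator's own commitment fails the producer's verification, and without the returned commitment that is indistinguishable from a wrong key or algorithm.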