Fix remote signing

packages/beacon-node/test/unit/network/fork.test.ts

@@ -18,20 +18,23 @@ function getForkConfig({
       seq: ForkSeq.phase0,
       epoch: phase0,
       version: Buffer.from([0, 0, 0, 0]),
+      prevVersion: Buffer.from([0, 0, 0, 0]),
       prevForkName: ForkName.phase0,
     },
     altair: {
       name: ForkName.altair,
       seq: ForkSeq.altair,
       epoch: altair,
       version: Buffer.from([0, 0, 0, 1]),
+      prevVersion: Buffer.from([0, 0, 0, 0]),
       prevForkName: ForkName.phase0,
     },
     bellatrix: {
       name: ForkName.bellatrix,
       seq: ForkSeq.bellatrix,
       epoch: bellatrix,
       version: Buffer.from([0, 0, 0, 2]),
+      prevVersion: Buffer.from([0, 0, 0, 1]),
       prevForkName: ForkName.altair,
     },
   };

packages/config/src/forkConfig/index.ts

@@ -12,20 +12,23 @@ export function createIForkConfig(config: IChainConfig): IForkConfig {
     epoch: GENESIS_EPOCH,
     version: config.GENESIS_FORK_VERSION,
     // Will never be used
+    prevVersion: config.GENESIS_FORK_VERSION,
     prevForkName: ForkName.phase0,
   };
   const altair = {
     name: ForkName.altair,
     seq: ForkSeq.altair,
     epoch: config.ALTAIR_FORK_EPOCH,
     version: config.ALTAIR_FORK_VERSION,
+    prevVersion: phase0.version,
     prevForkName: ForkName.phase0,
   };
   const bellatrix = {
     name: ForkName.bellatrix,
     seq: ForkSeq.bellatrix,
     epoch: config.BELLATRIX_FORK_EPOCH,
     version: config.BELLATRIX_FORK_VERSION,
+    prevVersion: altair.prevVersion,
     prevForkName: ForkName.altair,
   };
 

packages/config/src/forkConfig/types.ts

@@ -7,6 +7,7 @@ export interface IForkInfo {
   seq: ForkSeq;
   epoch: Epoch;
   version: Version;
+  prevVersion: Version;
   prevForkName: ForkName;
 }
 

packages/validator/src/services/validatorStore.ts

@@ -37,7 +37,7 @@ import {BitArray, fromHexString, toHexString} from "@chainsafe/ssz";
 import {routes} from "@lodestar/api";
 import {ISlashingProtection} from "../slashingProtection/index.js";
 import {PubkeyHex} from "../types.js";
-import {externalSignerPostSignature} from "../util/externalSignerClient.js";
+import {externalSignerPostSignature, Web3SignerForkInfo, SignableMessage} from "../util/externalSignerClient.js";
 import {Metrics} from "../metrics.js";
 import {IndicesService} from "./indices.js";
 import {DoppelgangerService} from "./doppelgangerService.js";
@@ -90,7 +90,8 @@ export class ValidatorStore {
     private readonly metrics: Metrics | null,
     initialSigners: Signer[],
     private readonly suggestedFeeRecipient: string,
-    private readonly gasLimit: number
+    private readonly gasLimit: number,
+    private readonly genesisValidatorRoot: Root
   ) {
     for (const signer of initialSigners) {
       this.addSigner(signer);
@@ -195,7 +196,19 @@ export class ValidatorStore {
       this.metrics?.slashingProtectionBlockError.inc();
       throw e;
     }
-    const signature = await this.getSignature(pubkey, signingRoot);
+
+    const signableMessage: SignableMessage = {
+      singablePayload: {
+        type: "BLOCK_V2",
+        data: {
+          version: this.config.getForkInfo(blindedOrFull.slot).name,
+          block: blindedOrFull,
+        },
+      },
+      forkInfo: this.getForkInfo(currentSlot),
+    };
+
+    const signature = await this.getSignature(pubkey, signingRoot, signableMessage);
 
     return {message: blindedOrFull, signature} as allForks.FullOrBlindedSignedBeaconBlock;
   }
@@ -205,7 +218,17 @@ export class ValidatorStore {
     const randaoDomain = this.config.getDomain(slot, DOMAIN_RANDAO);
     const randaoSigningRoot = computeSigningRoot(ssz.Epoch, epoch, randaoDomain);
 
-    return await this.getSignature(pubkey, randaoSigningRoot);
+    const signableMessage: SignableMessage = {
+      singablePayload: {
+        type: "RANDAO_REVEAL",
+        data: {
+          epoch,
+        },
+      },
+      forkInfo: this.getForkInfo(slot),
+    };
+
+    return await this.getSignature(pubkey, randaoSigningRoot, signableMessage);
   }
 
   async signAttestation(
@@ -239,10 +262,18 @@ export class ValidatorStore {
       throw e;
     }
 
+    const signableMessage: SignableMessage = {
+      singablePayload: {
+        type: "ATTESTATION",
+        data: attestationData,
+      },
+      forkInfo: this.getForkInfo(attestationData.slot),
+    };
+
     return {
       aggregationBits: BitArray.fromSingleBit(duty.committeeLength, duty.validatorCommitteeIndex),
       data: attestationData,
-      signature: await this.getSignature(duty.pubkey, signingRoot),
+      signature: await this.getSignature(duty.pubkey, signingRoot, signableMessage),
     };
   }
 
@@ -262,9 +293,17 @@ export class ValidatorStore {
     const domain = this.config.getDomain(duty.slot, DOMAIN_AGGREGATE_AND_PROOF);
     const signingRoot = computeSigningRoot(ssz.phase0.AggregateAndProof, aggregateAndProof, domain);
 
+    const signableMessage: SignableMessage = {
+      singablePayload: {
+        type: "AGGREGATE_AND_PROOF",
+        data: aggregateAndProof,
+      },
+      forkInfo: this.getForkInfo(aggregateAndProof.aggregate.data.slot),
+    };
+
     return {
       message: aggregateAndProof,
-      signature: await this.getSignature(duty.pubkey, signingRoot),
+      signature: await this.getSignature(duty.pubkey, signingRoot, signableMessage),
     };
   }
 
@@ -277,11 +316,22 @@ export class ValidatorStore {
     const domain = this.config.getDomain(slot, DOMAIN_SYNC_COMMITTEE);
     const signingRoot = computeSigningRoot(ssz.Root, beaconBlockRoot, domain);
 
+    const signableMessage: SignableMessage = {
+      singablePayload: {
+        type: "SYNC_COMMITTEE_MESSAGE",
+        data: {
+          beaconBlockRoot,
+          slot,
+        },
+      },
+      forkInfo: this.getForkInfo(slot),
+    };
+
     return {
       slot,
       validatorIndex,
       beaconBlockRoot,
-      signature: await this.getSignature(pubkey, signingRoot),
+      signature: await this.getSignature(pubkey, signingRoot, signableMessage),
     };
   }
 
@@ -299,17 +349,35 @@ export class ValidatorStore {
     const domain = this.config.getDomain(contribution.slot, DOMAIN_CONTRIBUTION_AND_PROOF);
     const signingRoot = computeSigningRoot(ssz.altair.ContributionAndProof, contributionAndProof, domain);
 
+    const signableMessage: SignableMessage = {
+      singablePayload: {
+        type: "SYNC_COMMITTEE_CONTRIBUTION_AND_PROOF",
+        data: contributionAndProof,
+      },
+      forkInfo: this.getForkInfo(contributionAndProof.contribution.slot),
+    };
+
     return {
       message: contributionAndProof,
-      signature: await this.getSignature(duty.pubkey, signingRoot),
+      signature: await this.getSignature(duty.pubkey, signingRoot, signableMessage),
     };
   }
 
   async signAttestationSelectionProof(pubkey: BLSPubkeyMaybeHex, slot: Slot): Promise<BLSSignature> {
     const domain = this.config.getDomain(slot, DOMAIN_SELECTION_PROOF);
     const signingRoot = computeSigningRoot(ssz.Slot, slot, domain);
 
-    return await this.getSignature(pubkey, signingRoot);
+    const signableMessage: SignableMessage = {
+      singablePayload: {
+        type: "AGGREGATION_SLOT",
+        data: {
+          slot: String(slot),
+        },
+      },
+      forkInfo: this.getForkInfo(slot),
+    };
+
+    return await this.getSignature(pubkey, signingRoot, signableMessage);
   }
 
   async signSyncCommitteeSelectionProof(
@@ -325,7 +393,18 @@ export class ValidatorStore {
 
     const signingRoot = computeSigningRoot(ssz.altair.SyncAggregatorSelectionData, signingData, domain);
 
-    return await this.getSignature(pubkey, signingRoot);
+    const singableRequest: SignableMessage = {
+      singablePayload: {
+        type: "SYNC_COMMITTEE_SELECTION_PROOF",
+        data: {
+          slot,
+          subcommitteeIndex: String(subcommitteeIndex),
+        },
+      },
+      forkInfo: this.getForkInfo(slot),
+    };
+
+    return await this.getSignature(pubkey, signingRoot, singableRequest);
   }
 
   async signVoluntaryExit(
@@ -338,9 +417,16 @@ export class ValidatorStore {
     const voluntaryExit: phase0.VoluntaryExit = {epoch: exitEpoch, validatorIndex};
     const signingRoot = computeSigningRoot(ssz.phase0.VoluntaryExit, voluntaryExit, domain);
 
+    const signableMessage: SignableMessage = {
+      singablePayload: {
+        type: "VOLUNTARY_EXIT",
+        data: voluntaryExit,
+      },
+    };
+
     return {
       message: voluntaryExit,
-      signature: await this.getSignature(pubkey, signingRoot),
+      signature: await this.getSignature(pubkey, signingRoot, signableMessage),
     };
   }
 
@@ -364,13 +450,23 @@ export class ValidatorStore {
     };
     const domain = computeDomain(DOMAIN_APPLICATION_BUILDER, this.config.GENESIS_FORK_VERSION, ZERO_HASH);
     const signingRoot = computeSigningRoot(ssz.bellatrix.ValidatorRegistrationV1, validatorRegistation, domain);
+    const signableMessage: SignableMessage = {
+      singablePayload: {
+        type: "VALIDATOR_REGISTRATION",
+        data: validatorRegistation,
+      },
+    };
     return {
       message: validatorRegistation,
-      signature: await this.getSignature(pubkey, signingRoot),
+      signature: await this.getSignature(pubkey, signingRoot, signableMessage),
     };
   }
 
-  private async getSignature(pubkey: BLSPubkeyMaybeHex, signingRoot: Uint8Array): Promise<BLSSignature> {
+  private async getSignature(
+    pubkey: BLSPubkeyMaybeHex,
+    signingRoot: Uint8Array,
+    signableMessage: SignableMessage
+  ): Promise<BLSSignature> {
     // TODO: Refactor indexing to not have to run toHexString() on the pubkey every time
     const pubkeyHex = typeof pubkey === "string" ? pubkey : toHexString(pubkey);
 
@@ -390,7 +486,12 @@ export class ValidatorStore {
       case SignerType.Remote: {
         const timer = this.metrics?.remoteSignTime.startTimer();
         try {
-          const signatureHex = await externalSignerPostSignature(signer.url, pubkeyHex, toHexString(signingRoot));
+          const signatureHex = await externalSignerPostSignature(
+            signer.url,
+            pubkeyHex,
+            toHexString(signingRoot),
+            signableMessage
+          );
           return fromHexString(signatureHex);
         } catch (e) {
           this.metrics?.remoteSignErrors.inc();
@@ -420,6 +521,18 @@ export class ValidatorStore {
       throw new Error(`Doppelganger state for key ${pubkeyHex} is not safe`);
     }
   }
+
+  private getForkInfo(slot: Slot): Web3SignerForkInfo {
+    const forkInfo = this.config.getForkInfo(slot);
+    return {
+      fork: {
+        previousVersion: forkInfo.prevVersion,
+        currentVersion: forkInfo.version,
+        epoch: forkInfo.epoch,
+      },
+      genesisValidatorRoot: this.genesisValidatorRoot,
+    };
+  }
 }
 
 function getSignerPubkeyHex(signer: Signer): PubkeyHex {