refactor!: Use hash to validate genesis block

[dima74]

Description

• Added genesis.hash config parameter and removed genesis.public_key
• Added genesis field (account id) to genesis.json. It will be authority of genesis transactions
• Genesis transactions will not be signed (actually signed by some random key pair and peers will ignore signatory for genesis transactions and instead check genesis block hash match)
• Replaced kagami genesis sign with kagami genesis prepare which converts genesis.json to genesis.scale (SignedBlock) and outputs genesis hash to stdout
• Genesis domain and account is now added to the World after receiving genesis block (since we now don't know genesis account id at startup but need to use authority of genesis block)

Todo:

• Fix docker-compose. Currently each peer generates genesis block independently, so its time and hash will be different

Deployment changes

1. Add genesis field to genesis.json (genesis account id)
2. Change kagami genesis sign invocation

Before:

kagami genesis sign genesis.json --public-key ... --private-key ... --out-file ...

After:

kagami genesis prepare ... --out-file ...

This will also output genesis hash

3. Provide genesis hash using GENESIS_HASH environment variable to irohad

Linked issue

Closes #4555

Benefits

Checklist

• I've read CONTRIBUTING.md
• I've used the standard signed-off commit format (or will squash just before merging)
• All applicable CI checks pass (or I promised to make them pass later)
• (optional) I've written unit tests for the code changes
• I replied to all comments after code review, marking all implemented changes with thumbs up

[github-actions]

@BAStos525

[Erigara]

So if we still have to use genesis account afaik what benefits do we gain by now also checking hash of genesis block?

[dima74]

So if we still have to use genesis account afaik what benefits do we gain by now also checking hash of genesis block?

As I see kagami genesis sign might be simplified a bit (no genesis key pair needed) if we figure out how to do it. But I don't know how genesis account id can be removed altogether since it is used in genesis.json instructions like Transfer

[mversic]

Suggested change

	Prepare(prepare::Args),
	Generate(generate::Args),
	Prepare(prepare::Args),
	Generate(generate::Args),

do we need both?

[mversic]

I don't like this. Transactions with incorrect signatures might creep into Iroha. I'd rather that you make another SignedTransactionCandidate in data_model::block which will have different implementation, i.e. it will not verify genesis signatures

[dima74]

I agree, but what to do with validate_transaction in executor? It will deserialize SignedTransaction at WASM side, so it will fail for genesis transaction if we keep validate signature during deserialization

One option I can think of is to make SignedTransaction validation #[cfg(not(target_family = "wasm"))]

[mversic]

One option I can think of is to make SignedTransaction validation #[cfg(not(target_family = "wasm"))]

I like this suggestion. Can we say that since data model entities are always provided by the host there is no need to validate them on the wasm side? If so, we can can open a ticket to generalize this approach to all entities, although it seems kinda hacky and I'm not sure if this won't bite us in the ass

[mversic]

Another possibility is to hardcode some public key as genesis and say that every Iroha deployment will have this as genesis account_id. In that case we can remove account from genesis.json. This is more or less how we had it except that kagami wouldn't have to receive private key but it already knows it's value. @Erigara @s8sato ?

[mversic]

let's discuss tomorrow on standup

[Erigara]

We can use the same multihash format but with identity code

[Erigara]

After discussion it was noted that we still want genesis to sign transaction/block in which case my proposal is not relevant.

[s8sato]

The complexity seems to come from trying to strip away the functionality of digital signatures while taking advantage of the transaction processing flow.
There might not have been any problem in the first place: if the privilege comes from block height 0, what is the actual harm even if the genesis account with the correct private key appears after genesis?

[mversic]

what is the actual harm even if the genesis account with the correct private key appears after genesis?

I like this point. Especially if someone has misconfigured the blockchain in genesis.json, for example they haven't transfered ownership

[s8sato]

Yeah, currently custom genesis can grant any privileges to any account. But they agreed anyway. They joined the network while being able to see that genesis block

[mversic]

I don't think we should care about this?

[mversic]

I think we can remove GENESIS_DOMAIN_ID check from this module. Also I think that we can remove this constant alltogether and with it the notion of "genesis" domain

[dima74]

There are checks like "not allowed to register account in genesis domain" in impl Execute for Register<Account>. Should we keep those checks?

[mversic]

I don't think we need to keep those checks. Because if we do, we have to track it in runtime which is complicated. Remove checks and open an issue to discuss

[s8sato]

I agree, after genesis there doesn't seem to be any particular harm in referring a domain named "genesis"

[mversic]

Suggested change

	"genesis": "ed01204164BF554923ECE1FD412D241036D863A6AE430476C898248B8237D77534CFC4@genesis"
	"account": "ed01204164BF554923ECE1FD412D241036D863A6AE430476C898248B8237D77534CFC4@genesis"

let's rename, it looks silly. Sorry, it was my initial suggestion

[mversic]

what was the reason you introduced genesis to all peers? is it because of the integration tests?
On the other hand, I would prefer keeping it as simple as possible because of external users

[mversic]

Suggested change

	genesis_hash: &HashOf<SignedBlock>,
	genesis_hash: HashOf<SignedBlock>,

it's a copy type

[mversic]

Suggested change

	fn genesis_account_and_domain(public_key: PublicKey) -> (Account, Domain) {
	let genesis_account_id =
	AccountId::new(iroha_genesis::GENESIS_DOMAIN_ID.clone(), public_key);
	let genesis_account = Account::new(genesis_account_id).into_account();
	let genesis_domain =
	Domain::new(iroha_genesis::GENESIS_DOMAIN_ID.clone()).build(&genesis_account.id);
	(genesis_account, genesis_domain)
	fn genesis_account_and_domain(public_key: PublicKey) -> (Account, Domain) {
	let genesis_account_id =
	AccountId::new(iroha_genesis::GENESIS_DOMAIN_ID.clone(), public_key);
	let genesis_account = Account::new(genesis_account_id).into_account();
	let genesis_domain =
	Domain::new(iroha_genesis::GENESIS_DOMAIN_ID.clone()).build(&genesis_account.id);
	(genesis_account, genesis_domain)

IMO we should take both from the genesis authority. And remove the GENESIS_DOMAIN_ID

[mversic]

why not just implement From<GenesisBlock> for SignedBlock

[mversic]

why do we need Encode now?

[mversic]

Just to bring attention for other reviewers. This is a bit contentious, but I think it's a good approach.

[mversic]

please put it after chain. Generated json file will look nicer

[dima74]

Discussed with @mversic and decided that currently it is not worth to implement #4555. Originally it was expected that it will simplify things, but looks like there is no good and clean implementation, so will keep current approach with genesis public and private key (note that genesis private key is used only in kagami)