Permit validator voting across an airgap #3985
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 task
cratelyn
added
C-enhancement
|
Nit: the docs at https://guide.penumbra.zone/main/pcli/governance.html#voting-as-a-validator should be updated to reflect this change. Also, when we do land this, please squash-merge so that it's cherry-pickable. Important as we move toward stable testnets! |
Thanks for the nit @conorsch :)
plaidfinch
added a commit
that referenced
this pull request
Mar 12, 2024
author plaidfinch <finch@plaidfinch.net> 1710279332 -0400 committer finch <finch@plaidfinch.net> 1710280707 -0400 Permit validator voting across an airgap (#3985) This addresses the first changeset described in #3813, permitting validator definitions and votes to be signed separately and those signatures to be broadcast from a potentially-unrelated penumbra account. This is a breaking change to the CLI for all workflows that use the `validator vote` subcommand, because it redefines that command to `validator vote cast` in order to make room for `validator vote sign`. It is purely a client-side change, and as such is not consensus-breaking. - [X] If this code contains consensus-breaking changes, I have added the "consensus-breaking" label. Delete unused import Make formatting a bit nicer, set validator vote sign to offline Allow initializing a separate governance subkey Add a validator command to emit the governance key Use the governance subkey correctly when present, in SoftKMS mode Use the governance key, if configured, in the validator template Fix mistake where the governance key was overzealously used It should only be used to sign *votes*, not *definitions*! Fix bug loading wrong config file path in dkg deal for governance keys
plaidfinch
added a commit
that referenced
this pull request
Mar 12, 2024
author plaidfinch <finch@plaidfinch.net> 1710279332 -0400 committer finch <finch@plaidfinch.net> 1710280707 -0400 Permit validator voting across an airgap (#3985) This addresses the first changeset described in #3813, permitting validator definitions and votes to be signed separately and those signatures to be broadcast from a potentially-unrelated penumbra account. This is a breaking change to the CLI for all workflows that use the `validator vote` subcommand, because it redefines that command to `validator vote cast` in order to make room for `validator vote sign`. It is purely a client-side change, and as such is not consensus-breaking. - [X] If this code contains consensus-breaking changes, I have added the "consensus-breaking" label. Delete unused import Make formatting a bit nicer, set validator vote sign to offline Allow initializing a separate governance subkey Add a validator command to emit the governance key Use the governance subkey correctly when present, in SoftKMS mode Use the governance key, if configured, in the validator template Fix mistake where the governance key was overzealously used It should only be used to sign *votes*, not *definitions*! Fix bug loading wrong config file path in dkg deal for governance keys
plaidfinch
added a commit
that referenced
this pull request
Mar 13, 2024
author plaidfinch <finch@plaidfinch.net> 1710279332 -0400 committer finch <finch@plaidfinch.net> 1710280707 -0400 Permit validator voting across an airgap (#3985) This addresses the first changeset described in #3813, permitting validator definitions and votes to be signed separately and those signatures to be broadcast from a potentially-unrelated penumbra account. This is a breaking change to the CLI for all workflows that use the `validator vote` subcommand, because it redefines that command to `validator vote cast` in order to make room for `validator vote sign`. It is purely a client-side change, and as such is not consensus-breaking. - [X] If this code contains consensus-breaking changes, I have added the "consensus-breaking" label. Delete unused import Make formatting a bit nicer, set validator vote sign to offline Allow initializing a separate governance subkey Add a validator command to emit the governance key Use the governance subkey correctly when present, in SoftKMS mode Use the governance key, if configured, in the validator template Fix mistake where the governance key was overzealously used It should only be used to sign *votes*, not *definitions*! Fix bug loading wrong config file path in dkg deal for governance keys
plaidfinch
added a commit
that referenced
this pull request
Mar 15, 2024
## Describe your changes These changes are meant to be stacked on top of #3985, which implements the first set of three change sets defined in #3813. The changes in this PR separate out a distinct governance subkey, which can be initialized after main initialization in `pcli` by using `pcli init validator-governance-subkey {soft-kms, threshold}`. This command will edit in place the existing configuration file to add a section describing the custody of a separate governance key, which may be custodied differently than the main key. These changes support soft-kms and threshold custody for governance key. The generated distinct governance key will then, after initialization, be used instead of the key implied by the spend key, when signing and casting validator votes. Subsequently, when generating a validator definition template, this key is the one inserted into the template, and it can be fetched directly using the `pcli validator governance-key` command. Being merely client-side, this set of changes does not break consensus. ## Issue ticket number and link #3813 ## Checklist before requesting a review - [X] If this code contains consensus-breaking changes, I have added the "consensus-breaking" label.
Closed
14 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Describe your changes
This addresses the first changeset described in #3813, permitting validator definitions and votes to be signed separately and those signatures to be broadcast from a potentially-unrelated penumbra account.
This is a breaking change to the CLI for all workflows that use the
validator votesubcommand, because it redefines that command tovalidator vote castin order to make room forvalidator vote sign. It is purely a client-side change, and as such is not consensus-breaking.Issue ticket number and link
#3813
Checklist before requesting a review