Merge branch 'develop' into test/scenario

Author: moodmosaic

.github/workflows/ci.yml

@@ -94,6 +94,7 @@ jobs:
     needs:
       - rustfmt
       - check-release
+    secrets: inherit 
     uses: ./.github/workflows/github-release.yml
     with:
       node_tag: ${{ needs.check-release.outputs.node_tag }}

.github/workflows/clarity-js-sdk-pr.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Build the binaries
         id: build
         run: |
-          cargo build
+          cargo build --bin stacks-inspect
       - name: Dump constants JSON
         id: consts-dump
         run: cargo run --bin stacks-inspect -- dump-consts | tee out.json

.github/workflows/core-build-tests.yml

@@ -38,9 +38,9 @@ concurrency:
 run-name: ${{ inputs.node_tag || inputs.signer_tag }}
 
 jobs:
-  ## This job's sole purpose is trigger a secondary approval outside of the matrix jobs below. 
+  ## This job's sole purpose is trigger a secondary approval outside of the matrix jobs below.
   ##   - If this job isn't approved to run, then the subsequent jobs will also not run - for this reason, we always exit 0
-  ##   - `andon-cord` requires the repo environment "Build Release", which will trigger a secondary approval step before running this workflow.  
+  ##   - `andon-cord` requires the repo environment "Build Release", which will trigger a secondary approval step before running this workflow.
   andon-cord:
     if: |
       inputs.node_tag != '' ||
@@ -65,6 +65,9 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - andon-cord
+    permissions:
+      id-token: write
+      attestations: write
     strategy:
       ## Run a maximum of 10 builds concurrently, using the matrix defined in inputs.arch
       max-parallel: 10
@@ -135,6 +138,10 @@ jobs:
       inputs.signer_tag != ''
     name: Docker Image (Binary)
     runs-on: ubuntu-latest
+    environment: "Push to Docker"
+    permissions:
+      id-token: write
+      attestations: write
     needs:
       - andon-cord
       - build-binaries
@@ -164,7 +171,6 @@ jobs:
   ## Create the downstream PR for the release branch to master,develop
   create-pr:
     if: |
-      !contains(github.ref, '-rc') &&
       (
         inputs.node_tag != '' ||
         inputs.signer_tag != ''

.github/workflows/github-release.yml

@@ -23,6 +23,9 @@ jobs:
     runs-on: ubuntu-latest
     ## Requires the repo environment "Push to Docker", which will trigger a secondary approval step before running this workflow.
     environment: "Push to Docker"
+    permissions:
+      id-token: write
+      attestations: write
     steps:
       ## Setup Docker for the builds
       - name: Docker setup
@@ -68,3 +71,22 @@ jobs:
             GIT_COMMIT=${{ env.GITHUB_SHA_SHORT }}
             TARGET_CPU=x86-64-v3
           push: ${{ env.DOCKER_PUSH }}
+
+      ## Generate docker image attestation(s)
+      - name: Generate artifact attestation (${{ github.event.repository.name }})
+        id: attest_primary
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        with:
+          subject-name: |
+            index.docker.io/${{env.docker-org}}/${{ github.event.repository.name }}
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: true
+
+      - name: Generate artifact attestation (stacks-blockchain)
+        id: attest_secondary
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        with:
+          subject-name: |
+            index.docker.io/${{env.docker-org}}/stacks-blockchain
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: true

.github/workflows/image-build-source.yml

@@ -192,8 +192,14 @@ pub enum SignerEvent<T: SignerEventTrait> {
     /// The `Vec<T>` will contain any signer messages made by the miner.
     MinerMessages(Vec<T>),
     /// The signer messages for other signers and miners to observe
-    /// The u32 is the signer set to which the message belongs (either 0 or 1)
-    SignerMessages(u32, Vec<T>),
+    SignerMessages {
+        /// The signer set to which the message belongs (either 0 or 1)
+        signer_set: u32,
+        /// Each message of type `T` is paired with the `StacksPublicKey` of the slot from which it was retreived
+        messages: Vec<(StacksPublicKey, T)>,
+        /// the time at which this event was received by the signer's event processor
+        received_time: SystemTime,
+    },
     /// A new block proposal validation response from the node
     BlockValidationResponse(BlockValidateResponse),
     /// Status endpoint request
@@ -518,6 +524,7 @@ impl<T: SignerEventTrait> TryFrom<StackerDBChunksEvent> for SignerEvent<T> {
     type Error = EventError;
 
     fn try_from(event: StackerDBChunksEvent) -> Result<Self, Self::Error> {
+        let received_time = SystemTime::now();
         let signer_event = if event.contract_id.name.as_str() == MINERS_NAME
             && event.contract_id.is_boot()
         {
@@ -536,12 +543,21 @@ impl<T: SignerEventTrait> TryFrom<StackerDBChunksEvent> for SignerEvent<T> {
                 return Err(EventError::UnrecognizedStackerDBContract(event.contract_id));
             };
             // signer-XXX-YYY boot contract
-            let signer_messages: Vec<T> = event
+            let messages: Vec<(StacksPublicKey, T)> = event
                 .modified_slots
                 .iter()
-                .filter_map(|chunk| read_next::<T, _>(&mut &chunk.data[..]).ok())
+                .filter_map(|chunk| {
+                    Some((
+                        chunk.recover_pk().ok()?,
+                        read_next::<T, _>(&mut &chunk.data[..]).ok()?,
+                    ))
+                })
                 .collect();
-            SignerEvent::SignerMessages(signer_set, signer_messages)
+            SignerEvent::SignerMessages {
+                signer_set,
+                messages,
+                received_time,
+            }
         } else {
             return Err(EventError::UnrecognizedStackerDBContract(event.contract_id));
         };

libsigner/src/events.rs

@@ -20,15 +20,15 @@ use std::fmt::Debug;
 use std::io::{Read, Write};
 use std::net::{SocketAddr, TcpStream, ToSocketAddrs};
 use std::sync::mpsc::{channel, Receiver, Sender};
-use std::time::Duration;
+use std::time::{Duration, SystemTime};
 use std::{mem, thread};
 
 use blockstack_lib::chainstate::nakamoto::signer_set::NakamotoSigners;
 use blockstack_lib::chainstate::nakamoto::{NakamotoBlock, NakamotoBlockHeader};
 use blockstack_lib::chainstate::stacks::boot::SIGNERS_NAME;
 use blockstack_lib::chainstate::stacks::events::StackerDBChunksEvent;
 use blockstack_lib::util_lib::boot::boot_code_id;
-use clarity::types::chainstate::{ConsensusHash, StacksBlockId, TrieHash};
+use clarity::types::chainstate::{ConsensusHash, StacksBlockId, StacksPublicKey, TrieHash};
 use clarity::util::hash::Sha512Trunc256Sum;
 use clarity::util::secp256k1::MessageSignature;
 use clarity::vm::types::QualifiedContractIdentifier;
@@ -142,6 +142,13 @@ fn test_simple_signer() {
         chunks.push(chunk_event);
     }
 
+    chunks.sort_by(|ev1, ev2| {
+        ev1.modified_slots[0]
+            .slot_id
+            .partial_cmp(&ev2.modified_slots[0].slot_id)
+            .unwrap()
+    });
+
     let thread_chunks = chunks.clone();
 
     // simulate a node that's trying to push data
@@ -177,23 +184,44 @@ fn test_simple_signer() {
     sleep_ms(5000);
     let accepted_events = running_signer.stop().unwrap();
 
-    chunks.sort_by(|ev1, ev2| {
-        ev1.modified_slots[0]
-            .slot_id
-            .partial_cmp(&ev2.modified_slots[0].slot_id)
-            .unwrap()
-    });
-
     let sent_events: Vec<SignerEvent<SignerMessage>> = chunks
         .iter()
         .map(|chunk| {
             let msg = chunk.modified_slots[0].data.clone();
+            let pubkey = chunk.modified_slots[0]
+                .recover_pk()
+                .expect("Faield to recover public key of slot");
             let signer_message = read_next::<SignerMessage, _>(&mut &msg[..]).unwrap();
-            SignerEvent::SignerMessages(0, vec![signer_message])
+            SignerEvent::SignerMessages {
+                signer_set: 0,
+                messages: vec![(pubkey, signer_message)],
+                received_time: SystemTime::now(),
+            }
         })
         .collect();
 
-    assert_eq!(sent_events, accepted_events);
+    for (sent_event, accepted_event) in sent_events.iter().zip(accepted_events.iter()) {
+        let SignerEvent::SignerMessages {
+            signer_set,
+            messages,
+            received_time,
+        } = sent_event
+        else {
+            panic!("BUG: should not have sent anything but a signer message");
+        };
+        let SignerEvent::SignerMessages {
+            signer_set: accepted_signer_set,
+            messages: accepted_messages,
+            received_time: accepted_time,
+        } = accepted_event
+        else {
+            panic!("BUG: should not have accepted anything but a signer message");
+        };
+
+        assert_eq!(signer_set, accepted_signer_set);
+        assert_eq!(messages, accepted_messages);
+        assert_ne!(received_time, accepted_time);
+    }
     mock_stacks_node.join().unwrap();
 }
 

libsigner/src/tests/mod.rs

@@ -24,6 +24,7 @@
 //! and the `SignerMessage` enum.
 
 use std::fmt::{Debug, Display};
+use std::hash::{Hash, Hasher};
 use std::io::{Read, Write};
 use std::marker::PhantomData;
 use std::net::{SocketAddr, TcpListener, TcpStream};
@@ -573,7 +574,7 @@ pub enum StateMachineUpdateContent {
 }
 
 /// Message for update the Signer State infos
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, Eq, Hash)]
 pub enum StateMachineUpdateMinerState {
     /// There is an active miner
     ActiveMiner {