-
Notifications
You must be signed in to change notification settings - Fork 308
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Only show Trusted Verified Build information #426
Conversation
…am authority or trusted signers
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
mappedBySigner[entry.signer] = entry; | ||
}); | ||
|
||
// Get the program authority's entry first, then the trusted signers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it make sense to get these already sorted from the API? Would make this easier to implement for other explorers
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's fair to ask explorers to sort the results because each one is responsible for deciding what "verified" means to them.
app/utils/verified-builds.tsx
Outdated
...osecInfo, | ||
message, | ||
signer: osecInfo?.signer || '', | ||
verification_status: VerificationStatus.Verified, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this always VerificationStatus.Verified or could it also not be verified? I think this would need to come from the osecInfo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great catch! Patched!
Verified Build information was susceptible to a "griefing" attack disclosed by security firm Accretion. The vulnerability stemmed from the fact that anyone could overwrite verified build information in the OSec API by providing a more recent verified build information. This allowed malicious actors to overwrite protocol's GitHub repo url in the OSec API.
This has now been patched by OtterSec. The fix requires that program developers write their verified build arguments on-chain using their program authority.
For previously verified programs, their verification information was uploaded by the OSec team. However, to update previously verified information, teams must deploy their verified build information onchain.
For teams using multisig program authorities, we've described a process to prepare this transaction using
solana-verify
v0.4.0
here: https://solana.com/developers/guides/advanced/verified-builds#how-to-verify-your-program-when-its-controlled-by-a-multisig-like-squads