Open
188 commits
335ce60
feat(tbtc/signer): mirror FROST/ROAST Rust signer from tBTC monorepo
mswilkison May 26, 2026
bfd7658
extraction: apply allowlisted-divergence transformations to signer sc…
mswilkison May 26, 2026
551bd42
ci(tbtc-signer): add formal verification workflow (moved from tbtc-v2)
mswilkison May 26, 2026
d1a1424
extraction: fix signer formal-verification CI (chmod + vector path)
mswilkison May 26, 2026
adb6f64
extraction: mirror p2tr-signature-fraud-v0 vector + fix test path
mswilkison May 26, 2026
220cff2
fix(tbtc-signer): harden signer validation and retries
mswilkison May 27, 2026
c12c593
ci(tbtc-signer): update tla tools checksum
mswilkison May 27, 2026
2e61c26
ci(tbtc-signer): add full rust checks
mswilkison May 27, 2026
2930091
fix(tbtc-signer): preserve cached build tx retries
mswilkison May 27, 2026
9cfcde6
fix(tbtc-signer): harden production defaults
mswilkison May 28, 2026
c1e72f5
fix(tbtc-signer): close hardening follow-ups
mswilkison May 28, 2026
506959d
Expose interactive FROST DKG signer ABI
mswilkison Jun 4, 2026
2e0a054
Support Taproot tweaked signer rounds
mswilkison Jun 5, 2026
3a259ec
Support seeded tbtc-signer DKG
mswilkison Jun 5, 2026
4c9c654
Reuse signer rounds across member identifiers
mswilkison Jun 5, 2026
8f5aec7
Harden Taproot signer aggregation
mswilkison Jun 6, 2026
a62cb26
Preserve legacy signer round fingerprints
mswilkison Jun 6, 2026
797417f
Clarify signer exported key boundary
mswilkison Jun 6, 2026
e5b4f16
Stabilize signer round reuse fingerprints
mswilkison Jun 6, 2026
815ea72
Classify malformed DKG seeds as validation errors
mswilkison Jun 6, 2026
64d9d64
Assert signer round retry idempotency
mswilkison Jun 6, 2026
2380c8c
Support Taproot tweaked signer rounds (#4018)
mswilkison Jun 6, 2026
4f775b9
Document interactive FROST nonce contract
mswilkison Jun 6, 2026
57461c3
Zeroize interactive FROST secret buffers
mswilkison Jun 6, 2026
6179a3f
Merge signer mirror updates into interactive FROST ABI
mswilkison Jun 6, 2026
abdae01
Expose interactive FROST DKG signer ABI (#4011)
mswilkison Jun 6, 2026
997ee1b
Pin concrete coordinator vector in order-independence test
mswilkison Jun 10, 2026
ac2d5e8
test(tbtc/signer): pin concrete coordinator vector in order-independe…
mswilkison Jun 11, 2026
299d79e
hardening(tbtc/signer): bind full transcript into round nonces, gate …
mswilkison Jun 11, 2026
80c3db8
unify(tbtc/signer): adopt RFC-21 Annex A coordinator-seed derivation …
mswilkison Jun 11, 2026
5b46db6
deps(tbtc/signer): move frost-secp256k1-tr off the release-candidate …
mswilkison Jun 11, 2026
686ef84
test(tbtc/signer): replay the 600-case cross-language coordinator-shu…
mswilkison Jun 11, 2026
710e59a
fix(tbtc/signer): seed the coordinator shuffle from the padded raw me…
mswilkison Jun 11, 2026
0b1f4db
docs(tbtc/signer): pin v2 nonce-seed encoding invariants in a comment
mswilkison Jun 11, 2026
8afe502
fix(tbtc/signer): bind full PublicKeyPackage into round-nonce seed (v3)
mswilkison Jun 11, 2026
fadbb3c
test(tbtc/signer): replay expanded corpus; document port coverage limits
mswilkison Jun 11, 2026
c5b0176
deps(tbtc/signer): move frost-secp256k1-tr off the rc pin to =3.0.0 f…
mswilkison Jun 11, 2026
f3f0ac4
test(tbtc/signer): replay the 600-case cross-language coordinator-shu…
mswilkison Jun 11, 2026
15a7a3e
unify(tbtc/signer): adopt RFC-21 Annex A coordinator-seed derivation …
mswilkison Jun 11, 2026
d47f009
hardening(tbtc/signer): bind full transcript into round nonces; gate …
mswilkison Jun 11, 2026
99e157c
refactor(tbtc/signer): split 18k-line engine.rs into focused engine/ …
mswilkison Jun 12, 2026
9b41d45
docs(tbtc/signer): review follow-ups for the engine split
mswilkison Jun 12, 2026
97e3bb5
refactor(tbtc/signer): split 18k-line engine.rs into focused engine/ …
mswilkison Jun 12, 2026
71083e7
feat(tbtc/signer): install TBTC_SIGNER_* knobs via init-time FFI config
mswilkison Jun 12, 2026
9226be1
fix(tbtc/signer): validate init config privately before publishing it
mswilkison Jun 12, 2026
5fdb096
fix(tbtc/signer): validate key-provider settings at config init
mswilkison Jun 12, 2026
7beceec
fix(tbtc/signer): validate the provenance gate at config init
mswilkison Jun 12, 2026
f77154b
feat(tbtc/signer): install TBTC_SIGNER_* knobs via init-time FFI conf…
mswilkison Jun 12, 2026
1d83147
docs(tbtc/signer): pin frost dependency audit status; attestation cad…
mswilkison Jun 12, 2026
484c377
docs(tbtc/signer): pin frost dependency audit status; attestation cad…
mswilkison Jun 12, 2026
153b14b
docs(tbtc/signer): record 2026-06-12 architecture decisions in gates doc
mswilkison Jun 12, 2026
54b041e
docs(tbtc/signer): commit the transitional deterministic path for del…
mswilkison Jun 12, 2026
6b74e5d
docs(tbtc/signer): correct the evidence-retention status in the decis…
mswilkison Jun 12, 2026
ee80aef
docs(tbtc/signer): record 2026-06-12 architecture decisions in gates …
mswilkison Jun 12, 2026
82a5ad6
docs(tbtc/signer): record the init-config fatality decision
mswilkison Jun 12, 2026
afde959
docs(tbtc/signer): scope the config-path variable to the service unit
mswilkison Jun 12, 2026
00fc651
docs(tbtc/signer): record the init-config fatality decision (#4048)
mswilkison Jun 12, 2026
36c6f5f
docs(tbtc/signer): Phase 7 interactive-session spec freeze
mswilkison Jun 12, 2026
73dc594
docs(tbtc/signer): close review findings in the Phase 7 spec
mswilkison Jun 12, 2026
5b05e20
docs(tbtc/signer): freeze the Phase 7 spec; record section-10 decisions
mswilkison Jun 12, 2026
5d65712
docs(tbtc/signer): Phase 7 interactive-session spec freeze (#4049)
mswilkison Jun 12, 2026
cde0946
docs(tbtc/signer): Phase 7.0 sidecar transport addendum
mswilkison Jun 12, 2026
769f9d7
feat(tbtc/signer): Phase 7.1 hardened interactive signing session
mswilkison Jun 12, 2026
90cb7c3
fix(tbtc/signer): free interactive session state on completion and re…
mswilkison Jun 12, 2026
36055a3
fix(tbtc/signer): declare the Phase 7.1 interactive FFI in the C header
mswilkison Jun 12, 2026
fb6f33d
fix(tbtc/signer): close firewall bypass, attempt-id casing, abort sweep
mswilkison Jun 13, 2026
03fb6d6
fix(tbtc/signer): apply session lifecycle and quarantine gates on int…
mswilkison Jun 13, 2026
0d739a5
fix(tbtc/signer): re-evaluate signing gates at the Round2 share release
mswilkison Jun 13, 2026
edf7952
fix(tbtc/signer): bound interactive session registry and validate thr…
mswilkison Jun 13, 2026
e45b975
docs(tbtc/signer): scope the sidecar secret-boundary claim to signing
mswilkison Jun 13, 2026
289df95
fix(tbtc/signer): resolve interactive key material from DKG state, no…
mswilkison Jun 13, 2026
4940a9c
fix(tbtc/signer): quarantine the full Round2 subset; reject phantom i…
mswilkison Jun 13, 2026
e4a8734
feat(tbtc/signer): Phase 7.1 hardened interactive signing session (#4…
mswilkison Jun 13, 2026
472dfa6
docs(tbtc/signer): Phase 7.0 sidecar transport addendum (#4050)
mswilkison Jun 13, 2026
f3ab6b5
feat(tbtc/signer): Phase 7.2a InteractiveAggregate with attributable …
mswilkison Jun 13, 2026
24f4eb2
fix(tbtc/signer): defer attributable aggregate blame until inputs are…
mswilkison Jun 13, 2026
312e106
docs(tbtc/signer): align aggregate FFI/API contract with fail-closed …
mswilkison Jun 13, 2026
f5a08a6
fix(tbtc/signer): sweep expired interactive state in InteractiveAggre…
mswilkison Jun 13, 2026
f96a54c
feat(tbtc/signer): Phase 7.2a InteractiveAggregate (tweaked, self-ver…
mswilkison Jun 13, 2026
33f673c
test(tbtc/signer): make the test lock poison-resilient and env hermetic
mswilkison Jun 13, 2026
d474a4f
fix(tbtc/signer): iterate env with vars_os in the test baseline reset
mswilkison Jun 13, 2026
a7c1c33
test(tbtc/signer): poison-resilient test lock + hermetic env baseline…
mswilkison Jun 13, 2026
a9a08c4
docs(tbtc/signer): Phase 7.2b design note - package envelopes + bound…
mswilkison Jun 13, 2026
53b23b4
docs(tbtc/signer): Phase 7.2b open-questions discussion doc for revie…
mswilkison Jun 13, 2026
479b58b
docs(tbtc/signer): resolve 7.2b open questions per Gemini+Codex review
mswilkison Jun 13, 2026
22bfa04
docs(tbtc/signer): fold in Codex re-review P1s + review-consistency f…
mswilkison Jun 13, 2026
4b1bf46
docs(tbtc/signer): pin AllCheaters aggregate + clear stale refs (review)
mswilkison Jun 13, 2026
1546239
docs(tbtc/signer): elected-coordinator + retain-on-reject + tweak-awa…
mswilkison Jun 13, 2026
50bdbac
docs(tbtc/signer): §3 wording — retain on receipt, not on signing
mswilkison Jun 13, 2026
7f78618
docs(tbtc/signer): context-bound share auth + group key in verify-share
mswilkison Jun 13, 2026
94eba3b
docs(tbtc/signer): verify-share selector + durable key source
mswilkison Jun 13, 2026
2b87a25
docs(tbtc/signer): record Phase 7.2b sign-off + durable-retention con…
mswilkison Jun 13, 2026
b74f209
feat(tbtc/signer): Phase 7.2b-1 InteractiveAggregate completion marker
mswilkison Jun 13, 2026
131c642
fix(tbtc/signer): make InteractiveAggregate idempotent (Codex P2)
mswilkison Jun 13, 2026
87b579c
docs(tbtc/signer): Phase 7.2b §6 idempotent aggregate re-emission
mswilkison Jun 13, 2026
c50ac59
fix(tbtc/signer): return persisted signature on aggregate race (Codex…
mswilkison Jun 13, 2026
e2e7fb2
docs(tbtc/signer): resolve Phase 7.2b doc review nits (Codex/Gemini P3)
mswilkison Jun 13, 2026
8bca31e
fix(tbtc/signer): validate completion record against request on re-em…
mswilkison Jun 13, 2026
d115781
docs(tbtc/signer): §6 validate aggregate re-emission against the request
mswilkison Jun 13, 2026
77a16a2
fix(tbtc/signer): reject empty attempt_id in InteractiveAggregate (Co…
mswilkison Jun 13, 2026
a07e8dc
docs(tbtc/signer): drop second stale pending-sign-off note (Codex P3)
mswilkison Jun 13, 2026
2e062ff
refactor(tbtc/signer): simplify 7.2b-1 to completion marker + reject
mswilkison Jun 13, 2026
3d690bb
docs(tbtc/signer): revert 7.2b-1 design to completion marker + reject
mswilkison Jun 13, 2026
9d0accf
docs(tbtc/signer): Phase 7.2b design note — package envelopes + bound…
mswilkison Jun 14, 2026
d57237d
feat(tbtc/signer): Phase 7.2b-1 InteractiveAggregate completion marke…
mswilkison Jun 14, 2026
2d0a37a
feat(tbtc/signer): Phase 7.2b-3 candidate-culprit detection in Intera…
mswilkison Jun 15, 2026
16b0483
fix(tbtc/signer): redact secret material in persisted-struct Debug
piotr-roslaniec Jun 15, 2026
e8e2498
fix(tbtc/signer): stop reflecting raw panic payloads across FFI in pr…
piotr-roslaniec Jun 15, 2026
3d4ddc3
fix(tbtc/signer): canonicalize interactive message_hex casing for ide…
piotr-roslaniec Jun 15, 2026
ad04c42
fix(tbtc/signer): count interactive abort success only on real aborts
piotr-roslaniec Jun 15, 2026
54d0958
refactor(tbtc/signer): assert (not re-test) the differing-attempt inv…
piotr-roslaniec Jun 15, 2026
8cc3071
fix(tbtc/signer): omit absent script_tree_hex in BuildTaprootTxRequest
piotr-roslaniec Jun 15, 2026
13a1e0f
docs(tbtc/signer): fix stale key_package_hex comment in open fingerprint
piotr-roslaniec Jun 15, 2026
fa26cc3
docs(tbtc/signer): document Phase 7 interactive signing endpoints in …
piotr-roslaniec Jun 15, 2026
4867b25
fix(tbtc/signer): use parseable placeholder for sample override trust…
piotr-roslaniec Jun 15, 2026
cbb9d58
docs(tbtc/signer): repoint mirrored doc paths to keep-core layout
piotr-roslaniec Jun 15, 2026
e34291d
docs(tbtc/signer): correct spec-freeze section 4 to match the shipped…
piotr-roslaniec Jun 15, 2026
8d7d661
ci(tbtc/signer): add blocking cargo-deny advisory gate
piotr-roslaniec Jun 15, 2026
bd73bad
test(tbtc/signer): fix env-race flake in interactive FFI roundtrip test
piotr-roslaniec Jun 15, 2026
dde5e79
fix(tbtc/signer): harden admission override replay registry
piotr-roslaniec Jun 15, 2026
65a678e
docs(tbtc/signer): frame the domain tag in roast phase 0 attempt-id f…
piotr-roslaniec Jun 15, 2026
5123dc3
test(tbtc/signer): pin int31n_fast rejection branch against Go math/rand
piotr-roslaniec Jun 15, 2026
ea29834
docs(tbtc/signer): mark TEE/rollout TLA models as planned, not shipped
piotr-roslaniec Jun 15, 2026
3524089
docs(tbtc/signer): clarify crate is unconsumed; add activation re-rev…
piotr-roslaniec Jun 15, 2026
b8407f6
fixup(tbtc/signer): align candidate culprits to u16 member ids + mult…
mswilkison Jun 15, 2026
023b058
Phase 7.2b-3: candidate-culprit detection in InteractiveAggregate (#4…
mswilkison Jun 15, 2026
b8b84dc
docs(tbtc/signer): record D1 exclusion-trust assumption at the activa…
piotr-roslaniec Jun 15, 2026
b0677c3
feat(tbtc/signer): Phase 7.2b-4 engine verify_signature_share FFI (ba…
mswilkison Jun 15, 2026
de93bc4
Fold #4068 review: header prototype + in-band Indeterminate for bad t…
mswilkison Jun 15, 2026
7332303
Fold #4068 review: sweep expired interactive state in verify_signatur…
mswilkison Jun 15, 2026
6af4d14
Fold #4068 review: judge share bytes only after membership context is…
mswilkison Jun 15, 2026
0e6f358
Fold #4068 review: require package membership before blaming malforme…
mswilkison Jun 16, 2026
129830d
Phase 7.2b-4: engine verify_signature_share FFI (backs Go Round2Share…
mswilkison Jun 16, 2026
43b649d
Phase 7.2b-4: tweaked-root (script-path) verify_signature_share equiv…
mswilkison Jun 16, 2026
2bd81fa
Phase 7.2b-4: tweaked-root verify_signature_share equivalence test (#…
mswilkison Jun 16, 2026
d12909a
frost(7.3): engine-side DeriveInteractiveAttemptContext helper
mswilkison Jun 17, 2026
7ad5fa5
frost(7.3): declare derive helper in the C header + clarify threshold…
mswilkison Jun 17, 2026
f87fc77
frost(7.3): reject zero threshold in the derive helper (Codex re-review)
mswilkison Jun 17, 2026
0fdea53
frost(7.3): mirror session-open front-door checks in the derive helper
mswilkison Jun 17, 2026
9fd9845
Phase 7.3: engine-side DeriveInteractiveAttemptContext helper (#4077)
mswilkison Jun 17, 2026
e9075ac
feat(tbtc/signer): member-key interactive signing state for multi-sea…
mswilkison Jun 20, 2026
2684dde
fix(tbtc/signer): refuse Round2 for an already-aggregated attempt (re…
mswilkison Jun 20, 2026
797aa71
fix(tbtc/signer): bind the interactive completion marker to the messa…
mswilkison Jun 20, 2026
6b2e2d0
fix(tbtc/signer): honor legacy bare aggregate completion markers (re-…
mswilkison Jun 20, 2026
73fabaf
fix(tbtc/signer): bind the taproot root into the completion marker (r…
mswilkison Jun 20, 2026
49fdcbc
fix(tbtc/signer): free finalized non-signing siblings on aggregate (r…
mswilkison Jun 20, 2026
d857577
fix(tbtc/signer): bind the aggregate-cleanup filter to the message to…
mswilkison Jun 20, 2026
ca6ee3b
feat(tbtc/signer): member-key interactive signing state for multi-sea…
mswilkison Jun 20, 2026
13a8103
test(tbtc/signer): multi-seat capacity new-vs-replacement + abort-by-…
mswilkison Jun 20, 2026
83b7bff
test(tbtc/signer): multi-seat capacity new-vs-replacement + abort-by-…
mswilkison Jun 21, 2026
25e4f27
feat(tbtc/signer): export a structured FFI contract version (frost_tb…
mswilkison Jun 22, 2026
6e3718b
fix(tbtc/signer): declare frost_tbtc_abi_version in the public C header
mswilkison Jun 22, 2026
d7d96bf
feat(tbtc/signer): export a structured FFI contract version (frost_tb…
mswilkison Jun 22, 2026
cbc5e37
fix(tbtc/signer): validate incoming attempt context before clearing a…
mswilkison Jun 26, 2026
3b481ad
fix(tbtc/signer): fail closed on unknown profile and degenerate signi…
mswilkison Jun 26, 2026
588cc4b
ci(tbtc/signer): pin cargo dependency resolution with --locked
mswilkison Jun 26, 2026
921b009
fix(tbtc/signer): validate incoming attempt context before clearing a…
mswilkison Jun 26, 2026
95ecec4
fix(tbtc/signer): fail closed on unknown profile and degenerate signi…
mswilkison Jun 26, 2026
b548ac4
ci(tbtc/signer): pin cargo dependency resolution with --locked (#4113)
mswilkison Jun 26, 2026
4b40a5a
perf(tbtc/signer): resolve state-encryption key off-lock, deferring t…
mswilkison Jun 26, 2026
77488ee
fix(tbtc/signer): resolve the state key under the ENGINE_STATE guard,…
mswilkison Jun 27, 2026
a1232c7
fix(tbtc/signer): resolve the state-encryption key under the ENGINE_S…
mswilkison Jun 27, 2026
501dffb
fix(signer): defer sign-round clear + persist before idempotent serve
mswilkison Jun 28, 2026
f0ae82f
fix(signer): clear sign-round persist marker on any successful persist
mswilkison Jun 28, 2026
396a80e
fix(signer): scope sign-round persist-pending marker per session
mswilkison Jun 28, 2026
4587081
fix(signer): defer sign-round clear + persist before idempotent serve…
mswilkison Jun 28, 2026
af1cc10
fix(tbtc/signer): gate plaintext state, zeroize FFI buffers, allow pe…
mswilkison Jun 30, 2026
ede5c9e
feat(tbtc/signer): enforce signing-policy firewall in production with…
mswilkison Jun 30, 2026
6d2a4df
fix(tbtc/signer): address self-review findings on the review-fix PR
mswilkison Jun 30, 2026
816be16
docs(tbtc/signer): document firewall production force-on + built-in d…
mswilkison Jun 30, 2026
8d873e7
feat(tbtc/signer): enforce signing-policy firewall in production with…
mswilkison Jun 30, 2026
07238e6
fix(tbtc/signer): gate plaintext rollback-path tests to debug builds
mswilkison Jun 30, 2026
cba4cd1
fix(tbtc/signer): wire plaintext rollback opt-in through init config
mswilkison Jun 30, 2026
39bed8b
fix(tbtc/signer): backfill legacy refresh fingerprint before overwriting
mswilkison Jun 30, 2026
c46adba
fix(tbtc/signer): preserve total refresh count across history pruning
mswilkison Jun 30, 2026
3efa362
fix(tbtc/signer): backfill refresh_count from history on legacy state…
mswilkison Jun 30, 2026
b32f515
fix(tbtc/signer): harden signer FFI (secret fields, panic hook, quara…
mswilkison Jun 30, 2026
6f92479
fix(tbtc/signer): synthesize refresh fingerprint record for legacy em…
mswilkison Jun 30, 2026
4899108
fix(tbtc/signer): canonicalize StartSignRound message hex + seed benc…
mswilkison Jul 1, 2026
98f58e1
fix(tbtc/signer): preserve legacy mixed-case message fingerprints
mswilkison Jul 1, 2026
3cd2de1
fix(tbtc/signer): preserve legacy refresh fingerprint without a cache…
mswilkison Jul 1, 2026
01e274b
fix(tbtc/signer): gate plaintext state, zeroize FFI buffers, allow pe…
mswilkison Jul 1, 2026
f9cf110
fix(electrum): refresh fulcrum integration endpoint
mswilkison Jul 1, 2026
59823fe
ci(tbtc/signer): pin workflow actions to commit SHAs; disable checkou…
mswilkison Jul 1, 2026
13b04ec
hardening(signer): fail closed on stateless nonce primitives in produ…
mswilkison Jul 1, 2026
3010172
ci(tbtc/signer): make Setup Rust toolchain explicit (toolchain: stable)
mswilkison Jul 2, 2026
911f3b6
ci(tbtc/signer): pin workflow actions to commit SHAs; disable checkou…
mswilkison Jul 2, 2026
3730815
hardening(signer): fail closed on stateless nonce primitives under th…
mswilkison Jul 2, 2026
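--- a/.github/workflows/tbtc-signer-formal.yml
+++ b/.github/workflows/tbtc-signer-formal.yml
@@ -0,0 +1,116 @@
+name: tBTC Signer Formal Verification
+
+on:
+pull_request:
+paths:
+- pkg/tbtc/signer/**
+- .github/workflows/tbtc-signer-formal.yml
+schedule:
+- cron: "23 5 * * *"
+workflow_dispatch:
+
+permissions:
+contents: read
+
+concurrency:
+group: tbtc-signer-formal-${{ github.ref }}
+cancel-in-progress: true
+
+jobs:
+signer-rust-checks:
+name: Signer Rust checks
+runs-on: ubuntu-latest
+timeout-minutes: 30
+steps:
+- name: Checkout
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
+
+- name: Setup Rust
+uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
+with:
+# Name the toolchain explicitly so it is self-documenting and
+# independent of the pinned action's default. (This action version
+# already defaults `toolchain` to `stable`; older versions instead
+# derived it from the action ref, which would resolve to the SHA
+# under this supply-chain pin -- so being explicit is the safe form.)
+toolchain: stable
+components: rustfmt, clippy
+
+- name: Check formatting
+run: cargo fmt --manifest-path pkg/tbtc/signer/Cargo.toml -- --check
+
+- name: Run clippy
+run: cargo clippy --locked --manifest-path pkg/tbtc/signer/Cargo.toml --all-targets -- -D warnings
+
+- name: Run signer tests
+env:
+TBTC_SIGNER_STATE_PATH: /tmp/tbtc-signer-ci-state-${{ github.run_id }}-${{ github.run_attempt }}.json
+run: cargo test --locked --manifest-path pkg/tbtc/signer/Cargo.toml
+
+signer-dependency-audit:
+name: Signer dependency audit
+runs-on: ubuntu-latest
+timeout-minutes: 15
+steps:
+- name: Checkout
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
+
+- name: Check RustSec advisories
+# Blocking gate: a newly-published advisory against any locked
+# dependency fails the build. Accepted/unfixable advisories are
+# recorded with rationale in pkg/tbtc/signer/deny.toml.
+uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
+with:
+manifest-path: pkg/tbtc/signer/Cargo.toml
+command: check advisories
+
+signer-formal-invariants:
+name: Signer formal invariants
+runs-on: ubuntu-latest
+timeout-minutes: 30
+steps:
+- name: Checkout
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
+
+- name: Setup Rust
+uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
+with:
+# Explicit toolchain, independent of the pinned action's default
+# (see the Setup Rust step above).
+toolchain: stable
+
+- name: Run signer formal invariant tests
+# Filters cargo test by the formal_verification_ prefix so only
+# the formal-invariant test cases run (faster + clearer signal
+# than the full suite). Matches the convention used in the
+# source monorepo's ci-formal-verification.yml.
+run: cargo test --locked --manifest-path pkg/tbtc/signer/Cargo.toml formal_verification_
+
+tla-model-checks:
+name: TLA model checks
+runs-on: ubuntu-latest
+timeout-minutes: 20
+steps:
+- name: Checkout
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
+
+- name: Setup Java
+uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
+with:
+distribution: temurin
+java-version: "17"
+
+- name: Run TLA model checks
+# Iterates over every .cfg under pkg/tbtc/signer/docs/formal/models/
+# and runs TLC against the matching .tla module. MODELS_PATH defaults
+# to the canonical signer-relative path; override via env var for
+# alternate environments (set in extraction/frost-signer-mirror PR).
+run: pkg/tbtc/signer/scripts/formal/run_tla_models.sh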
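Review bot: `toolchain: stable` in both Setup Rust steps leaves the compiler and clippy as the one unpinned input in a workflow that otherwise pins every action to a commit SHA and runs cargo with `--locked`. A new stable release then changes what builds and lints the signer (and what `-D warnings` rejects) with no change in the repository. Consider an exact version, `toolchain: <PINNED_RUST_VERSION>`, or a checked-in rust-toolchain file, bumped deliberately. Separately, the `signer-formal-invariants` job runs `cargo test` without the `TBTC_SIGNER_STATE_PATH` override that `signer-rust-checks` sets; if any `formal_verification_` test touches signer state (not visible here), the same `env:` entry belongs on that step.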
39 changes: 37 additions & 2 deletions pkg/bitcoin/electrum/electrum_integration_test.go
Expand Up @@ -66,7 +66,7 @@ var testConfigs = map[string]testConfig{
},
"fulcrum tcp": {
clientConfig: electrum.Config{
URL: "tcp://v22019051929289916.bestsrv.de:50001",
URL: "tcp://blackie.c3-soft.com:57005",
RequestTimeout: requestTimeout * 2,
RequestRetryTimeout: requestRetryTimeout * 2,
},
Expand Down Expand Up @@ -138,7 +138,7 @@ func init() {

func TestConnect_Integration(t *testing.T) {
runParallel(t, func(t *testing.T, testConfig testConfig) {
_, cancelCtx := newTestConnection(t, testConfig.clientConfig)
_, cancelCtx := newRequiredTestConnection(t, testConfig.clientConfig)
defer cancelCtx()
})
}
Expand Down Expand Up @@ -592,9 +592,32 @@ func runParallel(t *testing.T, runFunc func(t *testing.T, testConfig testConfig)
}

func newTestConnection(t *testing.T, config electrum.Config) (bitcoin.Chain, context.CancelFunc) {
t.Helper()

return connectTestConnection(t, config, true)
}

func newRequiredTestConnection(t *testing.T, config electrum.Config) (bitcoin.Chain, context.CancelFunc) {
t.Helper()

return connectTestConnection(t, config, false)
}

func connectTestConnection(
t *testing.T,
config electrum.Config,
skipTransientConnectionError bool,
) (bitcoin.Chain, context.CancelFunc) {
t.Helper()

ctx, cancelCtx := context.WithCancel(context.Background())
electrum, err := electrum.Connect(ctx, config)
if err != nil {
cancelCtx()
if skipTransientConnectionError && shouldSkipElectrumIntegrationError(err) {
t.Skipf("skipping due to transient electrum connection error: %v", err)
}

t.Fatal(err)
}

Expand Down Expand Up @@ -703,3 +726,15 @@ func toJson(val interface{}) string {

return string(b)
}

func shouldSkipElectrumIntegrationError(err error) bool {
if err == nil {
return false
}

msg := err.Error()

return strings.Contains(msg, "request timeout") ||
strings.Contains(msg, "retry timeout") ||
strings.Contains(msg, "enough information")
}
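--- a/pkg/tbtc/signer/.gitignore
+++ b/pkg/tbtc/signer/.gitignore
@@ -0,0 +1 @@
+target/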