From f519d73a29669f5fa1fa402b39c8126111351104 Mon Sep 17 00:00:00 2001
From: anhthii
Date: Tue, 9 Dec 2025 12:52:59 +0700
Subject: [PATCH 1/3] Update cI
---
 .github/workflows/ci.yml | 30 ++++++++++++++++++++++++------
 go.mod | 4 +---
 2 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d090edb..4575baa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,7 +7,7 @@ on:
 branches: ["*"]
 env:
- GO_VERSION: "1.24"
+ GO_VERSION: "1.25.5"
 jobs:
 test:
@@ -101,8 +101,17 @@ jobs:
 fi
 continue-on-error: true
+ - name: Clean SARIF file (remove duplicate tags)
+ if: always()
+ run: |
+ # Remove duplicate tags from SARIF rules to fix validation errors
+ jq '(.runs[]?.tool.driver.rules[]?.properties.tags) |= unique' \
+ govulncheck-results.sarif > govulncheck-results-clean.sarif
+ mv govulncheck-results-clean.sarif govulncheck-results.sarif
+ echo "✅ Cleaned govulncheck SARIF file"
+
 - name: Upload govulncheck results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@v4
 if: always()
 with:
 sarif_file: govulncheck-results.sarif
@@ -116,8 +125,17 @@ jobs:
 gosec -fmt sarif -out gosec-results.sarif -exclude G304 ./...
 continue-on-error: true
+ - name: Clean gosec SARIF file (remove duplicate tags)
+ if: always()
+ run: |
+ # Remove duplicate tags from SARIF rules to fix validation errors
+ jq '(.runs[]?.tool.driver.rules[]?.properties.tags) |= unique' \
+ gosec-results.sarif > gosec-results-clean.sarif
+ mv gosec-results-clean.sarif gosec-results.sarif
+ echo "✅ Cleaned gosec SARIF file"
+
 - name: Upload gosec results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@v4
 if: always()
 with:
 sarif_file: gosec-results.sarif
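Review bot: The new "Clean SARIF file" step in the govulncheck hunk runs with `if: always()` but has neither a `continue-on-error` nor a check that `govulncheck-results.sarif` exists, so a scanner run that leaves no file (the scanner step itself is `continue-on-error: true`) now fails the job at jq instead of staying best-effort. A one-line guard at the top of the script keeps the behaviour of the surrounding steps: `[ -s govulncheck-results.sarif ] || { echo "no SARIF produced, skipping"; exit 0; }`. The gosec hunk below has the same shape and needs the same guard for `gosec-results.sarif`. Separately, the bumped `github/codeql-action/*@v4` references are mutable tags; pinning them to a commit SHA with the tag in a trailing comment is the usual supply-chain hardening for third-party actions that handle scan results.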
@@ -151,7 +169,7 @@ jobs:
 run: go mod download
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
 languages: ${{ matrix.language }}
 queries: +security-and-quality
@@ -162,7 +180,7 @@ jobs:
 go build -v ./cmd/mpcium-cli
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
 with:
 category: "/language:${{matrix.language}}"
@@ -237,7 +255,7 @@ jobs:
 continue-on-error: true
 - name: Upload Grype results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@v4
 if: always()
 with:
 sarif_file: grype-results.sarif
diff --git a/go.mod b/go.mod
index 098e353..3e305f5 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,6 @@
 module github.com/fystack/mpcium
-go 1.23.8
-
-toolchain go1.24.7
+go 1.25.5
 require (
 filippo.io/age v1.2.1
From 47991fec164c1928c10660947a8bb55a83284d2b Mon Sep 17 00:00:00 2001
From: anhthii
Date: Tue, 9 Dec 2025 12:54:58 +0700
Subject: [PATCH 2/3] Udpate chain code instruction
---
 INSTALLATION.md | 35 +++++++++++++++++++++++++----
 README.md | 17 +++++--------
 config.prod.yaml.template | 9 +++++++-
 config.yaml.template | 7 ++++++
 deployments/systemd/setup-config.sh | 21 +++++++++++++++++
 e2e/config.test.yaml.template | 3 +++
 6 files changed, 76 insertions(+), 16 deletions(-)
diff --git a/INSTALLATION.md b/INSTALLATION.md
index 212a458..f41d0cf 100644
--- a/INSTALLATION.md
+++ b/INSTALLATION.md
@@ -56,20 +56,47 @@ Detailed steps can be found in [SETUP.md](SETUP.md).
 ---
-## chain_code setup (required)
+## chain_code setup (REQUIRED)
-Generate one 32-byte hex chain code and set it in all configs:
+### What is chain_code?
+
+The `chain_code` is a cryptographic parameter used for Hierarchical Deterministic (HD) wallet functionality. It enables mpcium to derive child keys from a parent key, allowing you to generate multiple wallet addresses from a single master key.
+
+**Important Requirements:**
+- **All nodes in your MPC cluster MUST use the identical chain_code value**
+- Must be a 32-byte value represented as a 64-character hexadecimal string
+- Should be generated once and stored securely
+- Without a valid chain_code, mpcium nodes will fail to start
+
+### How to generate and configure
+
+Generate one 32-byte hex chain code and set it in all node configurations:
 ```bash
-cd /home/carmy/Documents/works/mpcium
+# Navigate to your mpcium directory
+cd /path/to/mpcium
+
+# Generate a random 32-byte chain code and save it
 CC=$(openssl rand -hex 32) && echo "$CC" > .chain_code
+
+# Apply to main config
 sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" config.yaml
+
+# Apply to all node configs
 for n in node0 node1 node2; do
 sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" "$n/config.yaml"
 done
+
+# Verify it was set correctly
 echo "Chain code configured: $CC"
+```
+
+**Example config.yaml entry:**
+```yaml
+chain_code: "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
 ```
-Start nodes normally (no env export needed):
+Start nodes normally:
 ```bash
 cd node0 && mpcium start -n node0
diff --git a/README.md b/README.md
index 5a27ea6..5fa615b 100644
--- a/README.md
+++ b/README.md
@@ -133,17 +133,12 @@ The application uses a YAML configuration file (`config.yaml`) with the followin
 - `event_initiator_pubkey`: Public key of the event initiator
 - `max_concurrent_keygen`: Maximum concurrent key generation operations
-#### chain_code (required)
-- Mpcium derives child keys using a master chain code.
-- Provide a single 32-byte hex value in `config.yaml` under `chain_code`, and use the same value for all nodes.
-- Example to generate once and set:
-```bash
-CC=$(openssl rand -hex 32)
-sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" config.yaml
-for n in node0 node1 node2; do
- sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" "$n/config.yaml"
-done
-```
+#### chain_code (REQUIRED)
+- **Required** for Hierarchical Deterministic (HD) wallet functionality to derive child keys
+- Must be a 32-byte hexadecimal string (64 characters)
+- **All nodes MUST use the exact same chain_code value**
+- Generate with: `openssl rand -hex 32`
+- See [INSTALLATION.md](./INSTALLATION.md#chain_code-setup-required) for detailed setup instructions
 ## Installation
diff --git a/config.prod.yaml.template b/config.prod.yaml.template
index e91f9e9..0f406d4 100644
--- a/config.prod.yaml.template
+++ b/config.prod.yaml.template
@@ -17,7 +17,14 @@ mpc_threshold: 1
 environment: production # Set to production for production environment
 backup_enabled: true
 event_initiator_pubkey: ""
-event_initiator_algorithm: ed25519 # ed25519 or p256
+event_initiator_algorithm: ed25519 # ed25519 or p256
+
+# Chain Code for HD Wallet Child Key Derivation (REQUIRED)
+# This is used for hierarchical deterministic (HD) wallet functionality to derive child keys.
+# All nodes in the MPC cluster MUST use the same chain_code value.
+# Generate once with: openssl rand -hex 32
+# Store securely and use the same value across all nodes
+chain_code: ""
 backup_period_seconds: 300 # Seconds
 backup_dir: backups
 max_concurrent_keygen: 2
diff --git a/config.yaml.template b/config.yaml.template
index d9f6e60..f99bcc8 100644
--- a/config.yaml.template
+++ b/config.yaml.template
@@ -8,6 +8,13 @@ environment: development
 badger_password: "F))ysJp?E]ol&I;^"
 event_initiator_algorithm: "ed25519" # or "ed25519", default: ed25519
 event_initiator_pubkey: "event_initiator_pubkey"
+
+# Chain Code for HD Wallet Child Key Derivation (REQUIRED)
+# This is used for hierarchical deterministic (HD) wallet functionality to derive child keys.
+# All nodes in the MPC cluster MUST use the same chain_code value.
+# Generate once with: openssl rand -hex 32
+# Example: chain_code: "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
+chain_code: ""
 db_path: "."
 backup_enabled: true
 backup_period_seconds: 300 # 5 minutes
diff --git a/deployments/systemd/setup-config.sh b/deployments/systemd/setup-config.sh
index 30041f5..2e6415e 100755
--- a/deployments/systemd/setup-config.sh
+++ b/deployments/systemd/setup-config.sh
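Review bot: The `# Example: chain_code: "a1b2c3d4…a1b2"` comment in the config.yaml.template hunk is a well-formed 64-character hex value, and the check this series adds to `deployments/systemd/setup-config.sh` only verifies length and hex characters, so an operator who pastes the example into `chain_code:` passes validation with a non-random, publicly documented chain code shared by every copy of the template. Replace it with a placeholder that cannot be pasted as-is, e.g. `# Example: chain_code: "<64 hex characters produced by: openssl rand -hex 32>"`, or drop the example and keep only the generate command, as the production template in this same series does.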
@@ -418,6 +418,27 @@ validate_config_credentials() {
 else
 log_info "✓ event_initiator_pubkey configured"
 fi
+ # Check for required chain_code
+ if ! grep -q "^chain_code:" "$config_file" || grep -q "^chain_code: *$" "$config_file" || grep -q '^chain_code: ""' "$config_file"; then
+ log_error "❌ chain_code not configured in config.yaml"
+ log_error " Generate with: openssl rand -hex 32"
+ log_error " All nodes MUST use the same chain_code value"
+ ((errors++))
+ else
+ # Validate chain_code is 64 hex characters (32 bytes)
+ local chain_code=$(grep "^chain_code:" "$config_file" | sed 's/chain_code: *//g' | sed 's/"//g' | sed "s/'//g" | sed 's/#.*//g' | sed 's/ *$//g')
+ if [[ ${#chain_code} -ne 64 ]]; then
+ log_error "❌ chain_code must be 64 hex characters (32 bytes), got ${#chain_code} characters"
+ log_error " Generate with: openssl rand -hex 32"
+ ((errors++))
+ elif ! [[ "$chain_code" =~ ^[0-9a-fA-F]{64}$ ]]; then
+ log_error "❌ chain_code must be hexadecimal (0-9, a-f), got invalid characters"
+ ((errors++))
+ else
+ log_info "✓ chain_code configured (${#chain_code} hex chars)"
+ fi
+ fi
 # Check for NATS configuration
 local nats_url=$(grep -A 10 "^nats:" "$config_file" | grep "url:" | sed 's/.*url: *//g' | sed 's/"//g' | sed "s/'//g" | sed 's/#.*//g' | sed 's/ *$//g')
diff --git a/e2e/config.test.yaml.template b/e2e/config.test.yaml.template
index dfe434a..910ae6c 100644
--- a/e2e/config.test.yaml.template
+++ b/e2e/config.test.yaml.template
@@ -11,4 +11,7 @@ nats:
 max_concurrent_keygen: 1
 max_concurrent_signing: 10
 session_warm_up_delay_ms: 500
+
+# Chain Code for HD Wallet Child Key Derivation (REQUIRED)
+# All nodes MUST use the same chain_code value
 chain_code: "{{.CKDChainCode}}"
From f353bb5d5138a6cf12a90d2382800ad2725009f3 Mon Sep 17 00:00:00 2001
From: anhthii
Date: Tue, 9 Dec 2025 14:03:57 +0700
Subject: [PATCH 3/3] Update go version
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
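Review bot: The "not configured" condition on the first added `if` line recognises a missing key, a blank value and `""`, but not `''`, even though the extraction pipeline below strips single quotes as well; a `chain_code: ''` entry therefore lands in the else branch and is reported as "must be 64 hex characters (32 bytes), got 0 characters" instead of "chain_code not configured". Adding `|| grep -q "^chain_code: *''" "$config_file"` to that condition keeps the two branches consistent. The error text `(0-9, a-f)` also disagrees with the regex `^[0-9a-fA-F]{64}$`, which accepts uppercase; either tighten the regex to lowercase (what `openssl rand -hex` emits) or say `0-9, a-f, A-F` in the message. Note that this check can only confirm the format on one node; the documented requirement that every node carry the same value is not verified here, which is worth stating in the `# Check for required chain_code` comment. validate_config_credentials starts before the hunk.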
diff --git a/go.mod b/go.mod
index 3e305f5..cf8dc21 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/fystack/mpcium
-go 1.25.5
+go 1.25.0
 require (
 filippo.io/age v1.2.1