GChild key derivation

.github/workflows/ci.yml

@@ -7,7 +7,7 @@ on:
     branches: ["*"]
 
 env:
-  GO_VERSION: "1.24"
+  GO_VERSION: "1.25.5"
 
 jobs:
   test:
@@ -101,8 +101,17 @@ jobs:
           fi
         continue-on-error: true
 
+      - name: Clean SARIF file (remove duplicate tags)
+        if: always()
+        run: |
+          # Remove duplicate tags from SARIF rules to fix validation errors
+          jq '(.runs[]?.tool.driver.rules[]?.properties.tags) |= unique' \
+            govulncheck-results.sarif > govulncheck-results-clean.sarif
+          mv govulncheck-results-clean.sarif govulncheck-results.sarif
+          echo "✅ Cleaned govulncheck SARIF file"
+
       - name: Upload govulncheck results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: govulncheck-results.sarif
@@ -116,8 +125,17 @@ jobs:
           gosec -fmt sarif -out gosec-results.sarif -exclude G304 ./...
         continue-on-error: true
 
+      - name: Clean gosec SARIF file (remove duplicate tags)
+        if: always()
+        run: |
+          # Remove duplicate tags from SARIF rules to fix validation errors
+          jq '(.runs[]?.tool.driver.rules[]?.properties.tags) |= unique' \
+            gosec-results.sarif > gosec-results-clean.sarif
+          mv gosec-results-clean.sarif gosec-results.sarif
+          echo "✅ Cleaned gosec SARIF file"
+
       - name: Upload gosec results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: gosec-results.sarif
@@ -151,7 +169,7 @@ jobs:
         run: go mod download
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
@@ -162,7 +180,7 @@ jobs:
           go build -v ./cmd/mpcium-cli
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{matrix.language}}"
 
@@ -237,7 +255,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload Grype results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: grype-results.sarif

INSTALLATION.md

@@ -56,20 +56,47 @@ Detailed steps can be found in [SETUP.md](SETUP.md).
 
 ---
 
-## chain_code setup (required)
+## chain_code setup (REQUIRED)
 
-Generate one 32-byte hex chain code and set it in all configs:
+### What is chain_code?
+
+The `chain_code` is a cryptographic parameter used for Hierarchical Deterministic (HD) wallet functionality. It enables mpcium to derive child keys from a parent key, allowing you to generate multiple wallet addresses from a single master key.
+
+**Important Requirements:**
+- **All nodes in your MPC cluster MUST use the identical chain_code value**
+- Must be a 32-byte value represented as a 64-character hexadecimal string
+- Should be generated once and stored securely
+- Without a valid chain_code, mpcium nodes will fail to start
+
+### How to generate and configure
+
+Generate one 32-byte hex chain code and set it in all node configurations:
 
 ```bash
-cd /home/carmy/Documents/works/mpcium
+# Navigate to your mpcium directory
+cd /path/to/mpcium
+
+# Generate a random 32-byte chain code and save it
 CC=$(openssl rand -hex 32) && echo "$CC" > .chain_code
+
+# Apply to main config
 sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" config.yaml
+
+# Apply to all node configs
 for n in node0 node1 node2; do
   sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" "$n/config.yaml"
 done
+
+# Verify it was set correctly
+echo "Chain code configured: $CC"
+```
+
+**Example config.yaml entry:**
+```yaml
+chain_code: "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
 ```
 
-Start nodes normally (no env export needed):
+Start nodes normally:
 
 ```bash
 cd node0 && mpcium start -n node0

README.md

@@ -133,17 +133,12 @@ The application uses a YAML configuration file (`config.yaml`) with the followin
 - `event_initiator_pubkey`: Public key of the event initiator
 - `max_concurrent_keygen`: Maximum concurrent key generation operations
 
-#### chain_code (required)
-- Mpcium derives child keys using a master chain code.
-- Provide a single 32-byte hex value in `config.yaml` under `chain_code`, and use the same value for all nodes.
-- Example to generate once and set:
-```bash
-CC=$(openssl rand -hex 32)
-sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" config.yaml
-for n in node0 node1 node2; do
-  sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" "$n/config.yaml"
-done
-```
+#### chain_code (REQUIRED)
+- **Required** for Hierarchical Deterministic (HD) wallet functionality to derive child keys
+- Must be a 32-byte hexadecimal string (64 characters)
+- **All nodes MUST use the exact same chain_code value**
+- Generate with: `openssl rand -hex 32`
+- See [INSTALLATION.md](./INSTALLATION.md#chain_code-setup-required) for detailed setup instructions
 
 ## Installation
 

config.prod.yaml.template

@@ -17,7 +17,14 @@ mpc_threshold: 1
 environment: production # Set to production for production environment
 backup_enabled: true
 event_initiator_pubkey: ""
-event_initiator_algorithm: ed25519 # ed25519 or p256 
+event_initiator_algorithm: ed25519 # ed25519 or p256
+
+# Chain Code for HD Wallet Child Key Derivation (REQUIRED)
+# This is used for hierarchical deterministic (HD) wallet functionality to derive child keys.
+# All nodes in the MPC cluster MUST use the same chain_code value.
+# Generate once with: openssl rand -hex 32
+# Store securely and use the same value across all nodes
+chain_code: "" 
 backup_period_seconds: 300 # Seconds
 backup_dir: backups
 max_concurrent_keygen: 2

config.yaml.template

@@ -8,6 +8,13 @@ environment: development
 badger_password: "F))ysJp?E]ol&I;^"
 event_initiator_algorithm: "ed25519"  # or "ed25519", default: ed25519
 event_initiator_pubkey: "event_initiator_pubkey"
+
+# Chain Code for HD Wallet Child Key Derivation (REQUIRED)
+# This is used for hierarchical deterministic (HD) wallet functionality to derive child keys.
+# All nodes in the MPC cluster MUST use the same chain_code value.
+# Generate once with: openssl rand -hex 32
+# Example: chain_code: "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
+chain_code: ""
 db_path: "."  
 backup_enabled: true
 backup_period_seconds: 300 # 5 minutes

deployments/systemd/setup-config.sh

@@ -418,6 +418,27 @@ validate_config_credentials() {
     else
         log_info "✓ event_initiator_pubkey configured"
     fi
+
+    # Check for required chain_code
+    if ! grep -q "^chain_code:" "$config_file" || grep -q "^chain_code: *$" "$config_file" || grep -q '^chain_code: ""' "$config_file"; then
+        log_error "❌ chain_code not configured in config.yaml"
+        log_error "   Generate with: openssl rand -hex 32"
+        log_error "   All nodes MUST use the same chain_code value"
+        ((errors++))
+    else
+        # Validate chain_code is 64 hex characters (32 bytes)
+        local chain_code=$(grep "^chain_code:" "$config_file" | sed 's/chain_code: *//g' | sed 's/"//g' | sed "s/'//g" | sed 's/#.*//g' | sed 's/ *$//g')
+        if [[ ${#chain_code} -ne 64 ]]; then
+            log_error "❌ chain_code must be 64 hex characters (32 bytes), got ${#chain_code} characters"
+            log_error "   Generate with: openssl rand -hex 32"
+            ((errors++))
+        elif ! [[ "$chain_code" =~ ^[0-9a-fA-F]{64}$ ]]; then
+            log_error "❌ chain_code must be hexadecimal (0-9, a-f), got invalid characters"
+            ((errors++))
+        else
+            log_info "✓ chain_code configured (${#chain_code} hex chars)"
+        fi
+    fi
 
     # Check for NATS configuration
     local nats_url=$(grep -A 10 "^nats:" "$config_file" | grep "url:" | sed 's/.*url: *//g' | sed 's/"//g' | sed "s/'//g" | sed 's/#.*//g' | sed 's/ *$//g')

e2e/config.test.yaml.template

@@ -11,4 +11,7 @@ nats:
 max_concurrent_keygen: 1
 max_concurrent_signing: 10
 session_warm_up_delay_ms: 500
+
+# Chain Code for HD Wallet Child Key Derivation (REQUIRED)
+# All nodes MUST use the same chain_code value
 chain_code: "{{.CKDChainCode}}"

go.mod

@@ -1,8 +1,6 @@
 module github.com/fystack/mpcium
 
-go 1.23.8
-
-toolchain go1.24.7
+go 1.25.0
 
 require (
 	filippo.io/age v1.2.1