Sync vendored ComputeRequest.Hash with confidential-compute: Version only for legacy#2171
Sync vendored ComputeRequest.Hash with confidential-compute: Version only for legacy#2171nadahalli wants to merge 2 commits into
Conversation
confidential-compute #360 made Version conditional in ComputeRequest.Hash (hashed only when Version == ServiceConfidentialComputeVersionLegacy, as it migrates Version out of the hash). The vendored copy here still hashed Version unconditionally. They agree today (version 0.0.6 == legacy), but would diverge the moment the enclave moves past the legacy version, silently breaking relay-DON F+1 verification. Mirror the conditional and vendor the legacy-version const.
|
👋 nadahalli, thanks for creating this pull request! To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team. Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks! |
📊 API Diff Results
|
There was a problem hiding this comment.
Pull request overview
This PR updates the vendored ComputeRequest.Hash implementation in chainlink-common to match the behavior in confidential-compute, where the Version field is hashed only for the legacy confidential compute version. This prevents future hash divergence (and resulting signature verification failures) once enclaves move beyond the legacy version.
Changes:
- Added a vendored legacy version constant and made
ComputeRequest.Hashconditionally includeVersiononly when it equals that legacy value. - Updated the test fixture to use the legacy version by default.
- Added a unit test asserting that non-legacy
Versionvalues do not affect the hash, while the legacy version remains bound into the hash.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/capabilities/v2/actions/confidentialrelay/computerequest.go | Conditioned Version hashing on a vendored legacy version constant to stay compatible with confidential-compute. |
| pkg/capabilities/v2/actions/confidentialrelay/computerequest_test.go | Updated sample request to legacy version and added a test to lock in the conditional hashing behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
confidential-compute #360 made Version conditional in ComputeRequest.Hash: it is hashed only when Version == ServiceConfidentialComputeVersionLegacy, as CC migrates Version out of the hash. The vendored copy here still hashed Version unconditionally.
They agree today (version 0.0.6 == legacy), so relay-DON F+1 verification works. But once the enclave moves past the legacy version, CC stops hashing Version while this copy keeps hashing it, so the relay would compute a different ComputeRequest.Hash than the Workflow DON signed and silently reject every valid secrets request.
Mirror the conditional and vendor the legacy-version const. PRIV-433.