Add stellar contract verify command#2586
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Hi @fnando, we just submitted a proposal for the Contract Source Verification Service RFP and it mentioned your draft PR. It’s great that SEP-58 core verification logic is now embedded directly in While designing our tech architecture document for the RFP, we noticed retroactive verification is a mandatory requirement for the upcoming verification service, but contracts deployed before At the moment, In your notable bits, you mention that the user can supply a local file or URL via It is the responsibility of the verifier to flag these verification results as having their build environment provided by the user submitting the verification and not recorded on-chain in WASM metadata. Does this suggestion makes sense and do you plan to add support for user-supplied build environment + source identification parameters while finalizing this draft? |
|
@saimeunt Yes, the scenario makes sense, but I don't think it should live under The way I see it, the verification service is the one responsible for receiving and storing everything needed to build the contract (source code, OS distro, build options, etc.). For that reason I'd keep the SEP-58 path in the CLI strictly tied to the immutable, on-chain The real distinction isn't whether the build image is custom (an on-chain metadata can reference a custom image too, and that's equally hard to trust without auditing the image). It's chain of custody: on-chain fields are immutable and tied to the deployer, while user-supplied fields have no such provenance. That's exactly the case you raised; it's the verifier's responsibility to flag those results as "build environment provided by the submitter, not recorded on-chain." I'd put all of that under out-of-band verification: the registry works with developers to verify contracts and covers everything SEP-58 doesn't (private source, pre-SEP-58 contracts1, etc.). The registry marks the contract verified, and it's ultimately up to users to trust the registry's findings, so the more verification services a developer goes through, the higher the trust. Footnotes
|
|
A verification service doesn't need to use the cli to verify with data not in the wasm meta. It should use the docker image directly. |
|
@fnando @leighmcculloch Thanks for your answers, I agree Verifiers will use their own logic built on top of the |
3 participants
main. This PR's base iscontract-build-verifiable, so once #2585 merges, GitHub will automatically retarget this one tomain.What
Adds a new
stellar contract verifysubcommand that takes a contract id (--id, fetched from the network) or a local WASM (--wasm), reads the SEP-58 build metadata embedded in it (bldimg, source identification, build flags), re-runs the recorded build inside the recorded container image, and byte-compares the result against the original to confirm the WASM is reproducible.Notable bits:
source_repo+source_rev) and tarballs (tarball_url+tarball_sha256). For WASMs that record onlytarball_sha256, the user can supply a local file or URL via--tarball-url.gix(with rustls TLS) instead of shelling out togit, so the command has no runtime dependency on a system git binary and there's a single retrieval channel to gate on.bldimg, and unconditionally for any tarball source (tarballs are never default-trusted).--trustskips it; the prompt overrides--quietso it can't be silenced by accident. The default trust list is the stellar/stellar-cli image.--tarball-sha256), and the trust-prompt flow; they live in the existing integration tier.Why
#2585 makes it possible to produce a verifiable build; this PR is the other half — a way to check a deployed contract against its claimed source. Together they close the SEP-58 loop end-to-end in the CLI.
Known limitations
N/A