-
Notifications
You must be signed in to change notification settings - Fork 5
Rotate Finalizer Keys
This document is a step by step guide to switching out your active on-chain finalizer keys. You may register as many finalizer keys as you would like.
Next we will create a new finalizer key, add it to nodoes' configuration, and register the key. In this example we are creating one key, you may create many keys.
Keys may be output to console (--to-console
) or to file (--file
).
spring-util bls create key --to-console > producer-name.finalizer.key
The output will look like this
Private key: PVT_BLS_9-9ziZZzZcZZoiz-ZZzUtz9ZZ9u9Zo9aS9BZ-o9iznZfzUZU
Public key: PUB_BLS_SvLa9z9kZoT9bzZZZ-Zezlrst9Zb-Z9zZV9olZazZbZvzZzk9r9ZZZzzarUVzbZZ9Z9ZUzf9iZZ9P_kzZZzGLtezL-Z9zZ9zzZb9ZitZctzvSZ9G9SUszzcZzlZu-GsZnZ9I9Z
Proof of Possession: SIG_BLS_ZPZZbZIZukZksBbZ9Z9Zfysz9zZsy9z9S9V99Z-9rZZe99vZUzZPZZlzZszZiiZVzT9ZZZZBi99Z9kZzZ9zZPzzbZ99ZZzZP9zZrU-ZZuiZZzZUvZ9ZPzZbZ_yZi9ZZZ-yZPcZZe9SZZPz9Tc9ZaZ999voB99L9PzZ99I9Zu9Zo9ZZZzTtVZbcZ-Zck_ZZUZZtfTZGszUzzBTZZGrnIZ9Z9Z9zPznyZLZIavGzZunreVZ9zZZt_ZlZS9ZZIz9yUZa9Z9-Z
Create an additional configuration. You should have multiple signature-provider
configurations with different BLS keys. One entry will match your currently used BLS key.
Formate
signature-provider = PUBLIC_KEY=KEY:PRIVATE_KEY
For example
signature-provider = PUB_BLS_SvLa9q9kEoT9bqEEE-Eeqlrst9Eb-E9qEV9olEaqEbEvqEqk9r9EEEqqarUVqbEE9E9EUqf9iEE9P_kqEEqGLteqL-E9qE9qqEb9EitEctqvSE9G9SUsqqcEqlEu-GsEnE9I9E=KEY:PVT_BLS_9-9qiEEqEcEEoiq-EEqUtq9EE9u9Eo9aS9BE-o9iqnEfqUEU
signature-provider = PUB_BLS_SvLa9z9kZoT9bzZZZ-Zezlrst9Zb-Z9zZV9olZazZbZvzZzk9r9ZZZzzarUVzbZZ9Z9ZUzf9iZZ9P_kzZZzGLtezL-Z9zZ9zzZb9ZitZctzvSZ9G9SUszzcZzlZu-GsZnZ9I9Z=KEY:PVT_BLS_9-9ziZZzZcZZoiz-ZZzUtz9ZZ9u9Zo9aS9BZ-o9iznZfzUZU
Retart nodeos instance to load the key.
Check your existing finalizer keys
cleos get table --limit 100 eosio eosio finkeys | jq .rows[] | jq 'select (.finalizer_name=="producert-name")'
You should not see your newly created key. Lets register the new key.
cleos push action eosio regfinkey '{"finalizer_name":"producer-name", \
"finalizer_key":"PUB_BLS_SvLa9z9kZoT9bzZZZ-Zezlrst9Zb-Z9zZV9olZazZbZvzZzk9r9ZZZzzarUVzbZZ9Z9ZUzf9iZZ9P_kzZZzGLtezL-Z9zZ9zzZb9ZitZctzvSZ9G9SUszzcZzlZu-GsZnZ9I9Z", \
"proof_of_possession":"SIG_BLS_ZPZZbZIZukZksBbZ9Z9Zfysz9zZsy9z9S9V99Z-9rZZe99vZUzZPZZlzZszZiiZVzT9ZZZZBi99Z9kZzZ9zZPzzbZ99ZZzZP9zZrU-ZZuiZZzZUvZ9ZPzZbZ_yZi9ZZZ-yZPcZZe9SZZPz9Tc9ZaZ999voB99L9PzZ99I9Zu9Zo9ZZZzTtVZbcZ-Zck_ZZUZZtfTZGszUzzBTZZGrnIZ9Z9Z9zPznyZLZIavGzZunreVZ9zZZt_ZlZS9ZZIz9yUZa9Z9-Z"}' \
-p producer-name
Recheck your existing finalizer keys , now the key should be listed
cleos get table --limit 100 eosio eosio finkeys | jq .rows[] | jq 'select (.finalizer_name=="producert-name")'
Use cleos to find your current finalizer key. Make a note of the key, so we can verify it changes at the end of this key rotation.
cleos get table --limit 100 eosio eosio finalizers | jq .rows[] | jq 'select (.finalizer_name=="producer_name")'.active_key_binary
Rotate to the new key with the actfinkey
action.
cleos push action eosio actfinkey '{"finalizer_name":"producer-name", \
"finalizer_key":"PUB_BLS_SvLa9z9kZoT9bzZZZ-Zezlrst9Zb-Z9zZV9olZazZbZvzZzk9r9ZZZzzarUVzbZZ9Z9ZUzf9iZZ9P_kzZZzGLtezL-Z9zZ9zzZb9ZitZctzvSZ9G9SUszzcZzlZu-GsZnZ9I9Z"}' \
-p producer-name
The key has been rotated and the value should change.
cleos get table --limit 100 eosio eosio finalizers | jq .rows[] | jq 'select (.finalizer_name=="producer_name")'.active_key_binary
Check your nodeos logs for a message indicating the Finalizer Policy has changed.
grep -i "finalizer policy" my.log
Should see two log lines like this
info 2024-06-04T18:17:04.133 nodeos block_header_state.cpp:185 finish_next ] Finalizer policy generation change: 1 -> 2
info 2024-06-04T18:17:04.133 nodeos block_header_state.cpp:187 finish_next ] New finalizer policy becoming active in block 00002e8d6c84a48932f1b99930c3d3074c7891a6d3fa176959c4b40f5969ba6f: {"generation":2,"threshold":3,"finalizers":[{"description":"producer1","weight":1,"public_key":"PUB_BLS_..."},{"description":"producer2","weight":1,"public_key":"PUB_BLS_..."},{"description":"producer3","weight":1,"public_key":"PUB_BLS_..."}]}