v0.4.1

Summary

This release adds support for new solana-cargo-build-sbf versions via new 2.0.* and 2.1.* Dockerfiles. Also adds full support for cargo build args in export-pda-tx.

Changelog

• fixed support for writing cargo args on-chain via solana-verify export-pda-tx
• Added support for programs built solana toolkit versions:
  • v2.0.16
  • v2.0.17
  • v2.0.18
  • v2.0.19
  • v2.0.20
  • v2.0.21
  • v2.0.22
  • v2.1.1
  • v2.1.2
  • v2.1.3
  • v2.1.4
  • v2.1.5
  • v2.1.6
  • v2.1.7
  • v2.1.8
  • v2.1.9

v0.4.0

Summary

This release improves consistency with updated OSec API behavior to avoid "griefing" attack disclosed by security firm Accretion. The OSec API previously allowed anyone to override a program's verification info with a clone of the program's repository, which could mislead users about protocol information.

This has now been patched, but now the API requires that all program verifications be written to a PDA onchain first, before remote verification starts. Verification status of programs is now tagged with the address of the key that uploaded the verification information, under /status-all/<program-id> (for example kGYz2q2WUYCXhKpgUF4AMR3seDA9eg8sbirP5dhbyhy).

Explorers and other applications can now decide which verification is "canonical" based on the address of the uploader. We recommend that applications trust PDAs uploaded by the program's authority and PDAs uploaded by OtterSec's signer 9VWiUUhgNoRwTH5NVehYJEDwcotwYX3VgW4MChiHPAqU.

Changelog

• changed solana-verify verify-from-repo --remote to skip local build first, and go straight to writing the verification data onchain, then submitting a job to the OSec API
• added compute unit fees globally, used to achieve better landing rates (solana-verify verify-from-repo --compute-unit-price)
• added solana-verify remote submit-job --program-id <program id> --uploader <uploader> now submits a remote job for using only the PDA written by the uploader
• added solana-verify remote get-job --job-id <job-id> gets the job status of a given job id
• added solana-verify remote get-status --program-id <program id> gets the verification statuses by signer for a program ID
• added solana-verify export-pda-tx --encoding base58/base64 --compute-unit-price 0 will now give you a base58/base64 transaction that you can use to write verification PDA from squads multisig
• improved error messages for solana-verify verify-from-repo --remote to encourage multisig users to use solana-verify submit-job when they need to verify a specific uploader's verification arguments.

v0.3.1

New features

• list-program-pdas lists all build information submitted for a program, requires custom RPC Url, useful for debugging remote verification, which expects the program authority or OTTER SIGNER
• get-program-pda gets the build information submitted by a specific signer (ie whatever is in ~/.config/solana) or explicitly specified by -s <address>
• verify-from-repo has -k flag to specify keypair to write build information onchain after successful verification

Fixes

• verify-from-repo 's skip prompt flag -y now skips ALL prompts

v0.2.4

Merge pull request #30 from Ellipsis-Labs/jarry/ubuntu-bug

Jarry/ubuntu bug

v0.2.3

• Fix bug in commit hash
• Make it easier to verify and build anchor programs

v0.2.2

• Updated CLI to infer lib/pkg names when possible
• Better handling around container cleanup

v0.2.1

Merge pull request #27 from Ellipsis-Labs/jxiao/clean-up-args-add-sig…

v0.2.0

• Migrate CLI to mostly use std::process::Command

v0.1.9

What's Changed

• add verify from repo url feature by @throwbackjams in #20

Full Changelog: v0.1.8...v0.1.9

v0.1.8

Full Changelog: v0.1.7...v0.1.8