Key Safety
Pre-release
Summary
This is our main release after our security assessment with Trail of Bits. This release include all fixes and changes that were recommended from the draft report that was shown to us. It includes fixes for the following issues:
- Use of unpinned third-party docker image and actions on workflows [TOB-ETHSTAKER-1] #181
- Use of GPG for release signing and verification [TOB-ETHSTAKER-2] #182
- Sensitive files are incorrectly assigned permissions and ownership [TOB-ETHSTAKER-3] #183
- Error-prone path handling [TOB-ETHSTAKER-4] #184
- Emphasize critical warning regarding clipboard clearing [TOB-ETHSTAKER-5] #185
- Terminal buffer is not cleared on iterm2 [TOB-ETHSTAKER-7] #186
- Code Quality Recommendations from ToB #187
- Encryption function random parameters are set at program init [TOB-ETHSTAKER-6] #238
A security issue was discovered during a security review of the ethstaker-deposit-cli project by Trail of Bits. This vulnerability affects users who previously generated multiple keystore files in a single run using staking-deposit-cli (formerly eth2-deposit-cli), ethstaker-deposit-cli, or Wagyu Key Gen. If a malicious actor obtains your keystore files, there is a risk of exposing the private keys. While a small number of leaked keystore files would require significant computing power to exploit, the attack becomes increasingly feasible as more files are compromised from a single tool run.
We strongly recommend using the updated version of ethstaker-deposit-cli to create new validator keys if you want to add more validators to an existing setup or if you are starting from scratch. If you believe your previously generated keystore files were not leaked or exposed to any malicious actor, no further action is necessary. However, if you suspect a large number of keystore files from a single tool run may have been potentially exposed, you should assume the keystore private keys have been compromised.
All changes
What's Changed
- fix: typos in documentation files by @leopardracer in #232
- Bump tomli from 2.0.2 to 2.1.0 by @dependabot in #234
- Bump coverage from 7.6.4 to 7.6.7 by @dependabot in #233
- Bump docker/metadata-action from 5.5.1 to 5.6.1 by @dependabot in #236
- Bump coverage from 7.6.7 to 7.6.8 by @dependabot in #235
New Contributors
- @leopardracer made their first contribution in #232
Full Changelog: v0.5.0...v0.6.0
Building process
Release assets were built using Github Actions and this workflow run. You can establish the provenance of this build using our artifact attestations.
With the GitHub CLI installed, a simple way to verify these assets is to run this command while replacing [filename] with the path to the downloaded asset:
gh attestation verify [filename] --repo eth-educators/ethstaker-deposit-cliThis step requires you to be online. If you want to perform this offline, follow these instructions from GitHub.
Binaries
| System | Architecture | Binary | Checksum |
|---|---|---|---|
| Windows | x86_64 | ethstaker_deposit-cli-932a916-windows-amd64.zip | sha256 |
| macOS | x86_64 | ethstaker_deposit-cli-932a916-darwin-amd64.tar.gz | sha256 |
| macOS | aarch64 | ethstaker_deposit-cli-932a916-darwin-arm64.tar.gz | sha256 |
| Linux | x86_64 | ethstaker_deposit-cli-932a916-linux-amd64.tar.gz | sha256 |
| Linux | aarch64 | ethstaker_deposit-cli-932a916-linux-arm64.tar.gz | sha256 |
Docker image
| Version | Name | Package |
|---|---|---|
| v0.6.0 | ghcr.io/eth-educators/ethstaker-deposit-cli:v0.6.0 |
Github Package |
License
By downloading and using this software, you agree to the license.
