feat(verify-attestation): RPC attestation and batch signature verification binary

This is another variant of the binary tool for verifying attestation and the signature of a given batch. Unlike the existing tool, this variant does not require you to provide two separate files—one for the attestation and one for the signature. Instead, it automatically fetches both from the RPC node. Unfortunately, after discussing with @popzxc, we found that there is no way to reuse the RPC client because our published crates on crates.io are outdated and do not include the recently merged TEE-specific code changes. To be fixed in the future.
2025-07-21 07:03:56 +02:00 · 2024-08-09 14:50:30 +02:00 · 2024-08-09 14:50:30 +02:00 · 5e4b8901b0
commit 5e4b8901b0
parent 27f35a7432
11 changed files with 2991 additions and 170 deletions
--- a/packages/cargoClippy/default.nix
+++ b/packages/cargoClippy/default.nix
@ -3,6 +3,6 @@
 { teepotCrate }: teepotCrate.craneLib.cargoClippy (
  teepotCrate.commonArgs // {
    pname = "teepot";
-    inherit (teepotCrate) cargoArtifacts NIX_OUTPATH_USED_AS_RANDOM_SEED;
+    inherit (teepotCrate) cargoArtifacts;
  }
 )
--- a/packages/container-verify-era-proof-attestation-sgx/default.nix
+++ b/packages/container-verify-era-proof-attestation-sgx/default.nix
@ -0,0 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2024 Matter Labs
+{ dockerTools
+, buildEnv
+, teepot
+, openssl
+, curl
+, nixsgx
+, pkg-config
+}:
+dockerTools.buildLayeredImage {
+  name = "verify-era-proof-attestation";
+
+  config.Entrypoint = [ "${teepot.teepot.verify_era_proof_attestation}/bin/verify-era-proof-attestation" ];
+  config.Env = [ "LD_LIBRARY_PATH=/lib" ];
+  contents = buildEnv {
+    name = "image-root";
+
+    paths = with dockerTools; with nixsgx;[
+      pkg-config
+      openssl.out
+      curl.out
+      sgx-dcap.quote_verify
+      sgx-dcap.default_qpl
+      teepot.teepot.verify_era_proof_attestation
+      usrBinEnv
+      binSh
+      caCertificates
+      fakeNss
+    ];
+    pathsToLink = [ "/bin" "/lib" "/etc" "/share" ];
+  };
+}
--- a/packages/teepot/default.nix
+++ b/packages/teepot/default.nix
@ -3,9 +3,7 @@
 { teepotCrate }: teepotCrate.craneLib.buildPackage (
  teepotCrate.commonArgs // {
    pname = "teepot";
-    inherit (teepotCrate) cargoArtifacts
-      NIX_OUTPATH_USED_AS_RANDOM_SEED;
-
+    inherit (teepotCrate) cargoArtifacts;

    passthru = {
      inherit (teepotCrate) rustPlatform
@ -13,7 +11,6 @@
        commonArgs
        craneLib
        cargoArtifacts;
-      NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
    };

    outputs = [
@ -29,6 +26,7 @@
      "vault_admin"
      "vault_unseal"
      "verify_attestation"
+      "verify_era_proof_attestation"
    ];
    postInstall = ''
      removeReferencesToVendoredSources "$out" "$cargoVendorDir"