I’ve put out a small point release, v0.2.1, which should hopefully address all known bugs, including one for another feature in the original release which was buggy so I didn’t announce it:
priv_validator.json import support
If you’ve already registered a key in the genesis.json for an upcoming testnet, such as gaia-9002, you can import it into a YubiHSM2 using the new
tmkms yubihsm keys import command:
$ tmkms yubihsm keys import --path ./priv_validator.json 9002
This will import the Ed25519 key from the
./priv_validator.json file into slot 9002 of the configured YubiHSM2 (you will need to have
tmkms.toml configured in advance).
Secret Connection key mini-post-mortem
A quick aside: the format for SecretConnection keys (i.e.
secret_key under the
[[validator]] section) is now Base64. This means any previously generated keys will not load and are unusable, but that’s ok because any keys generated by a release build were all zeroes! If you see an error like this, please delete the offending key to ensure it’s regenerated:
config error: error loading SecretConnection key from tmkms.key: invalid encoding
The root cause of the issue was a bug in the
subtle-encoding library used to provide constant time encoding/decoding of secret keys. This library contained code gated on a debug assertion (i.e.
debug_assert_eq!) which performed the encoding/decoding operations was compiled out of release builds:
The bug has been fixed, and the CI configuration for this repository has been updated to run tests in release mode. I have confirmed that running the tests in release mode would’ve caught this particular bug: