Verifying Validator Data
TLDR: When sending responses contaning validator metadata, Figment includes a cryptographic signature allowing you to confirm that the validator public key originates from Figment’s secure provisioning infrastructure.
Our Create Validators and Get Validators endpoints returns validator data, including the following fields:pubkey
, signature
, amount
, deposit_data_root
, withdrawal_credentials
, figment_signature
.
The signature
ensures the validator data is valid
signature
ensures the validator data is validsignature
is a cryptographic "proof of possession". It signs over pubkey
, withdrawal_credentials
, and amount
by the validator's private key to prove the data supplied in a funding transaction matches the data that was used to create the validator being funded. Lines 132-144 of the Beacon Deposit Contract verify this data against the supplied deposit_data_root
and will revert the transaction if unsuccessful.
Purpose of Lines 132–144
When a user deposits ETH to become a validator, they submit a deposit_data object containing:
pubkey
: The validator's public keywithdrawal_credentials
: Information for future fund withdrawalsamount
: The amount of ETH being stakedsignature
: A cryptographic signature proving ownership of the pubkey
These fields are hashed together to form a deposit_data_root
, which is then included in the deposit transaction.
Lines 132–144 verify that the provided deposit_data_root
matches the hash of the submitted deposit_data
. If there's a mismatch, the transaction is reverted. This ensures that only valid and authenticated validator data is accepted, maintaining the security and integrity of the Beacon Chain.
Warning!
The
signature
could be valid but the data returned could be the result of a man-in-the-middle attack on the endpoint such that the validator data and signature returned correspond to validators not created by Figment. Depositing to such a validator would mean you/Figment could not exit it, effectively burning the deposited ETH.
The figment_signature
ensures it was generated by Figment
figment_signature
ensures it was generated by FigmentIn addition, Figment provides figment_signature
, a verifiable signature of the validator's pubkey
by a private key held within Figment infra, so you know the validator returned by our API is from Figment.
Here's how you can use this signature to verify the validator authenticity:
Copy Figment's public key and save as a plain text file named signing-pubkey.pem
.
- Holesky
-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjk7z5i8Q6PAqN8B59DhLqSqub6Fu
czHHnC5rXk6WyK1lgvLEqbfiZBfsepnrvpVfTXD16IpvltscHX055buThEIAlesz
YO40OFp3SNqIfvDpDALygJ4I0MB0nVJ3vOlhSnFLGjNPP/FLWnpz5GWg6foxvCaY
hknTCfe4R4T5e5Ql4g8=
-----END PUBLIC KEY-----
- Hoodi
-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBEl2CwgLw+AzzfdC4zoFYFSrz7TvW
6xnyd/VViKcEl8dCVnluYVHzoSRju1VslxQtHUZPSTcBm5hhyRjB/vXmmaQApl0k
I7BC+szmt+Ovp8Guxx/pcZ/VnM0DNgpCJTc63BXorfM4nWwruZZ+dLZJv48GKAe/
nxgyqKbGkxTj8zPMIB4=
-----END PUBLIC KEY-----
- Mainnet
-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAOBXqpkA5Mmb3HxPHT0+Iyly3TxrE
GmML1KC8UkSAXV7wrLzLaky4ftwHUAeScj/E5aG5m2spL5QSjbaLtE8l4RsATc2W
RPlFJKpeahI4p3LpvomjZUaBvrDJm/uF6V7SGVBBne0UKq7D6LdV97k/bUqidvR+
AOnYCW1zFbCDYWEXQxQ=
-----END PUBLIC KEY-----
e.g.
echo '-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjk7z5i8Q6PAqN8B59DhLqSqub6Fu
czHHnC5rXk6WyK1lgvLEqbfiZBfsepnrvpVfTXD16IpvltscHX055buThEIAlesz
YO40OFp3SNqIfvDpDALygJ4I0MB0nVJ3vOlhSnFLGjNPP/FLWnpz5GWg6foxvCaY
hknTCfe4R4T5e5Ql4g8=
-----END PUBLIC KEY-----' > signing-pubkey.pem
- Grab the
pubkey
from the response of GET /validators, remove0x
, and store it in a file namedpubkey.txt
:echo -n 809ccd6d235280b7892d96853a6281ec3a1b696818f0c869a38208f4beea4dc761726df3615f5214bfca6578bf7b5e96 > pubkey.txt
- Grab the
figment_signature
from the response, remove0x
, and store the binary format in a file namedsignature.bin
:echo 3081880242017976bfe9723ce70b15a7c1e9ba7d34ea701a57f4cd5629f939c31e10debd634911b42a234636445df7c47c2030664539c075edd230a7d5d7088157512f1c4de969024201f14cadfd0b3de90f350deefa48d4a59961ea4b89d3c421d0af6bddbe51c09d3dce76f94635cea9eac824b7c82591656d59fb1527d51d90d08679268260ed118f34 | xxd -r -p > signature.bin
- Verify the signature using OpenSSL:
openssl dgst -sha256 -verify signing-pubkey.pem -signature signature.bin pubkey.txt
- Verify that the decoded signature matches the message. The command below should return "Verified OK"
Updated 4 days ago