Verifying Validator Data
TLDR: When sending responses contaning validator metadata, Figment includes a cryptographic signature allowing you to confirm that the validator public key originates from Figment’s secure provisioning infrastructure.
The Validator API returns validator data, including the following fields:pubkey
, signature
, amount
, deposit_data_root
, withdrawal_credentials
, figment_signature
.
The signature
ensures the validator data is valid
signature
ensures the validator data is validsignature
is a cryptographic "proof of possession". It signs over pubkey
, withdrawal_credentials
, and amount
by the validator's private key to prove the data supplied in a funding transaction matches the data that was used to create the validator being funded. Lines 132-144 of the Beacon Deposit Contract verify this data against the supplied deposit_data_root
and will revert the transaction if unsuccessful.
The signature
could be valid but the data returned could be the result of a man-in-the-middle attack on the endpoint such that the validator data returned correspond to validators not created by Figment. Depositing to such a validator would mean you/Figment could not exit it, effectively burning the deposited ETH.
The figment_signature
ensures it was generated by Figment
figment_signature
ensures it was generated by FigmentIn addition to this, Figment provides figment_signature
, a verifiable signature of the validator's pubkey
by a private key held within Figment infra, so you know the validator returned by our API is from Figment.
Here's how you can use this signature to verify the validator authenticity:
- Get Figment's public key and save as a plain text file named
public-key.pem
. Ask a Figment Customer Success rep. - Save the validator's public key as plain text in a file named
message.txt
. It's returned in the/validators
response (pubkey
underattributes
) - Save the signature as plain text in a file named
signature.hex
. It's returned in the/validators
response (figment_signature
underattributes
) - Decode the file by running:
xxd -r -p < signature.hex > signature.bin
- Verify that the decoded signature matches the message. The command below should return "Verified OK"
openssl dgst -sha256 -verify public-key.pem -signature signature.bin message.txt
Updated 9 months ago