Verifying our validator data

TLDR: When sending responses contaning validator metadata, Figment includes a cryptographic signature allowing you to confirm that the validator public key originates from Figment’s secure provisioning infrastructure.


The Validator API returns validator data, including the following fields:pubkey, signature, amount , deposit_data_root, withdrawal_credentials, figment_signature.

The signature ensures the validator data is valid

signatureis a cryptographic "proof of possession". It signs over pubkey, withdrawal_credentials, and amount by the validator's private key to prove the data supplied in a funding transaction matches the data that was used to create the validator being funded. Lines 132-144 of the Beacon Deposit Contract verify this data against the supplied deposit_data_root and will revert the transaction if unsuccessful.

The signature could be valid but the data returned could be the result of a man-in-the-middle attack on the endpoint such that the validator data returned correspond to validators not created by Figment. Depositing to such a validator would mean you/Figment could not exit it, effectively burning the deposited ETH.

The figment_signature ensures it was generated by Figment

In addition to this, Figment provides figment_signature, a verifiable signature of the validator's pubkey by a private key held within Figment infra, so you know the validator returned by our API is from Figment.

Here's how you can use this signature to verify the validator authenticity:

  1. Get Figment's public key and save as a plain text file named public-key.pem. Make sure the newline is not included in the file:
    1. echo -n $FIGMENT_PUBLIC_KEY >  public.key.pem
      
    2. . Public key for each network:
      1. -----BEGIN PUBLIC KEY-----
        MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA8fZT/uOlVSmcyEu4sJxvL6yn+VTk
        CjhSSIoeGAPSmp96KPLcL1X+CgFU/Qia5OdV/rWm9BWyFyr36lZKM/AImpsAnvfz
        YrkXkwTzcwCWVG8ZEG4bsrPQqPunhohbE0YHgxVgoXhnkjsiruLELGDaYHSPpqUt
        yPdqJFg4jmjpPzzwH+E=
        -----END PUBLIC KEY-----
        
        -----BEGIN PUBLIC KEY-----
        MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjk7z5i8Q6PAqN8B59DhLqSqub6Fu
        czHHnC5rXk6WyK1lgvLEqbfiZBfsepnrvpVfTXD16IpvltscHX055buThEIAlesz
        YO40OFp3SNqIfvDpDALygJ4I0MB0nVJ3vOlhSnFLGjNPP/FLWnpz5GWg6foxvCaY
        hknTCfe4R4T5e5Ql4g8=
        -----END PUBLIC KEY-----
        
        -----BEGIN PUBLIC KEY-----
        MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAOBXqpkA5Mmb3HxPHT0+Iyly3TxrE
        GmML1KC8UkSAXV7wrLzLaky4ftwHUAeScj/E5aG5m2spL5QSjbaLtE8l4RsATc2W
        RPlFJKpeahI4p3LpvomjZUaBvrDJm/uF6V7SGVBBne0UKq7D6LdV97k/bUqidvR+
        AOnYCW1zFbCDYWEXQxQ=
        -----END PUBLIC KEY-----
        
  2. Save the validator's public key as plain text in a file named message.txt. It's returned in the /validators response (pubkey under attributes):
  3. echo -n $VALIDATOR_PUBKEY > message.txt
    
  4. Save the signature as plain text in a file named signature.hex. It's returned in the /validators response (figment_signature under attributes).
    1. echo -n $FIGMENT_SIGNATURE > signature.hex
      
  5. Decode the file by running:
xxd -r -p < signature.hex > signature.bin
  1. Verify that the decoded signature matches the message. The command below should return "Verified OK"
openssl dgst -sha256 -verify public-key.pem -signature signature.bin message.txt