Home

Verifying Validator Data

Suggest Edits

TLDR: When sending responses contaning validator metadata, Figment includes a cryptographic signature allowing you to confirm that the validator public key originates from Figment’s secure provisioning infrastructure.

The Validator API returns validator data, including the following fields:pubkey, signature, amount , deposit_data_root, withdrawal_credentials, figment_signature.

The signature ensures the validator data is valid

signatureis a cryptographic "proof of possession". It signs over pubkey, withdrawal_credentials, and amount by the validator's private key to prove the data supplied in a funding transaction matches the data that was used to create the validator being funded. Lines 132-144 of the Beacon Deposit Contract verify this data against the supplied deposit_data_root and will revert the transaction if unsuccessful.

The signature could be valid but the data returned could be the result of a man-in-the-middle attack on the endpoint such that the validator data returned correspond to validators not created by Figment. Depositing to such a validator would mean you/Figment could not exit it, effectively burning the deposited ETH.

The figment_signature ensures it was generated by Figment

In addition to this, Figment provides figment_signature, a verifiable signature of the validator's pubkey by a private key held within Figment infra, so you know the validator returned by our API is from Figment.

Here's how you can use this signature to verify the validator authenticity:

  1. Get Figment's public key and save as a plain text file named signing-pubkey.pem.
    1. Holesky 
      -----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjk7z5i8Q6PAqN8B59DhLqSqub6Fu
czHHnC5rXk6WyK1lgvLEqbfiZBfsepnrvpVfTXD16IpvltscHX055buThEIAlesz
YO40OFp3SNqIfvDpDALygJ4I0MB0nVJ3vOlhSnFLGjNPP/FLWnpz5GWg6foxvCaY
hknTCfe4R4T5e5Ql4g8=
-----END PUBLIC KEY-----
    2. Mainnet 
      -----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAOBXqpkA5Mmb3HxPHT0+Iyly3TxrE
GmML1KC8UkSAXV7wrLzLaky4ftwHUAeScj/E5aG5m2spL5QSjbaLtE8l4RsATc2W
RPlFJKpeahI4p3LpvomjZUaBvrDJm/uF6V7SGVBBne0UKq7D6LdV97k/bUqidvR+
AOnYCW1zFbCDYWEXQxQ=
-----END PUBLIC KEY-----
      e.g.
    echo '-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjk7z5i8Q6PAqN8B59DhLqSqub6Fu
czHHnC5rXk6WyK1lgvLEqbfiZBfsepnrvpVfTXD16IpvltscHX055buThEIAlesz
YO40OFp3SNqIfvDpDALygJ4I0MB0nVJ3vOlhSnFLGjNPP/FLWnpz5GWg6foxvCaY
hknTCfe4R4T5e5Ql4g8=
-----END PUBLIC KEY-----' > signing-pubkey.pem
  2. Grab the pubkey from the response of GET /validators, remove 0x, and store it in a file named pubkey.txt: 
    echo -n 809ccd6d235280b7892d96853a6281ec3a1b696818f0c869a38208f4beea4dc761726df3615f5214bfca6578bf7b5e96 > pubkey.txt
  3. Grab the figment_signature from the response, remove 0x, and store the binary format in a file named signature.bin: 
    echo 3081880242017976bfe9723ce70b15a7c1e9ba7d34ea701a57f4cd5629f939c31e10debd634911b42a234636445df7c47c2030664539c075edd230a7d5d7088157512f1c4de969024201f14cadfd0b3de90f350deefa48d4a59961ea4b89d3c421d0af6bddbe51c09d3dce76f94635cea9eac824b7c82591656d59fb1527d51d90d08679268260ed118f34 | xxd -r -p > signature.bin
  4. Verify the signature using OpenSSL: 
    openssl dgst -sha256 -verify signing-pubkey.pem -signature signature.bin pubkey.txt
  5. Verify that the decoded signature matches the message. The command below should return "Verified OK"

Updated 4 days ago