Verifying our validator data
TLDR: When sending responses contaning validator metadata, Figment includes a cryptographic signature allowing you to confirm that the validator public key originates from Figment’s secure provisioning infrastructure.
The Validator API returns validator data, including the following fields:pubkey
, signature
, amount
, deposit_data_root
, withdrawal_credentials
, figment_signature
.
The signature
ensures the validator data is valid
signature
ensures the validator data is validsignature
is a cryptographic "proof of possession". It signs over pubkey
, withdrawal_credentials
, and amount
by the validator's private key to prove the data supplied in a funding transaction matches the data that was used to create the validator being funded. Lines 132-144 of the Beacon Deposit Contract verify this data against the supplied deposit_data_root
and will revert the transaction if unsuccessful.
The signature
could be valid but the data returned could be the result of a man-in-the-middle attack on the endpoint such that the validator data returned correspond to validators not created by Figment. Depositing to such a validator would mean you/Figment could not exit it, effectively burning the deposited ETH.
The figment_signature
ensures it was generated by Figment
figment_signature
ensures it was generated by FigmentIn addition to this, Figment provides figment_signature
, a verifiable signature of the validator's pubkey
by a private key held within Figment infra, so you know the validator returned by our API is from Figment.
Here's how you can use this signature to verify the validator authenticity:
- Get Figment's public key and save as a plain text file named
public-key.pem
. Make sure the newline is not included in the file:-
echo -n $FIGMENT_PUBLIC_KEY > public.key.pem
- . Public key for each network:
-
-----BEGIN PUBLIC KEY----- MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA8fZT/uOlVSmcyEu4sJxvL6yn+VTk CjhSSIoeGAPSmp96KPLcL1X+CgFU/Qia5OdV/rWm9BWyFyr36lZKM/AImpsAnvfz YrkXkwTzcwCWVG8ZEG4bsrPQqPunhohbE0YHgxVgoXhnkjsiruLELGDaYHSPpqUt yPdqJFg4jmjpPzzwH+E= -----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY----- MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjk7z5i8Q6PAqN8B59DhLqSqub6Fu czHHnC5rXk6WyK1lgvLEqbfiZBfsepnrvpVfTXD16IpvltscHX055buThEIAlesz YO40OFp3SNqIfvDpDALygJ4I0MB0nVJ3vOlhSnFLGjNPP/FLWnpz5GWg6foxvCaY hknTCfe4R4T5e5Ql4g8= -----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY----- MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAOBXqpkA5Mmb3HxPHT0+Iyly3TxrE GmML1KC8UkSAXV7wrLzLaky4ftwHUAeScj/E5aG5m2spL5QSjbaLtE8l4RsATc2W RPlFJKpeahI4p3LpvomjZUaBvrDJm/uF6V7SGVBBne0UKq7D6LdV97k/bUqidvR+ AOnYCW1zFbCDYWEXQxQ= -----END PUBLIC KEY-----
-
-
- Save the validator's public key as plain text in a file named
message.txt
. It's returned in the/validators
response (pubkey
underattributes
): -
echo -n $VALIDATOR_PUBKEY > message.txt
- Save the signature as plain text in a file named
signature.hex
. It's returned in the/validators
response (figment_signature
underattributes
).-
echo -n $FIGMENT_SIGNATURE > signature.hex
-
- Decode the file by running:
xxd -r -p < signature.hex > signature.bin
- Verify that the decoded signature matches the message. The command below should return "Verified OK"
openssl dgst -sha256 -verify public-key.pem -signature signature.bin message.txt
Updated 11 months ago