Home
These docs are for v1.0. Click to read the latest docs for v2.0.

Verifying our validator data

Suggest Edits

TLDR: When sending responses contaning validator metadata, Figment includes a cryptographic signature allowing you to confirm that the validator public key originates from Figment’s secure provisioning infrastructure.

The Validator API returns validator data, including the following fields:pubkey, signature, amount , deposit_data_root, withdrawal_credentials, figment_signature.

The signature ensures the validator data is valid

signatureis a cryptographic "proof of possession". It signs over pubkey, withdrawal_credentials, and amount by the validator's private key to prove the data supplied in a funding transaction matches the data that was used to create the validator being funded. Lines 132-144 of the Beacon Deposit Contract verify this data against the supplied deposit_data_root and will revert the transaction if unsuccessful.

The signature could be valid but the data returned could be the result of a man-in-the-middle attack on the endpoint such that the validator data returned correspond to validators not created by Figment. Depositing to such a validator would mean you/Figment could not exit it, effectively burning the deposited ETH.

The figment_signature ensures it was generated by Figment

In addition to this, Figment provides figment_signature, a verifiable signature of the validator's pubkey by a private key held within Figment infra, so you know the validator returned by our API is from Figment.

Here's how you can use this signature to verify the validator authenticity:

  1. Get Figment's public key and save as a plain text file named public-key.pem. Make sure the newline is not included in the file: 
    1. echo -n $FIGMENT_PUBLIC_KEY >  public.key.pem
    2. . Public key for each network: 
      1. -----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA8fZT/uOlVSmcyEu4sJxvL6yn+VTk
CjhSSIoeGAPSmp96KPLcL1X+CgFU/Qia5OdV/rWm9BWyFyr36lZKM/AImpsAnvfz
YrkXkwTzcwCWVG8ZEG4bsrPQqPunhohbE0YHgxVgoXhnkjsiruLELGDaYHSPpqUt
yPdqJFg4jmjpPzzwH+E=
-----END PUBLIC KEY-----

        -----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjk7z5i8Q6PAqN8B59DhLqSqub6Fu
czHHnC5rXk6WyK1lgvLEqbfiZBfsepnrvpVfTXD16IpvltscHX055buThEIAlesz
YO40OFp3SNqIfvDpDALygJ4I0MB0nVJ3vOlhSnFLGjNPP/FLWnpz5GWg6foxvCaY
hknTCfe4R4T5e5Ql4g8=
-----END PUBLIC KEY-----

        -----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAOBXqpkA5Mmb3HxPHT0+Iyly3TxrE
GmML1KC8UkSAXV7wrLzLaky4ftwHUAeScj/E5aG5m2spL5QSjbaLtE8l4RsATc2W
RPlFJKpeahI4p3LpvomjZUaBvrDJm/uF6V7SGVBBne0UKq7D6LdV97k/bUqidvR+
AOnYCW1zFbCDYWEXQxQ=
-----END PUBLIC KEY-----
  2. Save the validator's public key as plain text in a file named message.txt. It's returned in the /validators response (pubkey under attributes): 
  3. echo -n $VALIDATOR_PUBKEY > message.txt
  4. Save the signature as plain text in a file named signature.hex. It's returned in the /validators response (figment_signature under attributes). 
    1. echo -n $FIGMENT_SIGNATURE > signature.hex
  5. Decode the file by running:
xxd -r -p < signature.hex > signature.bin
  1. Verify that the decoded signature matches the message. The command below should return "Verified OK"
openssl dgst -sha256 -verify public-key.pem -signature signature.bin message.txt

Updated about 1 year ago