akash-network / support

Akash Support and Issue Tracking

Generate Only flag doesn't seem to work for creating certs #24

Closed de-husk closed 10 months ago

de-husk commented 1 year ago

I'm trying to use a multisig akash wallet to share access to infra in our DAO.

I was trying to: akash tx cert generate client --from $my_multisig --generate-only

But the error I was getting was: Error: cannot sign with offline keys, which makes it seem like --generate-only is being ignored, since it shouldn't be signing a transaction.

I also tried akash tx cert publish client --from $my_multisig --generate-only with the same error.

When I tried --generate-only with a non multisig key, it just created the client cert.

Unless I'm doing something wrong, it seems like we can't use --generate-only to generate unsigned cert and deployment transactions?

JeancarloBarrios commented 1 year ago

@troian Hey, quick question: it seems that the generate-only flag is not being checked and that the NewKeyPairManager is creating a signature and using it as a password for keyPairManager; however, if this account is multi-sig, the signature will fail due to not reaching the threshold. As a solution, is it possible to check for the flag and, if it exists, do a passwordless keyPairManager or maybe also require a password? @PJEstrada

https://github.com/akash-network/node/blob/52d5ee5caa2c6e5a5e59893d903d22fe450d6045/x/cert/utils/key_pair_manager.go#L47-L58

PJEstrada commented 1 year ago

I think one of the things to consider is what would be the implications of generating a keyPairManager with an empty string as password.

    // keyPairManager built with an empty password instead of one derived from a signature
    keyPairManager{
        addr:          fromAddress,
        passwordBytes: []byte(""),
        homeDir:       cctx.HomeDir,
    }

because if this is possible, I can create a PR to fix this and make use of the flag. I'm just not sure if there are security implications on generating a certificate.

I just see usage for it here:

    blk, err = x509.EncryptPEMBlock(rand.Reader, types.PemBlkTypeECPrivateKey, keyDer, kpm.passwordBytes, x509.PEMCipherAES256) // nolint: staticcheck

https://github.com/akash-network/node/blob/52d5ee5caa2c6e5a5e59893d903d22fe450d6045/x/cert/utils/key_pair_manager.go#L256

Or find another mechanism to generate a password that does not involve signing.
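The empty-password question raised in the comment above, as an added example that is not part of the thread or of the Akash code base: it runs the quoted EncryptPEMBlock call with an empty and a non-empty password and checks which one still opens with an empty password. The helper names, the "EC PRIVATE KEY" label and the use of x509.MarshalECPrivateKey to produce the DER are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// blockType is an assumed PEM label; the thread only names types.PemBlkTypeECPrivateKey.
const blockType = "EC PRIVATE KEY"

// newKeyDER creates a throwaway P-256 key (constructed sample input) in DER form.
func newKeyDER() ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.MarshalECPrivateKey(priv)
}

// seal mirrors the EncryptPEMBlock call quoted in the thread (hypothetical helper).
func seal(der, password []byte) (*pem.Block, error) {
	return x509.EncryptPEMBlock(rand.Reader, blockType, der, password, x509.PEMCipherAES256) // nolint: staticcheck
}

// opens reports whether password recovers exactly the original DER from blk.
func opens(blk *pem.Block, password, der []byte) bool {
	out, err := x509.DecryptPEMBlock(blk, password) // nolint: staticcheck
	return err == nil && bytes.Equal(out, der)
}

func main() {
	der, err := newKeyDER()
	if err != nil {
		panic(err)
	}
	for _, pw := range []string{"", "constructed-passphrase"} {
		blk, err := seal(der, []byte(pw))
		if err != nil {
			panic(err)
		}
		fmt.Printf("password=%q DEK-Info=%v opens-with-empty=%v\n", pw, blk.Headers["DEK-Info"] != "", opens(blk, nil, der))
	}
}
```

With an empty password the block still carries a DEK-Info header and looks encrypted, but the AES key is derived only from the salt stored in that header, so the file permissions are the only protection the private key has at rest.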

troian commented 1 year ago

@JeancarloBarrios thanks for digging, yeah, it does not work with msig accounts at the moment. track https://github.com/akash-network/support/issues/59 for updates to cert tool. i have PoC in my stash, however there is one dependency that creates version collision between cosmos-sdk and new pem library. i hope we get it resolved when new cosmos-sdk ends up in the node repo

PJEstrada commented 1 year ago

I was reading the related issues and it seems that the Go std library will not add support for PKCS8, so we will probably need to use something like https://pkg.go.dev/golang.org/x/crypto/pbkdf2. Not sure if this is the related library that is colliding with cosmos SDK.

Is this change also affecting things on the provider repo too?

troian commented 1 year ago

we will be switching to with PKCS8 support

troian commented 1 year ago

i'll give a think for multisig issue as well.

troian commented 10 months ago

fixed in v0.24.0 network upgrade