Closed de-husk closed 10 months ago
@troian Hey, quick question: it seems that the generate-only flag is not being checked and that the NewKeyPairManager is creating a signature and using it as a password for keyPairManager; however, if this account is multi-sig, the signature will fail due to not reaching the threshold. As a solution, is it possible to check for the flag and, if it exists, do a passwordless keyPairManager or maybe also require a password? @PJEstada
I think one of the things to consider is what would be the implications of generating a keyPairManager with an empty string as password.
keyPairManager{
    addr:          fromAddress,
    passwordBytes: []byte(""),
    homeDir:       cctx.HomeDir,
}
Because if this is possible, I can create a PR to fix this and make use of the flag. I'm just not sure if there are security implications on generating a certificate.
I just see usage for it here:
blk, err = x509.EncryptPEMBlock(rand.Reader, types.PemBlkTypeECPrivateKey, keyDer, kpm.passwordBytes, x509.PEMCipherAES256) // nolint: staticcheck
Or find another mechanism to generate a password that does not involve signing.
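An added example, not part of the thread or of the Akash code base, showing what the empty-password case asked about above means for the `x509.EncryptPEMBlock` call quoted in that comment: the PEM block is still marked as encrypted, yet anyone holding the file can decrypt it. The `pemBlockType` constant and the function name are assumptions made for this sketch.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// Assumption: stands in for types.PemBlkTypeECPrivateKey from the thread.
const pemBlockType = "EC PRIVATE KEY"

// emptyPasswordRoundTrip encrypts a throwaway EC key with an empty password,
// then reads it back as someone who holds only the PEM bytes would.
func emptyPasswordRoundTrip() (markedEncrypted, recovered bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	keyDer, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return false, false, err
	}
	// Same call shape as the line quoted above (legacy RFC 1423 PEM
	// encryption, deprecated in the Go standard library).
	blk, err := x509.EncryptPEMBlock(rand.Reader, pemBlockType, keyDer, []byte(""), x509.PEMCipherAES256) // nolint: staticcheck
	if err != nil {
		return false, false, err
	}
	onDisk := pem.EncodeToMemory(blk)

	// Reader side: no secret is needed, only the file contents.
	parsed, _ := pem.Decode(onDisk)
	if parsed == nil {
		return false, false, fmt.Errorf("PEM decode failed")
	}
	markedEncrypted = x509.IsEncryptedPEMBlock(parsed)     // nolint: staticcheck
	plain, err := x509.DecryptPEMBlock(parsed, []byte("")) // nolint: staticcheck
	if err != nil {
		return markedEncrypted, false, err
	}
	return markedEncrypted, bytes.Equal(plain, keyDer), nil
}

func main() {
	enc, rec, err := emptyPasswordRoundTrip()
	fmt.Println("marked encrypted:", enc, "recovered with empty password:", rec, "err:", err)
}
```

With an empty password the key's confidentiality rests entirely on file permissions of the directory that holds the PEM file, so a passwordless mode would need to be treated like an unencrypted key on disk.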
@JeancarloBarrios thanks for digging, yeah, it does not work with msig accounts at the moment. track https://github.com/akash-network/support/issues/59 for updates to cert tool. i have PoC in my stash, however there is one dependency that creates version collision between cosmos-sdk and new pem library. i hope we get it resolved when new cosmos-sdk ends up in the node repo
I was reading the related issues and it seems that go std library will not add support for PKCS8, so probably will need to use something like: https://pkg.go.dev/golang.org/x/crypto/pbkdf2. Not sure if this is the related library that is colliding with cosmos SDK.
Is this change also affecting things on the provider repo too?
i'll give a think for multisig issue as well.
fixed in v0.24.0 network upgrade
I'm trying to use a multisig akash wallet to share access to infra in our DAO.
I was trying to:
akash tx cert generate client --from $my_multisig --generate-only
But the error I was getting was:
Error: cannot sign with offline keys
Which makes it seem like --generate-only is being ignored since it shouldn't be signing a transaction.
I also tried
akash tx cert publish client --from $my_multisig --generate-only
with the same error.
When I tried --generate-only with a non multisig key, it just created the client cert.
Unless I'm doing something wrong, it seems like we can't use --generate-only to generate unsigned cert and deployment transactions?