Open Slesarew opened 2 years ago
@Slesarew Could you please explain more about verifier certificate? What is general certificate and how is it generated and used?
Verifier certificate is just an asymmetric key that is used to sign metadata as proof of generated update authorship. Currently, it is any of Substrate-supported keypairs. These could be generated normally, using subkey
(more convenient for personal use) or the Signer (this option was designed for metadata portal maintainers). It serves no other purposes except for proving that update was indeed authored by the same party as previously downloaded updates.
General verifier is just the first certificate accepted by Signer - it comes with pre-installed certificate from Parity, but could be replaced with any other (this is encouraged really so that we stay distributed). It gives slightly more flexibility to the user, effectively reflecting higher trust level to the issuer compared to other certificates.
See here for more detailed explanations https://github.com/varovainen/parity-signer/blob/2022-05-25-uos/docs/src/development/UOS.md#verifiers - this will be merged to master soon and appear in Signer docs, so the link might break sooner than later.
Now that we have metadata published and other developers can deploy forks and mirrors of this portal, we should start building usable infrastructure for verifying metadata validity. We currently use some development tools for this on metadata updates, but we should make metadata verification easily accessible for everyone even if they are not subscribed to our verifier certificate.
Thus, we should: [ ] Add metadata hash to update screen [ ] Add metadata hash identicon to update screen (it's just normal polkadot identicon build on metadata hash - it's 2 hashed in a row, sacrifice elegance for modularity) [ ] Make some tool(s?) users can use to query metadata hash through rpc calls locally or from web [ ] Add same information (and tools?) to popular places like polkadot-js website