From 9dfdd67d8a118b5fd5d5ce4c33aca6f9a45201b7 Mon Sep 17 00:00:00 2001
From: Joshua Fernandes
Date: Thu, 12 Sep 2024 22:02:29 +1000
Subject: [PATCH] fix lint errors
---
 .github/workflows/lint.yml | 3 +-
 .markdownlint.yaml | 275 ++++++++++++++++++
 docs/concepts/architecture.md | 13 +-
 docs/get-started/key-best-practices.md | 4 +-
 docs/get-started/start-web3signer.md | 2 +-
 docs/how-to/configure-slashing-protection.md | 25 +-
 docs/how-to/configure-tls.md | 11 +-
 docs/how-to/load-keys.md | 38 +--
 docs/how-to/monitor/metrics.md | 19 +-
 docs/how-to/run-at-scale.md | 46 ++-
 docs/how-to/store-keys/hsm/usb-armory.md | 4 +-
 docs/how-to/store-keys/hsm/yubihsm2.md | 50 ++--
 docs/how-to/store-keys/index.md | 14 +-
 .../vaults/aws/kms-execution-layer.md | 10 +-
 docs/how-to/store-keys/vaults/gcp.md | 2 +-
 docs/reference/api/json-rpc.md | 10 +-
 docs/reference/api/rest.md | 8 +-
 docs/reference/cli/options.md | 3 +-
 docs/reference/cli/subcommands.md | 12 +-
 docs/reference/key-config-file-params.md | 6 +-
 docs/reference/security-disclosure.md | 4 +-
 21 files changed, 442 insertions(+), 117 deletions(-)
 create mode 100644 .markdownlint.yaml
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index a933331..13277f6 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -21,6 +21,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Lint markdown
- uses: ConsenSys/docs-gha/lint-markdown@mdlint
+ uses: ConsenSys/docs-gha/lint-markdown@main
 with:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ CONFIG_FILE: ".markdownlint.yaml"
\ No newline at end of file
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
new file mode 100644
index 0000000..bd40af1
--- /dev/null
+++ b/.markdownlint.yaml
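Review bot: The new `uses: ConsenSys/docs-gha/lint-markdown@main` line tracks a mutable branch, so whatever lands on that branch runs in this workflow with the `GITHUB_TOKEN` that is passed under `with:`. Pin the action to a full commit SHA and keep the branch name as a trailing comment, e.g. `uses: ConsenSys/docs-gha/lint-markdown@<full-commit-sha>  # main`, and bump it deliberately. The job definition starts outside this hunk, so its `permissions:` are not visible; if none are set, a job-level `permissions:` block with only `contents: read` would limit what the token can do. The file also still ends without a trailing newline after the `CONFIG_FILE` line.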
@@ -0,0 +1,275 @@
+# Example markdownlint configuration with all properties set to their default value
+
+# Default state for all rules
+default: true
+
+# Path to configuration file to extend
+extends: null
+
+# MD001/heading-increment : Heading levels should only increment by one level at a time : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md001.md
+MD001: false
+
+# MD003/heading-style : Heading style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md003.md
+MD003:
+ # Heading style
+ style: "consistent"
+
+# MD004/ul-style : Unordered list style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md004.md
+MD004:
+ # List style
+ style: "consistent"
+
+# MD005/list-indent : Inconsistent indentation for list items at the same level : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md005.md
+MD005: true
+
+# MD007/ul-indent : Unordered list indentation : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md007.md
+MD007:
+ # Spaces for indent
+ indent: 2
+ # Whether to indent the first level of the list
+ start_indented: false
+ # Spaces for first level indent (when start_indented is set)
+ start_indent: 2
+
+# MD009/no-trailing-spaces : Trailing spaces : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md009.md
+MD009:
+ # Spaces for line break
+ br_spaces: 2
+ # Allow spaces for empty lines in list items
+ list_item_empty_lines: false
+ # Include unnecessary breaks
+ strict: false
+
+# MD010/no-hard-tabs : Hard tabs : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md010.md
+MD010:
+ # Include code blocks
+ code_blocks: true
+ # Fenced code languages to ignore
+ ignore_code_languages: []
+ # Number of spaces for each hard tab
+ spaces_per_tab: 1
+
+# MD011/no-reversed-links : Reversed link syntax : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md011.md
+MD011: true
+
+# MD012/no-multiple-blanks : Multiple consecutive blank lines : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md012.md
+MD012:
+ # Consecutive blank lines
+ maximum: 1
+
+# MD013/line-length : Line length : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md013.md
+MD013:
+ # Number of characters
+ line_length: 200
+ # Number of characters for headings
+ heading_line_length: 100
+ # Number of characters for code blocks
+ code_block_line_length: 200
+ # Include code blocks
+ code_blocks: true
+ # Include tables
+ tables: true
+ # Include headings
+ headings: true
+ # Strict length checking
+ strict: false
+ # Stern length checking
+ stern: false
+
+# MD014/commands-show-output : Dollar signs used before commands without showing output : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md014.md
+MD014: true
+
+# MD018/no-missing-space-atx : No space after hash on atx style heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md018.md
+MD018: true
+
+# MD019/no-multiple-space-atx : Multiple spaces after hash on atx style heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md019.md
+MD019: true
+
+# MD020/no-missing-space-closed-atx : No space inside hashes on closed atx style heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md020.md
+MD020: true
+
+# MD021/no-multiple-space-closed-atx : Multiple spaces inside hashes on closed atx style heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md021.md
+MD021: true
+
+# MD022/blanks-around-headings : Headings should be surrounded by blank lines : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md022.md
+MD022:
+ # Blank lines above heading
+ lines_above: 1
+ # Blank lines below heading
+ lines_below: 1
+
+# MD023/heading-start-left : Headings must start at the beginning of the line : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md023.md
+MD023: true
+
+# MD024/no-duplicate-heading : Multiple headings with the same content : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md024.md
+MD024: false
+ # Only check sibling headings
+ # siblings_only: false
+
+# MD025/single-title/single-h1 : Multiple top-level headings in the same document : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md025.md
+MD025: false
+ # Heading level
+ # level: 3
+ # # RegExp for matching title in front matter
+ # front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD026/no-trailing-punctuation : Trailing punctuation in heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md026.md
+MD026:
+ # Punctuation characters
+ punctuation: ".,;:!。,;:!"
+
+# MD027/no-multiple-space-blockquote : Multiple spaces after blockquote symbol : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md027.md
+MD027: true
+
+# MD028/no-blanks-blockquote : Blank line inside blockquote : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md028.md
+MD028: true
+
+# MD029/ol-prefix : Ordered list item prefix : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md029.md
+MD029:
+ # List style
+ style: "one_or_ordered"
+
+# MD030/list-marker-space : Spaces after list markers : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md030.md
+MD030:
+ # Spaces for single-line unordered list items
+ ul_single: 1
+ # Spaces for single-line ordered list items
+ ol_single: 1
+ # Spaces for multi-line unordered list items
+ ul_multi: 1
+ # Spaces for multi-line ordered list items
+ ol_multi: 1
+
+# MD031/blanks-around-fences : Fenced code blocks should be surrounded by blank lines : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md031.md
+MD031:
+ # Include list items
+ list_items: true
+
+# MD032/blanks-around-lists : Lists should be surrounded by blank lines : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md032.md
+MD032: true
+
+# MD033/no-inline-html : Inline HTML : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md033.md
+MD033: false
+ # Allowed elements
+ # allowed_elements: []
+
+# MD034/no-bare-urls : Bare URL used : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md034.md
+MD034: true
+
+# MD035/hr-style : Horizontal rule style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md035.md
+MD035:
+ # Horizontal rule style
+ style: "consistent"
+
+# MD036/no-emphasis-as-heading : Emphasis used instead of a heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md036.md
+MD036:
+ # Punctuation characters
+ punctuation: ".,;:!?。,;:!?"
+
+# MD037/no-space-in-emphasis : Spaces inside emphasis markers : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md037.md
+MD037: true
+
+# MD038/no-space-in-code : Spaces inside code span elements : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md038.md
+MD038: true
+
+# MD039/no-space-in-links : Spaces inside link text : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md039.md
+MD039: true
+
+# MD040/fenced-code-language : Fenced code blocks should have a language specified : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md040.md
+MD040:
+ # List of languages
+ allowed_languages: []
+ # Require language only
+ language_only: false
+
+# MD041/first-line-heading/first-line-h1 : First line in a file should be a top-level heading : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md041.md
+MD041:
+ # Heading level
+ level: 1
+ # RegExp for matching title in front matter
+ front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD042/no-empty-links : No empty links : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md042.md
+MD042: true
+
+# MD043/required-headings : Required heading structure : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md043.md
+MD043: false
+ # List of headings
+ # headings: []
+ # Match case of headings
+ # match_case: false
+
+# MD044/proper-names : Proper names should have the correct capitalization : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md044.md
+MD044:
+ # List of proper names
+ names: []
+ # Include code blocks
+ code_blocks: true
+ # Include HTML elements
+ html_elements: true
+
+# MD045/no-alt-text : Images should have alternate text (alt text) : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md045.md
+MD045: true
+
+# MD046/code-block-style : Code block style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md046.md
+MD046:
+ # Block style
+ style: "consistent"
+
+# MD047/single-trailing-newline : Files should end with a single newline character : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md047.md
+MD047: true
+
+# MD048/code-fence-style : Code fence style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md048.md
+MD048:
+ # Code fence style
+ style: "consistent"
+
+# MD049/emphasis-style : Emphasis style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md049.md
+MD049:
+ # Emphasis style
+ style: "consistent"
+
+# MD050/strong-style : Strong style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md050.md
+MD050:
+ # Strong style
+ style: "consistent"
+
+# MD051/link-fragments : Link fragments should be valid : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md051.md
+MD051: false
+
+# MD052/reference-links-images : Reference links and images should use a label that is defined : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md052.md
+MD052:
+ # Include shortcut syntax
+ shortcut_syntax: false
+
+# MD053/link-image-reference-definitions : Link and image reference definitions should be needed : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md053.md
+MD053:
+ # Ignored definitions
+ ignored_definitions:
+ - "//"
+
+# MD054/link-image-style : Link and image style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md054.md
+MD054:
+ # Allow autolinks
+ autolink: true
+ # Allow inline links and images
+ inline: true
+ # Allow full reference links and images
+ full: true
+ # Allow collapsed reference links and images
+ collapsed: true
+ # Allow shortcut reference links and images
+ shortcut: true
+ # Allow URLs as inline links
+ url_inline: true
+
+# MD055/table-pipe-style : Table pipe style : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md055.md
+MD055:
+ # Table pipe style
+ style: "consistent"
+
+# MD056/table-column-count : Table column count : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md056.md
+MD056: true
+
+# MD058/blanks-around-tables : Tables should be surrounded by blank lines : https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md058.md
+MD058: true
\ No newline at end of file
diff --git a/docs/concepts/architecture.md b/docs/concepts/architecture.md
index efd5000..ed66311 100644
--- a/docs/concepts/architecture.md
+++ b/docs/concepts/architecture.md
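Review bot: The header comment `# Example markdownlint configuration with all properties set to their default value` does not describe this file: MD001, MD024, MD025, MD033, MD043 and MD051 are set to `false`, and MD013 uses `line_length: 200` with `heading_line_length: 100`. Replace it with a comment saying these are the project's overrides, and add a short reason beside each disabled rule, for example `# MD033 off: pages embed inline HTML/JSX components` (inferred from the `TabItem` import visible in the docs hunks; please confirm). With `MD051: false`, CI no longer catches broken in-page link fragments, so that one deserves an explicit justification or a follow-up to re-enable it. The file is also added without a trailing newline.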
@@ -3,25 +3,26 @@ description: Learn more about Web3Signer's architecture. sidebar_position: 1 --- -# Architecture +# Architecture Web3Signer is a remote signing client comprised of three main components: - Remote signer - Slashing database -- APIs +- APIs ## The remote signer -The remote signer [loads private keys](../how-to/load-keys.md) into memory and responds to signature requests. -If you are using an [HSM](../how-to/store-keys/hsm/_category_.json) or a [vault](../how-to/store-keys/vaults/_category_.json) for execution layer signing, the keys stay at rest. +The remote signer [loads private keys](../how-to/load-keys.md) into memory and responds to signature requests. +If you are using an [HSM](../how-to/store-keys/hsm/_category_.json) or a [vault](../how-to/store-keys/vaults/_category_.json) for execution layer signing, the keys stay at rest. This component communicates with the slashing database, the APIs, and the keystore (if used), to coordinate remote signing. ## The slashing database -The [slashing database](./slashing-protection.md) is a Postgres database that tracks which keys have signed messages. +The [slashing database](./slashing-protection.md) is a Postgres database that tracks which keys have signed messages. Database locking ensures that when multiple Web3Signer instances load the same keys, only one instance is permitted to sign. ## The APIs -Web3Signer supports REST and [JSON-RPC APIs](../reference/api/_category_.json) to sign consensus layer and execution layer payloads respectively. These connections should be carefully secured. Web3Signer offers [TLS communication](../how-to/configure-tls.md). +Web3Signer supports REST and [JSON-RPC APIs](../reference/api/_category_.json) to sign consensus layer and execution layer payloads +respectively. These connections should be carefully secured. Web3Signer offers [TLS communication](../how-to/configure-tls.md). 
diff --git a/docs/get-started/key-best-practices.md b/docs/get-started/key-best-practices.md index f710160..7975ac8 100644 --- a/docs/get-started/key-best-practices.md +++ b/docs/get-started/key-best-practices.md @@ -5,8 +5,8 @@ sidebar_position: 5 # Private key management best practices -Web3Signer manages validator keys for Ethereum 2.0 staking. -This document outlines best practices for key generation, storage, access control, and system security when using Web3Signer. +Web3Signer manages validator keys for Ethereum 2.0 staking. +This document outlines best practices for key generation, storage, access control, and system security when using Web3Signer. The following guidelines help protect your staked assets and supports Ethereum network integrity. ## Generate secure BLS keys diff --git a/docs/get-started/start-web3signer.md b/docs/get-started/start-web3signer.md index 4bba6f7..fcd2e27 100644 --- a/docs/get-started/start-web3signer.md +++ b/docs/get-started/start-web3signer.md @@ -114,4 +114,4 @@ Web3Signer by default also performs a health check on the [subcommand]: ../reference/cli/subcommands.md [bulk load signing keys]: ../how-to/load-keys.md#bulk-load-keys [slashing protection]: ../concepts/slashing-protection.md -[slashing protection database]: ../how-to/configure-slashing-protection.md \ No newline at end of file +[slashing protection database]: ../how-to/configure-slashing-protection.md diff --git a/docs/how-to/configure-slashing-protection.md b/docs/how-to/configure-slashing-protection.md index 83d99a6..c5d219e 100644 --- a/docs/how-to/configure-slashing-protection.md +++ b/docs/how-to/configure-slashing-protection.md 
@@ -74,14 +74,18 @@ Use the [Flyway] migration tool to automatically load them in order. ```bash -flyway migrate -url="jdbc:postgresql://localhost/web3signer" -locations="filesystem:/Users/me/web3signer-0.2.1-SNAPSHOT/migrations/postgresql" +flyway migrate -url="jdbc:postgresql://localhost/web3signer" \ +-locations="filesystem:/Users/me/web3signer-0.2.1-SNAPSHOT/migrations/postgresql" ``` + ```bash -psql --echo-all --host=localhost --port=5432 --dbname=web3signer --username=postgres -f /Users/me/web3signer-0.2.1-SNAPSHOT/migrations/postgresql/postgresql/V1__initial.sql +psql --echo-all --host=localhost --port=5432 --dbname=web3signer --username=postgres \ +-f /Users/me/web3signer-0.2.1-SNAPSHOT/migrations/postgresql/postgresql/V1__initial.sql ``` + @@ -95,7 +99,9 @@ If using the PostgreSQL command line inside a docker container, ensure you mount Start Web3Signer and specify the PostgreSQL connection options. ```bash -web3signer --key-store-path=/Users/me/keys eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password --slashing-protection-pruning-enabled=true +web3signer --key-store-path=/Users/me/keys eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" \ +--slashing-protection-db-username=postgres --slashing-protection-db-password=password \ +--slashing-protection-pruning-enabled=true ``` :::note 
@@ -121,13 +127,17 @@ Use the [`eth2 import`](../reference/cli/subcommands.md#eth2-import) and To import a slashing protection database file into the Postgres database, run: ```bash -web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password import --from=/Users/me/my_node/interchange.json +web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" \ +--slashing-protection-db-username=postgres \ +--slashing-protection-db-password=password import --from=/Users/me/my_node/interchange.json ``` To export the Postgres database to a file run: ```bash -web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password export --to=/Users/me/my_node/interchange.json +web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" \ +--slashing-protection-db-username=postgres \ +--slashing-protection-db-password=password export --to=/Users/me/my_node/interchange.json ``` You must supply the Postgres database connection details when importing or exporting the slashing 
@@ -150,7 +160,10 @@ You can include additional optional pruning configuration options. For example, run: ```bash -web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" --slashing-protection-db-username=postgres --slashing-protection-db-password=password --slashing-protection-pruning-enabled=true --slashing-protection-pruning-at-boot-enabled=true --slashing-protection-pruning-epochs-to-keep=5000 --slashing-protection-pruning-interval=18 +web3signer eth2 --slashing-protection-db-url="jdbc:postgresql://localhost/web3signer" \ +--slashing-protection-db-username=postgres --slashing-protection-db-password=password \ +--slashing-protection-pruning-enabled=true --slashing-protection-pruning-at-boot-enabled=true \ +--slashing-protection-pruning-epochs-to-keep=5000 --slashing-protection-pruning-interval=18 ``` :::caution Warning diff --git a/docs/how-to/configure-tls.md b/docs/how-to/configure-tls.md index b97509b..f1729ff 100644 --- a/docs/how-to/configure-tls.md +++ b/docs/how-to/configure-tls.md @@ -45,7 +45,7 @@ The file contents use the format ` ` where: - `` is the Common Name used for the client's keystore - `` is the SHA-256 fingerprint of the client's keystore. -``` +```bash curl_client DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50 ``` @@ -54,7 +54,7 @@ You can use [OpenSSL](https://www.openssl.org/) or client's Common Name and fingerprint. For example: -``` +```bash keytool -list -v -keystore -storetype PKCS12 -storepass ``` @@ -110,7 +110,7 @@ The file contents use the format `: ` where: - `` is the port used for communication - `` is the SHA-256 fingerprint of the server's certificate. -``` +```bash localhost:8590 6C:B2:3E:F9:88:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB 127.0.0.1:8590 6C:B2:3E:F9:88:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB ``` 
@@ -122,7 +122,10 @@ Specify both hostname and IP address in the file if unsure which is used in requ ### Start Web3Signer ```bash -web3signer eth1 --downstream-http-tls-enabled --downstream-http-tls-keystore-file=/Users/me/my_node/keystore.pfx --downstream-http-tls-keystore-password-file=/Users/me/my_node/keyPassword --downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers +web3signer eth1 --downstream-http-tls-enabled \ +--downstream-http-tls-keystore-file=/Users/me/my_node/keystore.pfx \ +--downstream-http-tls-keystore-password-file=/Users/me/my_node/keyPassword \ +--downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers ``` The command line: diff --git a/docs/how-to/load-keys.md b/docs/how-to/load-keys.md index 6d7ace9..5595a4d 100644 --- a/docs/how-to/load-keys.md +++ b/docs/how-to/load-keys.md 
@@ -8,19 +8,19 @@ import TabItem from '@theme/TabItem'; # Load signing keys -Load signing keys using a [key configuration file], or bulk load using the [`eth1` and `eth2` subcommands]. -Web3Signer supports loading keys with the following methods: +Load signing keys using a [key configuration file], or bulk load using the [`eth1` and `eth2` subcommands]. +Web3Signer supports loading keys with the following methods: -| Key storage | Key configuration file | Bulk load with `eth1` | Bulk load with `eth2` | +| Key storage | Key configuration file | Bulk load with `eth1` | Bulk load with `eth2` | |--------------------------------------|:----------------------:|:---------------------:|:---------------------:| -| [Keystore files] | x | x | x | -| **Vaults** | -| [Hashicorp Vault] | x | | | -| [Azure Key Vault] | x | x | x | -| [AWS Secrets Manager] | x | | x | -| [AWS KMS] | x | x | | -| [GCP Secret Manager] | | | x | -| **Hardware Security Modules (HSMs)** | +| [Keystore files] | x | x | x | +| **Vaults** | | | | +| [Hashicorp Vault] | x | | | +| [Azure Key Vault] | x | x | x | +| [AWS Secrets Manager] | x | | x | +| [AWS KMS] | x | x | | +| [GCP Secret Manager] | | | x | +| **Hardware Security Modules (HSMs)** | | | | | [USB Armory Mk II] | x | | | | [YubiHSM 2] | x | | | 
@@ -53,10 +53,12 @@ You can bulk load keys that are stored in Azure Key Vault using the Web3Signer [`eth2` subcommand options](../reference/cli/subcommands.md#eth2). For `eth1` bulk loading, Web3Signer creates Azure keys connections in bulk mode. The Azure keys -connections are used to perform remote signing using SECP keys. Web3Signer does not download the private keys for `eth1` bulk loading with Azure. +connections are used to perform remote signing using SECP keys. Web3Signer does not download the private keys +for `eth1` bulk loading with Azure. For `eth2` bulk loading, Web3Signer bulk loads the BLS keys from Azure Secrets. The bulk loading -mode supports loading multiple consensus layer keys from the same Azure secret, if keys are stored with a line terminating character such as `\n`. +mode supports loading multiple consensus layer keys from the same Azure secret, if keys are stored with a line +terminating character such as `\n`. This saves cost when dealing with a large number of keys. Up to 200 keys can be stored under a secret name. @@ -105,7 +107,7 @@ web3signer eth2 --aws-secrets-enabled=true --aws-secrets-access-key-id=AKIA...EX You can bulk load execution layer keys that are stored in the AWS Key Management Service (KMS) using the Web3Signer [`eth1` subcommand options](../reference/cli/subcommands.md#eth1). -```bash +```bash web3signer eth1 --aws-kms-enabled=true --aws-kms-access-key-id=AKIA...EXAMPLE \ --aws-kms-secret-access-key=sk...EXAMPLE \ --aws-secrets-region=us-east-2 
@@ -113,10 +115,10 @@ web3signer eth1 --aws-kms-enabled=true --aws-kms-access-key-id=AKIA...EXAMPLE \ ### GCP Secret Manager -You can bulk load consensus layer keys that are stored in the GCP Secret Manager using -the Web3Signer [`eth2` subcommand options](../reference/cli/subcommands.md#eth2). +You can bulk load consensus layer keys that are stored in the GCP Secret Manager using +the Web3Signer [`eth2` subcommand options](../reference/cli/subcommands.md#eth2). -```bash +```bash web3signer eth2 --gcp-secrets-enabled=true --gcp-project-id=AKIA...EXAMPLE ``` @@ -162,4 +164,4 @@ keystore passwords. [keystore files]: #keystore-files [Hashicorp Vault]: #use-key-configuration-files [USB Armory Mk II]: #use-key-configuration-files -[YubiHSM 2]: #use-key-configuration-files \ No newline at end of file +[YubiHSM 2]: #use-key-configuration-files diff --git a/docs/how-to/monitor/metrics.md b/docs/how-to/monitor/metrics.md index dadabd6..d46f527 100644 --- a/docs/how-to/monitor/metrics.md +++ b/docs/how-to/monitor/metrics.md 
@@ -64,11 +64,16 @@ To configure Prometheus and run with Web3Signer: ## Run Prometheus with Web3Signer in push mode -The [`--metrics-enabled`](../../reference/cli/options.md#metrics-enabled) option enables Prometheus polling of Besu, but sometimes metrics are hard to poll (for example, when running inside Docker containers with varying IP addresses). To enable Besu to push metrics to a [Prometheus push gateway](https://github.com/prometheus/pushgateway), use the [`--metrics-push-enabled`](../../reference/cli/options.md#metrics-push-enabled) option. +The [`--metrics-enabled`](../../reference/cli/options.md#metrics-enabled) option enables Prometheus +polling of Besu, but sometimes metrics are hard to poll (for example, when running inside Docker +containers with varying IP addresses). To enable Besu to push metrics to a +[Prometheus push gateway](https://github.com/prometheus/pushgateway), use +the [`--metrics-push-enabled`](../../reference/cli/options.md#metrics-push-enabled) option. To configure Prometheus and run with Web3Signer pushing to a push gateway: -1. Configure Prometheus to read from a push gateway. For example, add the following YAML fragment to the `scrape_configs` block of the `prometheus.yml` file: +1. Configure Prometheus to read from a push gateway. For example, add the following YAML fragment to +the `scrape_configs` block of the `prometheus.yml` file: ```yml - job_name: push-gateway 
@@ -79,25 +84,25 @@ To configure Prometheus and run with Web3Signer pushing to a push gateway: - localhost:9091 ``` -1. Start the push gateway. You can deploy the push gateway using the Docker image: +1. Start the push gateway. You can deploy the push gateway using the Docker image: ```bash docker pull prom/pushgateway docker run -d -p 9091:9091 prom/pushgateway ``` -1. Start Web3Signer specifying options: - * [`--metrics-push-enabled`](../../reference/cli/options.md#metrics-push-enabled) +1. Start Web3Signer specifying options: + * [`--metrics-push-enabled`](../../reference/cli/options.md#metrics-push-enabled) * [`--metrics-push-port`](../../reference/cli/options.md#metrics-push-enabled) * [`--metrics-push-host`](../../reference/cli/options.md#metrics-push-host) -1. In another terminal, run Prometheus specifying the `prometheus.yml` file: +1. In another terminal, run Prometheus specifying the `prometheus.yml` file: ```bash prometheus --config.file=prometheus.yml ``` -1. View the [Prometheus graphical interface](#view-prometheus-graphical-interface). +1. View the [Prometheus graphical interface](#view-prometheus-graphical-interface). ## View Prometheus graphical interface diff --git a/docs/how-to/run-at-scale.md b/docs/how-to/run-at-scale.md index 417f97f..450eb87 100644 --- a/docs/how-to/run-at-scale.md +++ b/docs/how-to/run-at-scale.md 
@@ -9,29 +9,38 @@ import TabItem from '@theme/TabItem'; # Run Web3Signer at scale -When running Web3Signer at scale with hundreds or thousands of keys, several factors affect attestation performance on validators. -Horizontal scaling reduces request latency on Web3Signer. To maintain low signing latency and high safety, connect multiple Web3Signer instances to the same slashing database. +When running Web3Signer at scale with hundreds or thousands of keys, several factors affect attestation +performance on validators. Horizontal scaling reduces request latency on Web3Signer. To maintain low +signing latency and high safety, connect multiple Web3Signer instances to the same slashing database. -The primary performance cost occurs during startup. More keys increase Web3Signer's startup time, representing a one-time cost per restart. +The primary performance cost occurs during startup. More keys increase Web3Signer's startup time, representing +a one-time cost per restart. -When configuring your environment, consider the startup delay, the number of keys managed, and available system resources. +When configuring your environment, consider the startup delay, the number of keys managed, and available system +resources. -Balancing these factors optimizes system performance and responsiveness. Regular monitoring and tuning are necessary as the number of managed keys grows or network conditions change. +Balancing these factors optimizes system performance and responsiveness. Regular monitoring and tuning +are necessary as the number of managed keys grows or network conditions change. ## Database proximity -The [slashing database](./configure-slashing-protection.md) ensures the safe management of multiple validators. Optimizing the slashing database reduces latency and overhead, improving overall system performance. +The [slashing database](./configure-slashing-protection.md) ensures the safe management of multiple +validators. 
Optimizing the slashing database reduces latency and overhead, improving overall system performance. - **Reduced geographic latency**: Strategically place Web3Signer instances to ensure minimal distance to the slashing protection database. - **Performance tuning**: Optimize database configurations for rapid access, considering factors such as indexing and connection pooling. ## Threading model optimization -Web3Signer uses [Vertx](https://vertx.io/docs/vertx-core/java/) as its threading framework. While powerful, Vertx requires proper configuration for optimal performance in different environments. If you encounter request latency or blocked threads, adjust the [worker pool size](../reference/cli/options.md#vertx-worker-pool-size). +Web3Signer uses [Vertx](https://vertx.io/docs/vertx-core/java/) as its threading framework. While powerful, +Vertx requires proper configuration for optimal performance in different environments. If you encounter +request latency or blocked threads, adjust the [worker pool size](../reference/cli/options.md#vertx-worker-pool-size). -To manage concurrency, tailor Web3Signer's thread pool size to your expected load. Increase the pool size if you observe decreased attestation performance during peak signing loads. +To manage concurrency, tailor Web3Signer's thread pool size to your expected load. Increase the pool +size if you observe decreased attestation performance during peak signing loads. -You can implement monitoring tools for dynamic thread adjustments based on current demand and workload. Measure spikes and adjust the pool accordingly. +You can implement monitoring tools for dynamic thread adjustments based on current demand and workload. +Measure spikes and adjust the pool accordingly. You can use the following [metrics](./monitor/metrics.md): 
@@ -40,20 +49,25 @@ You can use the following [metrics](./monitor/metrics.md): ## Load balancing -At scale, deploy multiple Web3Signer instances behind a load balancer. This setup ensures balanced request distribution. -Use an ingress load balancer to spread requests evenly across instances. This prevents overloading of single instances. -Connect all Web3Signer instances to the same slashing database. This allows parallel signing without slashing risk. +At scale, deploy multiple Web3Signer instances behind a load balancer. This setup ensures balanced +request distribution. Use an ingress load balancer to spread requests evenly across instances. This +prevents overloading of single instances. Connect all Web3Signer instances to the same slashing database. +This allows parallel signing without slashing risk. -For more information, see the [Kiln article](https://www.kiln.fi/post/learnings-from-running-web3signer-at-scale-on-holesky) on running Web3Signer at scale. +For more information, see +the [Kiln article](https://www.kiln.fi/post/learnings-from-running-web3signer-at-scale-on-holesky) on +running Web3Signer at scale. ## Hardware recommendations -The Web3Signer team runs nodes managing 10,000 keys on various testnets. For example, a single Azure Standard D8as v5 VM (8 vCPUs, 32 GiB memory) can host Besu, Teku, and Web3Signer simultaneously. +The Web3Signer team runs nodes managing 10,000 keys on various testnets. For example, a single Azure +Standard D8as v5 VM (8 vCPUs, 32 GiB memory) can host Besu, Teku, and Web3Signer simultaneously. Your specific use case might require less powerful hardware. ![Dashboard for Web3Signer](../../static/img/dashboard_hw.png) Web3Signer consumes less than 2 GB of JVM heap while managing 10,000 keys in this setup. -The test configuration connects one validator client to Web3Signer. Using multiple validator clients might change resource requirements. 
-Distributing the same 10,000 keys across multiple clients maintains the total number of requests to Web3Signer. +The test configuration connects one validator client to Web3Signer. Using multiple validator +clients might change resource requirements. Distributing the same 10,000 keys across multiple clients +maintains the total number of requests to Web3Signer. diff --git a/docs/how-to/store-keys/hsm/usb-armory.md b/docs/how-to/store-keys/hsm/usb-armory.md index 27c0b4e..2e57d4f 100644 --- a/docs/how-to/store-keys/hsm/usb-armory.md +++ b/docs/how-to/store-keys/hsm/usb-armory.md @@ -49,7 +49,9 @@ Alternatively you can manually create the file and add the certificate details i ```bash 10.0.0.1:443 DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50 ``` -After storing keys, [load keys into Web3Signer using a key configuration file](../../load-keys.md#use-key-configuration-files). + +After storing keys, +[load keys into Web3Signer using a key configuration file](../../load-keys.md#use-key-configuration-files). diff --git a/docs/how-to/store-keys/hsm/yubihsm2.md b/docs/how-to/store-keys/hsm/yubihsm2.md index 375d3c2..c4ef09b 100644 --- a/docs/how-to/store-keys/hsm/yubihsm2.md +++ b/docs/how-to/store-keys/hsm/yubihsm2.md 
@@ -9,19 +9,19 @@ import TabItem from '@theme/TabItem'; # Use Web3Signer with YubiHSM 2 -Web3Signer can sign payloads using private keys stored in the [YubiHSM 2 hardware security module]. Web3Signer -supports using the device as a secure key storage only. +Web3Signer can sign payloads using private keys stored in the [YubiHSM 2 hardware security module]. +Web3Signer supports using the device as a secure key storage only. ## Prerequisites Install the [YubiHSM 2 SDK] on the Web3Signer machine. -## Store private keys in YubiHSM 2 +## Store private keys in YubiHSM 2 [Store private keys in the device] using the `opaque-data` algorithm in `hex` format. All private keys on the device must be accessible using the same authentication key ID and password. -The following steps show an example of storing a key in YubiHSM: +The following steps show an example of storing a key in YubiHSM: 1. Store a private key in YubiHSM with `object-id=3` and `new-password=password3`, using the YubiHSM default credentials of `authkey=1` and `password=password`: @@ -44,20 +44,20 @@ The following steps show an example of storing a key in YubiHSM: - + ```bash Created session 0 Stored Authentication key 0x0003 ``` - + -2. Put the opaque data using `authkey=3` with the opaque `object-ID=15`: +2. Put the opaque data using `authkey=3` with the opaque `object-ID=15`: - + ```bash yubihsm-shell \ --connector=yhusb:// \ @@ -71,20 +71,20 @@ The following steps show an example of storing a key in YubiHSM: --capabilities=none \ --informat=hex --in=5e8d5667ce78982a07242739ab03dc63c91e830c80a5b6adca777e3f216a405d ``` - + - + ```bash Session keepalive set up to run every 15 seconds Created session 0 Stored 32 bytes to Opaque object 0x000f ``` - + -3. Use `authkey=1` to view the inserted data: +3. Use `authkey=1` to view the inserted data: 
@@ -113,37 +113,39 @@ The following steps show an example of storing a key in YubiHSM: 4. Identify the location of the `yubihsm_pkcs11` dynamic library. For example, on Mac, it is installed at `/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib` using the - latest YubiHSM release. + latest YubiHSM release. - :::info Note for Mac only + :::info Note for Mac only Due to a bug in how the YubiHSM libraries are generated, copy the file to the parent directory (`/usr/local/lib`): - ```bash + ```bash sudo cp /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib /usr/local/lib/ ``` - Create a soft link in the directory from where Web3Signer is running: + Create a soft link in the directory from where Web3Signer is running: + ```bash ln -s /usr/local/lib/libyubihsm_usb.2.dylib ./libyubihsm_usb.2.dylib ``` + ::: 5. Create a [key configuration file for YubiHSM](../../../reference/key-config-file-params.md#yubihsm-2) - in the `keys` subdirectory. + in the `keys` subdirectory. ```bash - type: yubihsm - connectorUrl: yhusb:// - authId: 3 - password: password3 - opaqueDataId: 15 + type: yubihsm + connectorUrl: yhusb:// + authId: 3 + password: password3 + opaqueDataId: 15 pkcs11ModulePath: /usr/local/lib/yubihsm_pkcs11.dylib additionalInitConfig: debug libdebug timeout=5 ``` -6. Specify the `key-store-path` as the `keys` subdirectory when starting Web3Signer. +6. Specify the `key-store-path` as the `keys` subdirectory when starting Web3Signer. - The output displayed indicates one key has been loaded: + The output displayed indicates one key has been loaded: ```bash 2023-10-04 15:30:27.761+10:00 | pool-2-thread-1 | INFO | SignerLoader | Converting signing metadata to Artifact Signer using parallel streams ... diff --git a/docs/how-to/store-keys/index.md b/docs/how-to/store-keys/index.md index f71ed61..38efb28 100644 --- a/docs/how-to/store-keys/index.md +++ b/docs/how-to/store-keys/index.md 
@@ -14,18 +14,18 @@ Web3Signer supports BLS12-381 (`Eth2`) or secp256k1 (`Eth1`) signing keys stored | Key storage | SECP256K1 | BLS | |--------------------------------------|:---------:|:---:| | Raw files | x | x | -| [Keystore files] | x | x | -| **Vaults** | -| [Hashicorp Vault] | x | x | -| [Azure Key Vault] | x | x | -| [AWS Secrets Manager] | | x | -| [AWS KMS] | x | | +| [Keystore files] | x | x | +| **Vaults** | | | +| [Hashicorp Vault] | x | x | +| [Azure Key Vault] | x | x | +| [AWS Secrets Manager] | | x | +| [AWS KMS] | x | | | [GCP Secret Manager] | | x | | **Hardware Security Modules (HSMs)** | | | | [YubiHSM 2] | x | x | | [USB Armory Mk II] | x | x | -Web3Signer supports `Eth1` signing from HSMs and vaults, but must load private keys into memory for `Eth2` signing. +Web3Signer supports `Eth1` signing from HSMs and vaults, but must load private keys into memory for `Eth2` signing. Follow [best practices](../../get-started/key-best-practices.md) when storing private keys. After storing keys, [load keys into Web3Signer](../load-keys.md). diff --git a/docs/how-to/store-keys/vaults/aws/kms-execution-layer.md b/docs/how-to/store-keys/vaults/aws/kms-execution-layer.md index cf1bfd5..a160019 100644 --- a/docs/how-to/store-keys/vaults/aws/kms-execution-layer.md +++ b/docs/how-to/store-keys/vaults/aws/kms-execution-layer.md 
@@ -6,17 +6,17 @@ sidebar_position: 2 # Use Web3Signer with AWS Key Management Service -Web3Signer supports execution layer signing with secp256k1 keys stored in +Web3Signer supports execution layer signing with secp256k1 keys stored in [AWS Key Management Service (KMS)](https://aws.amazon.com/kms/). The [AWS KMS documentation](https://aws.amazon.com/kms/getting-started/) provides the information you need to get started. -## Load keys from AWS KMS +## Load keys from AWS KMS -Keys stored in AWS KMS can be loaded into Web3Signer by: +Keys stored in AWS KMS can be loaded into Web3Signer by: -* Using a [key configuration file](../../../load-keys.md#use-key-configuration-files). +* Using a [key configuration file](../../../load-keys.md#use-key-configuration-files). * Bulk loading using the [`eth1` subcommand](../../../load-keys.md#aws-key-management-service). ## Cache AWS KMS when loading multiple keys @@ -27,4 +27,4 @@ uses the same access key ID and region. Set the [`eth1 --aws-connection-cache-size`](../../../../reference/cli/subcommands.md#aws-connection-cache-size-1) option to the maximum number of AWS KMS connections to cache. -The default is `1`. \ No newline at end of file +The default is `1`. diff --git a/docs/how-to/store-keys/vaults/gcp.md b/docs/how-to/store-keys/vaults/gcp.md index 4805e51..5b0ce77 100644 --- a/docs/how-to/store-keys/vaults/gcp.md +++ b/docs/how-to/store-keys/vaults/gcp.md @@ -12,7 +12,7 @@ Web3Signer supports consensus layer signing with BLS keys stored in The [GCP Secret Manager documentation](https://cloud.google.com/secret-manager/docs) provides the information you need to get started. -## Authentication +## Authentication Web3Signer uses [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication#adc) to authenticate with GCP Secret Manager. ADC automatically finds credentials and manages token retrieval, enabling 
diff --git a/docs/reference/api/json-rpc.md b/docs/reference/api/json-rpc.md index 32ec25b..a557d71 100644 --- a/docs/reference/api/json-rpc.md +++ b/docs/reference/api/json-rpc.md @@ -140,7 +140,8 @@ curl -X POST --data '{"jsonrpc":"2.0","method":"eth_signTransaction","params":[{ ## `eth_signTypedData` -`eth_signTypedData` is the same as [`eth_sign`](#ethsign) except a typed data structure is specified as the object to be signed instead of a data string. +`eth_signTypedData` is the same as [`eth_sign`](#ethsign) except a typed data structure is specified +as the object to be signed instead of a data string. Calculates an Ethereum specific signature using `sign(keccak256("\x19Ethereum Signed Message:\n" + len(message) + message)))."` @@ -150,7 +151,7 @@ specific signature. This prevents malicious dapps from signing arbitrary data (for example, a transaction) and using the signature to impersonate the victim. -The JSON schema for the typed data structure to sign is: +The JSON schema for the typed data structure to sign is: ```json { @@ -216,7 +217,8 @@ curl -X POST --data '{"jsonrpc":"2.0","method":"eth_signTypedData","params":["0x Creates and signs a transaction using the signing key. -Web3Signer submits the signed transaction to Besu using [`eth_sendRawTransaction`](https://besu.hyperledger.org/stable/public-networks/reference/api#eth_sendrawtransaction). +Web3Signer submits the signed transaction to Besu using +[`eth_sendRawTransaction`](https://besu.hyperledger.org/stable/public-networks/reference/api#eth_sendrawtransaction). ### Parameters @@ -268,4 +270,4 @@ curl -X POST --data '{"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{ -[EIP-1559]: https://eips.ethereum.org/EIPS/eip-1559 \ No newline at end of file +[EIP-1559]: https://eips.ethereum.org/EIPS/eip-1559 diff --git a/docs/reference/api/rest.md b/docs/reference/api/rest.md index ec0213d..7369c7d 100644 --- a/docs/reference/api/rest.md +++ b/docs/reference/api/rest.md 
@@ -5,11 +5,11 @@ sidebar_position: 2 # Web3Signer REST API -The Web3Signer REST API contains an ETH2 (that is, consensus layer) API, and an ETH1 (that is, execution layer) API. -Use the ETH2 API for signing consensus layer payloads. +The Web3Signer REST API contains an ETH2 (that is, consensus layer) API, and an ETH1 (that is, execution layer) API. +Use the ETH2 API for signing consensus layer payloads. -We recommend using the [Web3Signer JSON-RPC API](json-rpc.md) for signing execution layer payloads. The ETH1 REST API contains a basic signing method but does not implement transaction encoding -or create an an Ethereum signature. +We recommend using the [Web3Signer JSON-RPC API](json-rpc.md) for signing execution layer payloads. The ETH1 REST API +contains a basic signing method but does not implement transaction encoding or create an an Ethereum signature. ## View the REST API documentation diff --git a/docs/reference/cli/options.md b/docs/reference/cli/options.md index fc5e2ad..adc8f8e 100644 --- a/docs/reference/cli/options.md +++ b/docs/reference/cli/options.md @@ -86,6 +86,7 @@ WEB3SIGNER_DATA_PATH=/Users/me/my_node/data ```bash data-path: "/Users/me/my_node/data" ``` + @@ -977,7 +978,7 @@ tls-known-clients-file: "/Users/me/my_node/knownClients.txt" -File containing the Common Names and SHA-256 fingerprints of +File containing the Common Names and SHA-256 fingerprints of [authorized clients](../../how-to/configure-tls.md#create-the-known-clients-file). ### `tls-allow-ca-clients` diff --git a/docs/reference/cli/subcommands.md b/docs/reference/cli/subcommands.md index fe80901..f3cebf4 100644 --- a/docs/reference/cli/subcommands.md +++ b/docs/reference/cli/subcommands.md 
@@ -248,7 +248,7 @@ eth1.aws-kms-client-cache-size: "5" -AWS KMS client cache size. Set to the total number of credentials +AWS KMS client cache size. Set to the total number of credentials used to access the service plus the number of regions the service is accessed from. The default is `1`. #### `aws-kms-enabled` @@ -285,7 +285,7 @@ eth1.aws-kms-enabled: "true" -Set to `true` to enable bulk loading from the AWS KMS. The default is `false`. +Set to `true` to enable bulk loading from the AWS KMS. The default is `false`. #### `aws-kms-region` @@ -582,7 +582,8 @@ eth1.azure-response-timeout: "40" -The response timeout used by the HTTP client (in seconds). The default is 60. You can also set the timeout using the `timeout` field in the Azure metadata file. +The response timeout used by the HTTP client (in seconds). The default is 60. You can also set the timeout using +the `timeout` field in the Azure metadata file. #### `azure-tags` @@ -767,7 +768,8 @@ eth1.chain-id: "2017" -ID of the chain to receive the signed transactions. The Besu documentation lists [chain IDs for public networks](https://besu.hyperledger.org/development/public-networks/concepts/network-and-chain-id). +ID of the chain to receive the signed transactions. The Besu documentation +lists [chain IDs for public networks](https://besu.hyperledger.org/development/public-networks/concepts/network-and-chain-id). #### `downstream-http-host` @@ -2061,7 +2063,7 @@ eth2.gcp-secrets-enabled: true -Set to `true` to enable bulk loading from the GCP Secrets Manager service. The default is `false`. +Set to `true` to enable bulk loading from the GCP Secrets Manager service. The default is `false`. #### `gcp-secrets-filter` diff --git a/docs/reference/key-config-file-params.md b/docs/reference/key-config-file-params.md index 1e797c8..49aeb90 100644 --- a/docs/reference/key-config-file-params.md +++ b/docs/reference/key-config-file-params.md 
@@ -138,7 +138,7 @@ keyName: "KeyName" ## AWS Secrets Manager Use the private key stored in [AWS Secrets Manager](../how-to/store-keys/vaults/aws/secrets-manager-consensus-layer.md). -Supports BLS keys for consensus layer signing. +Supports BLS keys for consensus layer signing. ```bash type: "aws-secret" @@ -162,8 +162,8 @@ region: "us-west-2" ## AWS Key Management Service -Use the private key stored in [AWS Key Management Service (KMS)](../how-to/store-keys/vaults/aws/kms-execution-layer.md). -Supports SECP256K1 keys for execution layer signing. +Use the private key stored in [AWS Key Management Service (KMS)](../how-to/store-keys/vaults/aws/kms-execution-layer.md). +Supports SECP256K1 keys for execution layer signing. ```bash type: "aws-kms" diff --git a/docs/reference/security-disclosure.md b/docs/reference/security-disclosure.md index c1b3e32..e90b807 100644 --- a/docs/reference/security-disclosure.md +++ b/docs/reference/security-disclosure.md @@ -5,7 +5,9 @@ sidebar_position: 4 # Security disclosure policy -At Consensys, security is a priority. But regardless of how much effort we put into system security, there may still be vulnerabilities present. If you discover a vulnerability, we want to know about it so we can take steps to address it as quickly as possible. You can help us better protect our clients and our systems. +At Consensys, security is a priority. But regardless of how much effort we put into system security, there may still be vulnerabilities present. +If you discover a vulnerability, we want to know about it so we can take steps to address it as quickly as possible. +You can help us better protect our clients and our systems. Please do the following: