no more default devnet VK; it should now be set manually via GenesisC…

…onfiguration during (re)deployment
aptos-labs · Jan 10, 2025 · 951a286 · 951a286
1 parent 4b1b3e9
commit 951a286
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 28 deletions.
diff --git a/aptos-move/e2e-move-tests/README.md b/aptos-move/e2e-move-tests/README.md
@@ -0,0 +1,9 @@
+# e2e-move-tests
+
+## Keyless
+
+To run the keyless VM tests:
+
+```
+cargo test -- keyless
+```
diff --git a/aptos-move/e2e-move-tests/src/tests/keyless_feature_gating.rs b/aptos-move/e2e-move-tests/src/tests/keyless_feature_gating.rs
@@ -16,6 +16,7 @@ use aptos_types::{
         },
         AnyKeylessPublicKey, Configuration, EphemeralCertificate, FederatedKeylessPublicKey,
         Groth16VerificationKey, KeylessPublicKey, KeylessSignature, TransactionAndProof,
+        DEVNET_VERIFICATION_KEY,
     },
     on_chain_config::FeatureFlag,
     transaction::{
@@ -35,7 +36,7 @@ use move_core_types::{
     },
 };
 
-/// Initializes an Aptos VM and sets the keyless configuration via script (the VK is already set in genesis).
+/// Initializes an Aptos VM and sets the keyless configuration via script.
 fn init_feature_gating(
     enabled_features: Vec<FeatureFlag>,
     disabled_features: Vec<FeatureFlag>,
@@ -46,6 +47,12 @@ fn init_feature_gating(
 
     // initialize JWKs
     let core_resources = run_jwk_and_config_script(&mut h);
+    // initialize default VK
+    run_upgrade_vk_script(
+        &mut h,
+        core_resources.clone(),
+        Groth16VerificationKey::from(DEVNET_VERIFICATION_KEY.clone()),
+    );
 
     (h, recipient, core_resources)
 }
@@ -256,6 +263,14 @@ fn test_federated_keyless_at_jwk_addr() {
 
     let jwk_addr = AccountAddress::from_hex_literal("0xadd").unwrap();
 
+    // Step 0: Make sure the default VK is installed
+    let core_resources = h.new_account_at(AccountAddress::from_hex_literal("0xA550C18").unwrap());
+    run_upgrade_vk_script(
+        &mut h,
+        core_resources.clone(),
+        Groth16VerificationKey::from(DEVNET_VERIFICATION_KEY.clone()),
+    );
+
     // Step 1: Make sure TXN validation fails if JWKs are not installed at jwk_addr.
     let (sig, pk) = get_sample_groth16_sig_and_pk();
     let sender = create_federated_keyless_account(&mut h, jwk_addr, pk);
@@ -280,7 +295,7 @@ fn test_federated_keyless_at_jwk_addr() {
     // Step 1: Make sure TXN validation succeeds once JWKs are installed at jwk_addr.
     let iss = get_sample_iss();
     let jwk = get_sample_jwk();
-    let _core_resources = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk);
+    let _ = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk);
 
     let txn = spend_keyless_account(&mut h, sig, &sender, *recipient.address());
     let output = h.run_raw(txn);
@@ -308,7 +323,14 @@ fn test_federated_keyless_override_at_0x1() {
     let jwk_addr = AccountAddress::from_hex_literal("0xadd").unwrap();
     let iss = get_sample_iss();
     let jwk = secure_test_rsa_jwk(); // this will be the wrong JWK
-    let _core_resources = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk);
+    let core_resources = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk);
+
+    // Step 0: Make sure the default VK is installed
+    run_upgrade_vk_script(
+        &mut h,
+        core_resources.clone(),
+        Groth16VerificationKey::from(DEVNET_VERIFICATION_KEY.clone()),
+    );
 
     // Step 1: Make sure the TXN does not validate, since the wrong JWK is installed at JWK addr
     let (sig, pk) = get_sample_groth16_sig_and_pk();
@@ -441,7 +463,7 @@ fn create_and_spend_keyless_account(
     spend_keyless_account(h, sig, &account, recipient)
 }
 
-/// Sets the keyless configuration (Note: the VK is already set in genesis.)
+/// Sets the keyless configuration
 fn run_jwk_and_config_script(h: &mut MoveHarness) -> Account {
     let core_resources = h.new_account_at(AccountAddress::from_hex_literal("0xA550C18").unwrap());
 
@@ -475,16 +497,14 @@ fn run_jwk_and_config_script(h: &mut MoveHarness) -> Account {
         .sign();
 
     // NOTE: We cannot write the Configuration and Groth16Verification key via MoveHarness::set_resource
-    // because it does not (yet) work with resource groups. This is okay, because the VK will be
-    // there from genesis.
+    // because it does not (yet) work with resource groups.
 
     assert_success!(h.run(txn));
 
     core_resources
 }
 
-/// Sets the keyless configuration and installs the sample RSA JWK as a federated JWK
-/// (Note: the VK is already set in genesis.)
+/// Sets the keyless configuration and installs the sample RSA JWK as a federated JWK.
 fn install_federated_jwks_and_set_keyless_config(
     h: &mut MoveHarness,
     jwk_owner: AccountAddress,
@@ -524,8 +544,7 @@ fn federated_keyless_init_config(h: &mut MoveHarness, core_resources: Account) {
         .sign();
 
     // NOTE: We cannot write the Configuration and Groth16Verification key via MoveHarness::set_resource
-    // because it does not (yet) work with resource groups. This is okay, because the VK will be
-    // there from genesis.
+    // because it does not (yet) work with resource groups.
 
     assert_success!(h.run(txn));
 }
@@ -557,8 +576,7 @@ fn federated_keyless_install_jwk(
         .sign();
 
     // NOTE: We cannot write the Configuration and Groth16Verification key via MoveHarness::set_resource
-    // because it does not (yet) work with resource groups. This is okay, because the VK will be
-    // there from genesis.
+    // because it does not (yet) work with resource groups.
 
     assert_success!(h.run(txn));
 }

diff --git a/aptos-move/vm-genesis/src/lib.rs b/aptos-move/vm-genesis/src/lib.rs
@@ -27,8 +27,7 @@ use aptos_types::{
         secure_test_rsa_jwk,
     },
     keyless::{
-        self, test_utils::get_sample_iss, Groth16VerificationKey, DEVNET_VERIFICATION_KEY,
-        KEYLESS_ACCOUNT_MODULE_NAME,
+        self, test_utils::get_sample_iss, Groth16VerificationKey, KEYLESS_ACCOUNT_MODULE_NAME,
     },
     move_utils::as_move_value::AsMoveValue,
     on_chain_config::{
@@ -111,7 +110,7 @@ pub struct GenesisConfiguration {
     pub randomness_config_override: Option<OnChainRandomnessConfig>,
     pub jwk_consensus_config_override: Option<OnChainJWKConsensusConfig>,
     pub initial_jwks: Vec<IssuerJWK>,
-    pub keyless_groth16_vk_override: Option<Groth16VerificationKey>,
+    pub keyless_groth16_vk: Option<Groth16VerificationKey>,
 }
 
 pub static GENESIS_KEYPAIR: Lazy<(Ed25519PrivateKey, Ed25519PublicKey)> = Lazy::new(|| {
@@ -312,7 +311,7 @@ pub fn encode_genesis_change_set(
         &module_storage,
         chain_id,
         genesis_config.initial_jwks.clone(),
-        genesis_config.keyless_groth16_vk_override.clone(),
+        genesis_config.keyless_groth16_vk.clone(),
     );
     set_genesis_end(&mut session, &module_storage);
 
@@ -686,7 +685,7 @@ fn initialize_keyless_accounts(
     module_storage: &impl AptosModuleStorage,
     chain_id: ChainId,
     mut initial_jwks: Vec<IssuerJWK>,
-    vk_override: Option<Groth16VerificationKey>,
+    vk: Option<Groth16VerificationKey>,
 ) {
     let config = keyless::Configuration::new_for_devnet();
     exec_function(
@@ -700,9 +699,8 @@ fn initialize_keyless_accounts(
             config.as_move_value(),
         ]),
     );
-    if !chain_id.is_mainnet() {
-        let vk =
-            vk_override.unwrap_or_else(|| Groth16VerificationKey::from(&*DEVNET_VERIFICATION_KEY));
+
+    if vk.is_some() {
         exec_function(
             session,
             module_storage,
@@ -711,10 +709,11 @@ fn initialize_keyless_accounts(
             vec![],
             serialize_values(&vec![
                 MoveValue::Signer(CORE_CODE_ADDRESS),
-                vk.as_move_value(),
+                vk.unwrap().as_move_value(),
             ]),
         );
-
+    }
+    if !chain_id.is_mainnet() {
         let additional_jwk_patch = IssuerJWK {
             issuer: get_sample_iss(),
             jwk: JWK::RSA(secure_test_rsa_jwk()),
@@ -1255,7 +1254,7 @@ pub fn generate_test_genesis(
             randomness_config_override: None,
             jwk_consensus_config_override: None,
             initial_jwks: vec![],
-            keyless_groth16_vk_override: None,
+            keyless_groth16_vk: None,
         },
         &OnChainConsensusConfig::default_for_genesis(),
         &OnChainExecutionConfig::default_for_genesis(),
@@ -1307,7 +1306,7 @@ fn mainnet_genesis_config() -> GenesisConfiguration {
         randomness_config_override: None,
         jwk_consensus_config_override: None,
         initial_jwks: vec![],
-        keyless_groth16_vk_override: None,
+        keyless_groth16_vk: None,
     }
 }
 

diff --git a/crates/aptos-genesis/src/lib.rs b/crates/aptos-genesis/src/lib.rs
@@ -79,7 +79,7 @@ pub struct GenesisInfo {
     pub randomness_config_override: Option<OnChainRandomnessConfig>,
     pub jwk_consensus_config_override: Option<OnChainJWKConsensusConfig>,
     pub initial_jwks: Vec<IssuerJWK>,
-    pub keyless_groth16_vk_override: Option<Groth16VerificationKey>,
+    pub keyless_groth16_vk: Option<Groth16VerificationKey>,
 }
 
 impl GenesisInfo {
@@ -120,7 +120,7 @@ impl GenesisInfo {
             randomness_config_override: genesis_config.randomness_config_override.clone(),
             jwk_consensus_config_override: genesis_config.jwk_consensus_config_override.clone(),
             initial_jwks: genesis_config.initial_jwks.clone(),
-            keyless_groth16_vk_override: genesis_config.keyless_groth16_vk_override.clone(),
+            keyless_groth16_vk: genesis_config.keyless_groth16_vk_override.clone(),
         })
     }
 
@@ -157,7 +157,7 @@ impl GenesisInfo {
                 randomness_config_override: self.randomness_config_override.clone(),
                 jwk_consensus_config_override: self.jwk_consensus_config_override.clone(),
                 initial_jwks: self.initial_jwks.clone(),
-                keyless_groth16_vk_override: self.keyless_groth16_vk_override.clone(),
+                keyless_groth16_vk: self.keyless_groth16_vk.clone(),
             },
             &self.consensus_config,
             &self.execution_config,

diff --git a/crates/aptos-genesis/src/mainnet.rs b/crates/aptos-genesis/src/mainnet.rs
@@ -144,7 +144,7 @@ impl MainnetGenesisInfo {
                 randomness_config_override: self.randomness_config_override.clone(),
                 jwk_consensus_config_override: self.jwk_consensus_config_override.clone(),
                 initial_jwks: vec![],
-                keyless_groth16_vk_override: None,
+                keyless_groth16_vk: None,
             },
         )
     }