-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add verification feature #631
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally, it looks alright. I have a few requests though:
- Would like to see how it's being verified / a link to the source code for it. Error messages are a little cloudy / it's failing to compile on the framework, which is strange.
- Minor: Verification service should be a little smarter. No reason to compile if it's already been compiled and not changed (this might require more work). This is purely an optimization though, and could still always compile on each button click.
- Please fix the lints so the build succeeds, as shown in the CI below
setIsInProgress(false); | ||
if (dto.errMsg) { | ||
setVerificationStatus("NOT_VERIFIED"); | ||
setVerificationServerErr(`${dto.errMsg}`); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My main concern is the messages that currently come out of this need to be cleaned up a bit. Would be great to see some of the code for the verification service.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I fixed verification server to show the actual error message.
(ex. Move compilation failed: Unable to resolve packages for package 'AptosFramework': While resolving dependency 'AptosStdlib' in package 'AptosFramework': While processing dependency 'AptosStdlib': Unable to find package manifest for 'AptosStdlib' at "~/mainnet/0x1/1704956814227/../aptos-stdlib" )
export const defaultVerificationServiceUrl = | ||
"https://verify.welldonestudio.io/aptos"; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If there's a service for this, we should possibly provide help details somewhere for how someone can run it themselves. Since, this is essentially trusting this URL entirely, it would be good to provide a more trustless system (you can run it yourself), or that the foundation will run it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will inform you once I have prepared for it.
Hello, @gregnazario. Thank you for your feedback. I answered your questions below.
I updated the version of Aptos CLI to the latest 2.4.0 which the verification server uses to compile. Current verification service has two limitations.
I am considering below solutions for this limitation.
It would be appreciate if you have a comment about this limitations. |
Yeah, I'm aware of those limitations, which can be a pain. For now, maybe when we know it's address 0x1, that we can use the dependencies direct from git just so it doesn't say "it's unverified", especially since. The source code is uploaded at the same time |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The service doesn't seem to handle named addresses correctly. If there's a named address, it just fails.
I heard that you inquired with sooyoung as follows. and I received a below link for test. I could not compile the source code from on-chain even though I filled named address with CLI
I seems that additional version information needs to be uploaded to onchain when publishing packages to verify stable. For now, the service does not handle named addresses. To test,
and compiled and analyzed bytecode.
I have some questions.
I am considering trying the following method.
I would appreciate your opinion on whether above method is a feasible approach. |
I added @gregnazario to the repository of the verification server. Below is the part of verification logic. |
@gregnazario Hello, Greg. I granted a github repo read permission of verification server as you requested. But it seems that the progress is pending for a long time. When you can initiate the review again, please let me know, and I'll grant the permission again. |
Hello,
I added code verification feature.
The feature enables user to check if the source code matches to the on-chain bytecode.
User can choose verification service by changing url input.
The verification server get source code by account resource query and builds the source code
and compares the built bytecode to on-chain bytecode.
Please refer to below screenshots.