diff --git a/content/guides/advanced/verified-builds.md b/content/guides/advanced/verified-builds.md index f87473775..e601ab46d 100644 --- a/content/guides/advanced/verified-builds.md +++ b/content/guides/advanced/verified-builds.md @@ -135,9 +135,6 @@ The Solana Verify CLI is the primary tool used to verify builds. Solana Verify CLI is currently maintained by [Ellipsis Labs](https://ellipsislabs.xyz/) and can be installed using Cargo. -> The verify process will soon move into the [Anza](https://www.anza.xyz/) tool -> suite. The general way of verifying builds will stay very similar though. - You can install it by running: ```bash @@ -331,8 +328,31 @@ artifact from your repository. The default is the [OtterSec API](https://github.com/otter-sec/solana-verified-programs-api). -Once the build is done, which takes a while, and was successful you will be able -to see your program as verified in the +Make sure to pick yes when you are asked to upload the verification data +onchain. This is used by the API to verify that you uploaded the verification +data. + +You can also trigger a remote job manually by using: + +```bash +solana-verify remote submit-job --program-id --uploader
+``` + +Where the uploader is the address that has the authority to write to the PDA. +That should be program authority in most cases. If your program is controlled by +a multisig please continue in the +[multisig verification](#how-to-verify-your-program-when-its-controlled-by-a-multisig-like-squads) +part of this guide below. + +This will submit a job to the OtterSec API and you can then verify the job +status with: + +```bash +solana-verify remote get-job-status --job-id +``` + +Once the verification has completed successfully, which may take awhile, you +will be able to see your program as verified in the [OtterSec API for single programs](https://verify.osec.io/status/PhoeNiXZ8ByJGLkxNfZRnkUfjvmuYqLR89jjFHGqdXY) and in the [Solana Explorer](https://explorer.solana.com/address/PhoeNiXZ8ByJGLkxNfZRnkUfjvmuYqLR89jjFHGqdXY/verified-build), 
@@ -348,6 +368,153 @@ contributing to a more healthy Solana ecosystem. +## How to verify your program when its controlled by a Multisig like Squads + +For the remote verification to work you need to write the verification data into +a PDA signed by the program authority. If your program is controlled by a +multisig you can export this write PDA transaction and submit it through +[Squads Protocol](https://squads.so/protocol) or another multisig solution of +your choice. + + + +### 1. Build the verifiable program + +First build the program: + +```bash +solana-verify build +``` + +This will build a verifiable build using a docker container using the solana +version specified in the `Cargo.lock` file. + +### 2. Deploy the program + +```bash +solana config set --url "PayedMainnetRPCAddress" // the public endpoint will be rate limited too much +solana program deploy target/deploy/verify_squads.so +``` + +For the rest of this multisig guide, we will use an example program ID of +`6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD`. + +### 3. Commit and verify against repository + +Once that is done we commit the project to to github. Here is an example: +https://github.com/solana-developers/verify-squads + +Optional: See if you can verify locally first (this command uses example program +ID `6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD`): + +```bash +solana-verify verify-from-repo https://github.com/solana-developers/verify-squads --program-id 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD +``` + +Just to make sure your parameters are correct. + +### 4. Transfer program authority to multisig + +If you have not yet transfer your programs authority to the multisig and copy +the multisig authority. You need it in the next step. + +### 5. Export PDA transaction + +When you have you program authority locally you are prompted to upload the build +data onchain when using the command `solana-verify verify-from-repo`. 
+ +Since you can not do that when you are using a multisig you need to export the +PDA transaction manually and then trigger the transaction through Squads. + +```bash +solana-verify export-pda-tx https://github.com/solana-developers/verify-squads --program-id 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD --uploader --encoding base58 --compute-unit-price 0 +``` + +This will return you a base58 transcation. If you want a base64 encoded +transaction for use in a transaction inspector, you can use `--encoding base64`. + +```bash 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 +``` + +### 6. Submit transaction through Squads + +Go to the squads transaction builder and import the base58 encoded transaction. +Make sure that in the simulation the transaction only has a call to the osec +verify program and the computer budget program and nothing else! + +### 7. Submit remote verification job + +Once the transaction to squads was successful you can submit the remote job: + +```bash +solana-verify remote submit-job --program-id 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD +--uploader +``` + +This is it! You have verified your program against a public repository and +submitted a remote job to the OtterSec API. You should be able to see it reflect +in the solana explorer and other places now. + +### 8. Updating the program (Optional) + +When you update your program you need to export a new PDA transaction and submit +it through Squads again. + +Doing an update to the program: + +```bash +solana-verify build +solana program write-buffer target/deploy/verify_squads.so --with-compute-unit-price 50000 --max-sign-attempts 50 +``` + +Then transfer that buffer authority to the multisig or directly create the +buffer with the authority of the multisig. + +```bash +solana program set-buffer-authority Fu3k79g53ZozAj47uq1tXrFy4QbQYh7y745DDsxjtyLR --new-buffer-authority 3JG6ULvZVCrkKtSSskKNJGe8RNZGFe8Ruev9KUhxzK5K +``` + +### 9. 
Export and submit new PDA transaction + +Don't forget to commit your changes to github. Export the PDA upgrade +transaction again: + +```bash +solana-verify export-pda-tx https://github.com/solana-developers/verify-squads --program-id 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD --uploader 3JG6ULvZVCrkKtSSskKNJGe8RNZGFe8Ruev9KUhxzK5K +``` + +Submit the transaction through Squads again. + +You can see an example transaction here: + +https://solana.fm/tx/4zJ1vK2KToAwxuEYzTMLqPkcebjoi9rdeeyxtEEx9L5Q4vWDA8h6Rr4kPRuRxcV7ZLKMr6qx1LTWb6x3ZpUJaFUW?cluster=mainnet-alpha + +Then submit for another remote build: + +```bash +solana-verify remote submit-job --program-id 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD --uploader 3JG6ULvZVCrkKtSSskKNJGe8RNZGFe8Ruev9KUhxzK5K +``` + +Should result in something like this: + +```shell +Verification request sent with request id: b63339d2-163e-49ac-b55d-3454c1c2b5b3 +Verification in progress... ⏳ [00:18:02] ✅ Process completed. (Done in 18 +minutes) Program 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD has been verified. +✅ The provided GitHub build matches the on-chain hash. On Chain Hash: +96f8c3d9400258f7759408d1f6f8435b4a24d9b52f5a0340d97907e567cb8773 Executable +Hash: 96f8c3d9400258f7759408d1f6f8435b4a24d9b52f5a0340d97907e567cb8773 Repo URL: +https://github.com/Woody4618/verify-squads/tree/0fb0a2e30c15c51732c0ad5e837975a6f7bbc7ed +Check the verification status at: +https://verify.osec.io/status/6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD Job +url: https://verify.osec.io/job/b63339d2-163e-49ac-b55d-3454c1c2b5b3 +``` + +Congratulations you have verified your program after a multisig upgrade! + + + ## Verify from docker image You can also verify your program against a docker image by running the following 
@@ -412,6 +579,68 @@ a remote build of your program. Once the build is complete, the system verifies that the onchain hash of your program matches the hash of the generated build artifact from your repository. +## Popular programs that are already verified + +### Phoenix + +```shell +solana-verify verify-from-repo -um --program-id PhoeNiXZ8ByJGLkxNfZRnkUfjvmuYqLR89jjFHGqdXY https://github.com/Ellipsis-Labs/phoenix-v1 +``` + +Final Output: + +```shell +Executable Program Hash from repo: 6877a5b732b3494b828a324ec846d526d962223959534dbaf4209e0da3b2d6a9 +On-chain Program Hash: 6877a5b732b3494b828a324ec846d526d962223959534dbaf4209e0da3b2d6a9 +Program hash matches ✅ +``` + +### Squads V3 + +```shell +solana-verify verify-from-repo https://github.com/Squads-Protocol/squads-mpl --commit-hash c95b7673d616c377a349ca424261872dfcf8b19d --program-id SMPLecH534NA9acpos4G6x7uf3LWbCAwZQE9e8ZekMu -um --library-name squads_mpl --bpf +``` + +> Notice we needed to specify the `library-name` because the Squads repo +> includes multiple programs. We use the `--bpf` flag because `squads_mpl` was +> previously verified with Anchor. 
+ +Final Output: + +```shell +Executable Program Hash from repo: 72da599d9ee14b2a03a23ccfa6f06d53eea4a00825ad2191929cbd78fb69205c +On-chain Program Hash: 72da599d9ee14b2a03a23ccfa6f06d53eea4a00825ad2191929cbd78fb69205c +Program hash matches ✅ +``` + +### Drift V2 + +```shell +solana-verify verify-from-repo -um --program-id dRiftyHA39MWEi3m9aunc5MzRF1JYuBsbn6VPcn33UH https://github.com/drift-labs/protocol-v2 --commit-hash 110d3ff4f8ba07c178d69f9bfc7b30194fac56d6 --library-name drift +``` + +Final Output: + +```shell +Executable Program Hash from repo: e31d58edeabc3c30bf6f2aa60bfaa5e492b41ec203e9006404b463e5adee5828 +On-chain Program Hash: e31d58edeabc3c30bf6f2aa60bfaa5e492b41ec203e9006404b463e5adee5828 +Program hash matches ✅ +``` + +### Marginfi V2 + +```shell +solana-verify verify-from-repo -um --program-id MFv2hWf31Z9kbCa1snEPYctwafyhdvnV7FZnsebVacA https://github.com/mrgnlabs/marginfi-v2 --commit-hash d33e649e415c354cc2a1e3c49131725552d69ba0 --library-name marginfi -- --features mainnet-beta +``` + +Final Output: + +```shell +Executable Program Hash from repo: 890d68f48f96991016222b1fcbc2cc81b8ef2dcbf280c44fe378c523c108fad5 +On-chain Program Hash: 890d68f48f96991016222b1fcbc2cc81b8ef2dcbf280c44fe378c523c108fad5 +Program hash matches ✅ +``` + # Conclusion Using [verified builds on Solana](/content/guides/advanced/verified-builds.md)
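Review bot: in the `@@ -331,8 +328,31 @@` hunk, both new commands end in flags that have no value (`--program-id --uploader` and `--job-id`), so they cannot be run as written. Add explicit placeholders for the program ID, the uploader address and the job ID, and say where the reader finds the job ID. The sentence "This is used by the API to verify that you uploaded the verification data" is circular; the multisig section added later in this patch states the actual requirement (the verification data is written into a PDA signed by the program authority), and that explanation belongs here as well. Smaller points: "awhile" should be "a while", and "That should be program authority" is missing "the".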
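Review bot: step 6 of the multisig section (`@@ -348,6 +368,153 @@`) is the only check the multisig signers are given before approving the imported transaction, yet it names a "computer budget program" (should be "compute budget program") and gives no program IDs to compare the simulation against. List the expected program IDs for the two permitted programs so that signers can reject a transaction containing anything else. Several commands in the same hunk are not runnable as written: step 2 puts a `//` comment after the command inside a `bash` block where `#` is needed, step 7 breaks the line before `--uploader` without a trailing `\`, and `--uploader` has no value in steps 5 and 7. Step 4 is an unfinished sentence with no command for the authority transfer, the buffer address and new buffer authority in step 8 are used without being introduced, step 9 drops the `--encoding` and `--compute-unit-price` options that step 5 used without saying why, and the sample output's Repo URL points at `Woody4618/verify-squads` while every command uses `solana-developers/verify-squads`. Typos to fix while here: "when its controlled", "to to github", "you program authority", "transcation".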
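Review bot: the Phoenix example in the `@@ -412,6 +579,68 @@` hunk omits `--commit-hash` while the Squads, Drift and Marginfi examples each pin one, so the "Final Output" hash shown for Phoenix is tied to whatever the repository contained when the command was run and a reader may not be able to reproduce it. Pin the commit that produced the documented hash, or say that the hash is expected to change. The `-um` flag and the trailing `-- --features mainnet-beta` in the Marginfi command are not explained in the added lines; one sentence each, in the same style as the existing note on `--library-name` and `--bpf`, would tell readers which parts of each command they must carry over to their own program.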