Commit-Boost · jclapis · Apr 2, 2025 · May 5, 2025 · May 6, 2025 · May 6, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -36,6 +36,7 @@ color-eyre = "0.6.3"
 ctr = "0.9.2"
 derive_more = { version = "2.0.1", features = ["deref", "display", "from", "into"] }
 docker-compose-types = "0.16.0"
+docker-image = "0.2.1"
 eth2_keystore = { git = "https://github.com/sigp/lighthouse", rev = "8d058e4040b765a96aa4968f4167af7571292be2" }
 ethereum_serde_utils = "0.7.0"
 ethereum_ssz = "0.8"
@@ -57,6 +58,7 @@ serde_json = "1.0.117"
 serde_yaml = "0.9.33"
 sha2 = "0.10.8"
 ssz_types = "0.10"
+tempfile = "3.20.0"
 thiserror = "2.0.12"
 tokio = { version = "1.37.0", features = ["full"] }
 toml = "0.8.13"

diff --git a/config.example.toml b/config.example.toml
@@ -144,16 +144,22 @@ url = "http://0xa119589bb33ef52acbb8116832bec2b58fca590fe5c85eac5d3230b44d5bc09f
 #   - Dirk: a remote Dirk instance
 #   - Local: a local Signer module
 # More details on the docs (https://commit-boost.github.io/commit-boost-client/get_started/configuration/#signer-module)
-# [signer]
+[signer]
 # Docker image to use for the Signer module.
 # OPTIONAL, DEFAULT: ghcr.io/commit-boost/signer:latest
-# docker_image = "ghcr.io/commit-boost/signer:latest"
+docker_image = "ghcr.io/commit-boost/signer:latest"
 # Host to bind the Signer API server to
 # OPTIONAL, DEFAULT: 127.0.0.1
 host = "127.0.0.1"
 # Port to listen for Signer API calls on
 # OPTIONAL, DEFAULT: 20000
 port = 20000
+# Number of JWT authentication attempts a client can fail before blocking that client temporarily from Signer access
+# OPTIONAL, DEFAULT: 3
+jwt_auth_fail_limit = 3
+# How long to block a client from Signer access, in seconds, if it failed JWT authentication too many times
+# OPTIONAL, DEFAULT: 300
+jwt_auth_fail_timeout_seconds = 300
 
 # For Remote signer:
 # [signer.remote]
@@ -233,6 +239,8 @@ proxy_dir = "./proxies"
 [[modules]]
 # Unique ID of the module
 id = "DA_COMMIT"
+# Unique hash that the Signer service will combine with the incoming data in signing requests to generate a signature specific to this module
+signing_id = "0x6a33a23ef26a4836979edff86c493a69b26ccf0b4a16491a815a13787657431b"
 # Type of the module. Supported values: commit, events
 type = "commit"
 # Docker image of the module

diff --git a/crates/cli/src/docker_init.rs b/crates/cli/src/docker_init.rs
@@ -15,10 +15,10 @@ use cb_common::{
         PROXY_DIR_KEYS_ENV, PROXY_DIR_SECRETS_DEFAULT, PROXY_DIR_SECRETS_ENV, SIGNER_DEFAULT,
         SIGNER_DIR_KEYS_DEFAULT, SIGNER_DIR_KEYS_ENV, SIGNER_DIR_SECRETS_DEFAULT,
         SIGNER_DIR_SECRETS_ENV, SIGNER_ENDPOINT_ENV, SIGNER_KEYS_ENV, SIGNER_MODULE_NAME,
-        SIGNER_URL_ENV,
+        SIGNER_PORT_DEFAULT, SIGNER_URL_ENV,
     },
     pbs::{BUILDER_API_PATH, GET_STATUS_PATH},
-    signer::{ProxyStore, SignerLoader, DEFAULT_SIGNER_PORT},
+    signer::{ProxyStore, SignerLoader},
     types::ModuleId,
     utils::random_jwt_secret,
 };
@@ -73,7 +73,7 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
     let mut targets = Vec::new();
 
     // address for signer API communication
-    let signer_port = cb_config.signer.as_ref().map(|s| s.port).unwrap_or(DEFAULT_SIGNER_PORT);
+    let signer_port = cb_config.signer.as_ref().map(|s| s.port).unwrap_or(SIGNER_PORT_DEFAULT);
     let signer_server =
         if let Some(SignerConfig { inner: SignerType::Remote { url }, .. }) = &cb_config.signer {
             url.to_string()

diff --git a/crates/common/Cargo.toml b/crates/common/Cargo.toml
@@ -16,6 +16,7 @@ blst.workspace = true
 cipher.workspace = true
 ctr.workspace = true
 derive_more.workspace = true
+docker-image.workspace = true
 eth2_keystore.workspace = true
 ethereum_serde_utils.workspace = true
 ethereum_ssz.workspace = true

diff --git a/crates/common/src/commit/request.rs b/crates/common/src/commit/request.rs
@@ -57,6 +57,7 @@ impl<T: ProxyId> SignedProxyDelegation<T> {
             &self.message.delegator,
             &self.message,
             &self.signature,
+            None,
             COMMIT_BOOST_DOMAIN,
         )
     }

diff --git a/crates/common/src/config/constants.rs b/crates/common/src/config/constants.rs
@@ -34,6 +34,16 @@ pub const SIGNER_MODULE_NAME: &str = "signer";
 
 /// Where the signer module should open the server
 pub const SIGNER_ENDPOINT_ENV: &str = "CB_SIGNER_ENDPOINT";
+pub const SIGNER_PORT_DEFAULT: u16 = 20000;
+
+/// Number of auth failures before rate limiting the client
+pub const SIGNER_JWT_AUTH_FAIL_LIMIT_ENV: &str = "CB_SIGNER_JWT_AUTH_FAIL_LIMIT";
+pub const SIGNER_JWT_AUTH_FAIL_LIMIT_DEFAULT: u32 = 3;
+
+/// How long to rate limit the client after auth failures
+pub const SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_ENV: &str =
+    "CB_SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS";
+pub const SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_DEFAULT: u32 = 5 * 60;
 
 /// Comma separated list module_id=jwt_secret
 pub const JWTS_ENV: &str = "CB_JWTS";

diff --git a/crates/common/src/config/mod.rs b/crates/common/src/config/mod.rs
@@ -41,6 +41,9 @@ impl CommitBoostConfig {
     /// Validate config
     pub async fn validate(&self) -> Result<()> {
         self.pbs.pbs_config.validate(self.chain).await?;
+        if let Some(signer) = &self.signer {
+            signer.validate().await?;
+        }
         Ok(())
     }
 

diff --git a/crates/common/src/config/module.rs b/crates/common/src/config/module.rs
@@ -1,5 +1,6 @@
 use std::collections::HashMap;
 
+use alloy::primitives::B256;
 use eyre::{ContextCompat, Result};
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
 use toml::Table;
@@ -37,6 +38,8 @@ pub struct StaticModuleConfig {
     /// Type of the module
     #[serde(rename = "type")]
     pub kind: ModuleKind,
+    /// Signing ID for the module to use when requesting signatures
+    pub signing_id: Option<B256>,
 }
 
 /// Runtime config to start a module