Skip to main content

5 posts tagged with "production"

View All Tags

Mithril certificate chain security advisory

· 2 min read
Mithril Team

Mithril certificate chain could be manipulated by an adversarial signer (security advisory)

info

The certificate chain of the release-mainnet aggregator has been re-genesised at epoch 539, and the network has resumed producing a valid chain at epoch 540.

The Mithril team has published a security advisory for users running the Mithril client on the mainnet infrastructure:

  • Identifier: GHSA-724h-fpm5-4qvr
  • Title: Mithril certificate chain could be manipulated by an adversarial signer
  • Location: GHSA-724h-fpm5-4qvr
  • Severity: High (5.3/10).
danger

We strongly encourage all the mainnet users running a client library, client CLI, or client WASM to update to the latest versions to prevent the issue:

  • The Mithril client library has been fixed with version 0.11.1 and is available here
  • The Mithril client WASM has been fixed with version 0.8.1 and is available here
  • The Mithril client CLI has been fixed with version 0.11.0 and can be downloaded with the following command:
curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-client -d 2506.0 -p $(pwd)

Note that all the previous versions must not be used anymore.

For any inquiries or assistance, feel free to contact the team on the Discord channel.

Mithril signer service new configuration

· One min read
Mithril Team

PR: Fix signer service recommended configuration #1419

Issue: Fix signer node service setup #1404

The previous recommended configuration proposed a service restart frequency which was too high. When the service was restarted, and if the Cardano node was not ready yet, the service tried to restart too many times in a short period: thus the service just failed and the service had to be started manually after the Cardano node is up and ready. This lead to some SPOs skipping registrations for some epochs.

The duration before restarting the service is increased to 60s: RestartSec=60.

Below is the new recommended configuration:

[Unit]
Description=Mithril signer service
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=60
User=cardano
EnvironmentFile=/opt/mithril/mithril-signer.env
ExecStart=/opt/mithril/mithril-signer -vvv

[Install]
WantedBy=multi-user.target
EOF'

We highly recommend to update your existing configuration file (/etc/systemd/system/mithril-signer.service) with the values specified in the guide

⚠️ Following this modification, the service needs to be restarted with the following command:

sudo systemctl restart mithril-signer

Feel free to reach out to us on the Discord channel for questions and/or help.

Mithril Relay Security Advisory

· One min read
Mithril Team

Mithril relay could expose Cardano block producer internal IP when updated (Security Advisory)

The Mithril team has published a security advisory to destination of SPOs running a Mithril signer/relay on the mainnet infrastructure:

danger

We strongly encourage all the mainnet SPOs to update the listening port of their Mithril relay in order to prevent the issue, with the process explained in the Workarounds section of the security advisory.

Feel free to reach out to us on the Discord channel for questions and/or help.

Mithril Protocol’s Mainnet Beta Launch

· 2 min read
Mithril Team

Update 2023/07/30: The first certificates and snapshots have been produced by the release-mainnet network!

Update 2023/07/25: The Genesis certificate of the release-mainnet network has been successfully created.

Mithril Protocol’s Mainnet Beta is launched 🚀

The Mithril team is thrilled to announce that the Mithril Protocol’s Mainnet Beta is launched 🎉

Here are the next steps that we will follow in order to get the release-mainnet network producing its first certificates:

  1. Open the first signers registrations on the release-mainnet network (1 epoch).
  2. Create the genesis certificate of the release-mainnet network (1 epoch).
  3. Wait for the first certificates to be produced by the release-mainnet network.

This is an expected timeline, in case of modification, we will amend this post with a new one.

Also, the documentation has been updated with the configuration of the release-mainnet network. It is available here.

danger

As a Cardano SPO, before being able to setup a Mithril signer on the mainnet, it is required to complete the step 2 of the SPO onboarding guide

Feel free to reach out to us on the Discord channel for questions and/or help.

Mithril Signer Deployment Models

· 2 min read
Mithril Team

The new Mithril Signer Deployment Models for SPOs will be introduced soon

Epic: Prepare Mithril Signer deployment model for SPO #862

⚠️ The Mithril Signer Deployment Models is not deployed yet to the pre-release-preview and release-preprod network. A special announcement will be made on the ask-mithril Discord channel when a new release candidate distribution is ready.

All these information will be available at the updated Run a Mithril Signer node (SPO) guide. In the mean time, a preview of the Mithril signer setup with the production deployment model is available here. In the new production deployment model, a new Mithril Relay has been introduced and requires an extra setup effort versus the naive deployment model that is currently ran by the pioneer SPOs on the Mithril test networks.

info

We strongly encourage the volunteer SPOs to test the production deployment (once it is available of the pre-release-preview network) and to give us their feedback on the setup (clarity of the documentation, if you needed some fixes to make it work, ...).

Here is the schema of the production deployment for the mainnet: Production Mithril Signer Deployment Model

and the schema of the naive deployment only for the testnet: Naive Mithril Signer Deployment Model

Feel free to reach out to us on the Discord channel for questions and/or help.