Allow capability DONs to include OCR attestation of the responses#1907
Open
dhaidashenko wants to merge 1 commit intomainfrom
Open
Allow capability DONs to include OCR attestation of the responses#1907dhaidashenko wants to merge 1 commit intomainfrom
dhaidashenko wants to merge 1 commit intomainfrom
Conversation
dhaidashenko
temporarily deployed
to
integration
GitHub Actions
Inactive
dhaidashenko
had a problem deploying
to
integration
GitHub Actions
Failure
dhaidashenko
temporarily deployed
to
integration
GitHub Actions
Inactive
|
✅ API Diff Results -
|
product-security-plaid-production
bot
requested review from
harry-anderson and
ilija42
Contributor
There was a problem hiding this comment.
Pull request overview
This PR extends the capabilities response metadata to optionally carry an OCR attestation (config digest, sequence number, and attributed signatures), enabling Capability DONs to include OCR-style attestations alongside responses.
Changes:
- Added
ocr_attestation(withResponseOCRAttestation+AttributedSignature) toResponseMetadatain the capabilities protobuf schema. - Updated Go capability types and pb helper conversions to serialize/deserialize OCR attestation data.
- Added test coverage for attestation round-tripping and invalid config digest length handling; refactored EVM keyring blob verification into a reusable function.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/capabilities/pb/capabilities_helpers_test.go | Adds subtests for invalid digest length and round-trip conversion including OCR attestation metadata. |
| pkg/capabilities/pb/capabilities_helpers.go | Adds OCR attestation marshaling/unmarshaling logic to capability response proto helpers. |
| pkg/capabilities/pb/capabilities.proto | Introduces ocr_attestation on ResponseMetadata and new messages for attestation + signatures. |
| pkg/capabilities/pb/capabilities.pb.go | Regenerated protobuf Go output for the updated schema. |
| pkg/capabilities/capabilities.go | Adds OCR attestation types to response metadata and introduces ResponseToReportData hashing helper. |
| keystore/corekeys/ocr2key/evm_keyring.go | Extracts EVM blob verification into EvmVerifyBlob and reuses it from the keyring method. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
dhaidashenko
force-pushed
the
feature/PLEX-2611-pass-ocr-attestation-to-workflow-don
branch
from
1de3504 to
82a189c
Compare
dhaidashenko
had a problem deploying
to
integration
GitHub Actions
Failure
dhaidashenko
had a problem deploying
to
integration
GitHub Actions
Failure
dhaidashenko
temporarily deployed
to
integration
GitHub Actions
Inactive
Contributor
There was a problem hiding this comment.
Pull request overview
Adds OCR attestation metadata support to capability responses so Capability DONs can include verifiable OCR context (config digest, sequence number, signatures) alongside the response.
Changes:
- Extend
ResponseMetadataprotobuf schema with an optionalocr_attestationmessage (including attributed signatures). - Update Go conversion helpers to marshal/unmarshal OCR attestation between internal types and protobuf types, plus add round-trip/validation tests.
- Introduce response-to-report hashing helper and extract EVM blob verification into a reusable function.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/capabilities/pb/capabilities.proto | Adds ResponseOCRAttestation + AttributedSignature and wires it into ResponseMetadata. |
| pkg/capabilities/pb/capabilities.pb.go | Regenerated protobuf Go types to include the new messages/field. |
| pkg/capabilities/pb/capabilities_helpers.go | Adds proto ↔ internal mapping for OCR attestation on capability responses. |
| pkg/capabilities/pb/capabilities_helpers_test.go | Adds validation + round-trip coverage for response OCR attestation conversions. |
| pkg/capabilities/capabilities.go | Adds internal OCR attestation types and ResponseToReportData hashing helper. |
| keystore/corekeys/ocr2key/evm_keyring.go | Extracts EVM blob verification into EvmVerifyBlob and reuses it from the keyring method. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+193
to
+197
| attestation = &capabilities.ResponseOCRAttestation{ | ||
| ConfigDigest: [32]byte(pr.Metadata.OcrAttestation.ConfigDigest), | ||
| SequenceNumber: pr.Metadata.OcrAttestation.SequenceNumber, | ||
| Sigs: make([]capabilities.AttributedSignature, len(pr.Metadata.OcrAttestation.Signatures)), | ||
| } |
pkg/capabilities/capabilities.go
Outdated
Comment on lines
+101
to
+116
| func ResponseToReportData(requestID string, responsePayload []byte, spendUnit, spendValue string) []byte { | ||
| hash := sha3.New256() | ||
| const domainSeparator = "CapabilityResponseReportData:v1" | ||
| hash.Write([]byte(domainSeparator)) | ||
| // Helper to write a length-prefixed byte slice. | ||
| writeField := func(b []byte) { | ||
| // Use a fixed-width length prefix to make encoding unambiguous. | ||
| _ = binary.Write(hash, binary.BigEndian, uint64(len(b))) | ||
| _, _ = hash.Write(b) | ||
| } | ||
| writeField([]byte(requestID)) | ||
| writeField(responsePayload) | ||
| writeField([]byte(spendUnit)) | ||
| writeField([]byte(spendValue)) | ||
|
|
||
| return hash.Sum(nil) |
Comment on lines
+114
to
+122
| func EvmVerifyBlob(pubkey types.OnchainPublicKey, b, sig []byte) bool { | ||
| authorPubkey, err := crypto.SigToPub(b, sig) | ||
| if err != nil { | ||
| return false | ||
| } | ||
| authorAddress := crypto.PubkeyToAddress(*authorPubkey) | ||
| // no need for constant time compare since neither arg is sensitive | ||
| return bytes.Equal(pubkey[:], authorAddress[:]) | ||
| } |
dhaidashenko
force-pushed
the
feature/PLEX-2611-pass-ocr-attestation-to-workflow-don
branch
from
82a189c to
76aac32
Compare
dhaidashenko
temporarily deployed
to
integration
GitHub Actions
Inactive
dhaidashenko
had a problem deploying
to
integration
GitHub Actions
Failure
dhaidashenko
temporarily deployed
to
integration
GitHub Actions
Inactive
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
https://smartcontract-it.atlassian.net/browse/PLEX-2611
Supports: