smartcontractkit · prashantkumar1982 · Sep 16, 2025 · Sep 9, 2025 · Sep 9, 2025 · Sep 9, 2025
@@ -0,0 +1,5 @@
+---
+"chainlink": minor
+---
+
+#added DKG to local CRE
@@ -0,0 +1,5 @@
+---
+"chainlink": minor
+---
+
+#added DKG integration with Vault plugin
@@ -520,6 +520,16 @@ func (s *Shell) runNode(c *cli.Context) error {
 	}
 
 	if s.Config.CRE().EnableDKGRecipient() {
+		if s.Config.ImportedDKGRecipientKey().JSON() != "" {
+			lggr.Debugf("Importing DKG recipient key %s", s.Config.ImportedDKGRecipientKey().JSON())
+			_, err2 := app.GetKeyStore().DKGRecipient().Import(rootCtx, []byte(s.Config.ImportedDKGRecipientKey().JSON()), s.Config.ImportedDKGRecipientKey().Password())
+			if errors.Is(err2, keystore.ErrKeyExists) {
+				lggr.Debugf("DKG recipient key already exists %s", s.Config.ImportedDKGRecipientKey().JSON())
+			} else if err2 != nil {
+				return s.errorOut(errors.Wrap(err2, "error importing dkg recipient key"))
+			}
+		}
+
 		err2 := app.GetKeyStore().DKGRecipient().EnsureKey(rootCtx)
 		if err2 != nil {
 			return errors.Wrap(err2, "failed to ensure dkg recipient key")

@@ -141,8 +141,10 @@ type Secrets struct {
 	EVM        EthKeys                  `toml:",omitempty"` // choose EVM as the TOML field name to align with relayer config convention
 	Solana     SolKeys                  `toml:",omitempty"` // choose Solana as the TOML field name to align with relayer config convention
 
-	P2PKey P2PKey     `toml:",omitempty"`
-	CRE    CreSecrets `toml:",omitempty"`
+	P2PKey          P2PKey          `toml:",omitempty"`
+	DKGRecipientKey DKGRecipientKey `toml:",omitempty"`
+
+	CRE CreSecrets `toml:",omitempty"`
 }
 
 type SolKeys struct {
@@ -453,6 +455,42 @@ func (p *P2PKey) ValidateConfig() (err error) {
 	return err
 }
 
+type DKGRecipientKey struct {
+	JSON     *models.Secret
+	Password *models.Secret
+}
+
+func (p *DKGRecipientKey) SetFrom(f *DKGRecipientKey) (err error) {
+	err = p.validateMerge(f)
+	if err != nil {
+		return err
+	}
+	if v := f.JSON; v != nil {
+		p.JSON = v
+	}
+	if v := f.Password; v != nil {
+		p.Password = v
+	}
+	return nil
+}
+
+func (p *DKGRecipientKey) validateMerge(f *DKGRecipientKey) (err error) {
+	if p.JSON != nil && f.JSON != nil {
+		err = errors.Join(err, configutils.ErrOverride{Name: "JSON"})
+	}
+	if p.Password != nil && f.Password != nil {
+		err = errors.Join(err, configutils.ErrOverride{Name: "Password"})
+	}
+	return err
+}
+
+func (p *DKGRecipientKey) ValidateConfig() (err error) {
+	if (p.JSON != nil) != (p.Password != nil) {
+		err = errors.Join(err, configutils.ErrInvalid{Name: "DKGRecipientKey", Value: p.JSON, Msg: "all fields must be nil or non-nil"})
+	}
+	return err
+}
+
 type Passwords struct {
 	Keystore *models.Secret
 	VRF      *models.Secret

@@ -499,7 +499,7 @@ require (
 	github.com/smartcontractkit/freeport v0.1.3-0.20250716200817-cb5dfd0e369e // indirect
 	github.com/smartcontractkit/grpc-proxy v0.0.0-20240830132753-a7e17fec5ab7 // indirect
 	github.com/smartcontractkit/mcms v0.21.1 // indirect
-	github.com/smartcontractkit/smdkg v0.0.0-20250905122113-4057e4fe4b25 // indirect
+	github.com/smartcontractkit/smdkg v0.0.0-20250910095332-fcfc37af3920 // indirect
 	github.com/smartcontractkit/tdh2/go/ocr2/decryptionplugin v0.0.0-20241009055228-33d0c0bf38de // indirect
 	github.com/smartcontractkit/tdh2/go/tdh2 v0.0.0-20250624150019-e49f7e125e6b // indirect
 	github.com/smartcontractkit/wsrpc v0.8.5-0.20250502134807-c57d3d995945 // indirect

@@ -1615,8 +1615,8 @@ github.com/smartcontractkit/libocr v0.0.0-20250905115425-2785a5cee79d h1:/0/80Ic
 github.com/smartcontractkit/libocr v0.0.0-20250905115425-2785a5cee79d/go.mod h1:Acy3BTBxou83ooMESLO90s8PKSu7RvLCzwSTbxxfOK0=
 github.com/smartcontractkit/mcms v0.21.1 h1:vbM1c45Hd526XTKdXy2G1YKlMyzyc+ybdPTK79UlkKg=
 github.com/smartcontractkit/mcms v0.21.1/go.mod h1:7bg4JECK7UHvXAJ7/kzvCNLzUu8JxKvvti3ko9y3FpI=
-github.com/smartcontractkit/smdkg v0.0.0-20250905122113-4057e4fe4b25 h1:zxZHMnCEjSfQYq9vzWUZncikyAy971yU7GsviXVGmLM=
-github.com/smartcontractkit/smdkg v0.0.0-20250905122113-4057e4fe4b25/go.mod h1:Cxtf6GUlIhyQRT6BSl39VhPOySGgsB85nmYGiICDnAs=
+github.com/smartcontractkit/smdkg v0.0.0-20250910095332-fcfc37af3920 h1:jPVBYcBq2RCMBns5nf8MR5CSAi7qfbJh0vCxkvcSg7s=
+github.com/smartcontractkit/smdkg v0.0.0-20250910095332-fcfc37af3920/go.mod h1:LruPoZcjytOUK4mjQ92dZ0XfXu7pkr+fg8Y58XKkKC8=
 github.com/smartcontractkit/tdh2/go/ocr2/decryptionplugin v0.0.0-20241009055228-33d0c0bf38de h1:n0w0rKF+SVM+S3WNlup6uabXj2zFlFNfrlsKCMMb/co=
 github.com/smartcontractkit/tdh2/go/ocr2/decryptionplugin v0.0.0-20241009055228-33d0c0bf38de/go.mod h1:Sl2MF/Fp3fgJIVzhdGhmZZX2BlnM0oUUyBP4s4xYb6o=
 github.com/smartcontractkit/tdh2/go/tdh2 v0.0.0-20250624150019-e49f7e125e6b h1:hN0Aqc20PTMGkYzqJGKIZCZMR4RoFlI85WpbK9fKIns=

@@ -101,7 +101,7 @@ func generateOCR3Config(nodeKeys []NodeKeys, configFile string) ksdeploy.OCR3Onc
 	topLevelCfg := mustReadOCR3Config(configFile)
 	cfg := topLevelCfg.OracleConfig
 	secrets := focr.XXXGenerateTestOCRSecrets()
-	c, err := ksdeploy.GenerateOCR3Config(cfg, nodeKeysToKsDeployNodeKeys(nodeKeys[1:]), secrets) // skip the bootstrap node
+	c, err := ksdeploy.GenerateOCR3Config(cfg, nodeKeysToKsDeployNodeKeys(nodeKeys[1:]), secrets, nil) // skip the bootstrap node
 	helpers.PanicErr(err)
 	return c
 }

@@ -100,7 +100,7 @@ func (g *generateLocalOCR3Config) Run(args []string) {
 		panic(err)
 	}
 
-	ocrConfig, err := changeset.GenerateOCR3Config(cfg, pubKeys, focr.XXXGenerateTestOCRSecrets())
+	ocrConfig, err := changeset.GenerateOCR3Config(cfg, pubKeys, focr.XXXGenerateTestOCRSecrets(), nil)
 	if err != nil {
 		panic(err)
 	}

@@ -412,6 +412,10 @@ func (s *Secrets) SetFrom(f *Secrets) (err error) {
 		err = errors.Join(err, commonconfig.NamedMultiErrorList(err2, "Solana"))
 	}
 
+	if err2 := s.DKGRecipientKey.SetFrom(&f.DKGRecipientKey); err2 != nil {
+		err = errors.Join(err, commonconfig.NamedMultiErrorList(err2, "DKGRecipientKey"))
+	}
+
 	if err2 := s.CRE.SetFrom(&f.CRE); err2 != nil {
 		err = errors.Join(err, commonconfig.NamedMultiErrorList(err2, "CRE"))
 	}

@@ -552,6 +552,10 @@ func (g *generalConfig) ImportedSolKeys() coreconfig.ImportableChainKeyLister {
 	return &importedSolKeyConfigs{s: g.secrets.Solana}
 }
 
+func (g *generalConfig) ImportedDKGRecipientKey() coreconfig.ImportableKey {
+	return &importedDKGRecipientKeyConfig{s: g.secrets.DKGRecipientKey}
+}
+
 func (g *generalConfig) ImportedP2PKey() coreconfig.ImportableKey {
 	return &importedP2PKeyConfig{s: g.secrets.P2PKey}
 }

@@ -0,0 +1,21 @@
+package chainlink
+
+import "github.com/smartcontractkit/chainlink/v2/core/config/toml"
+
+type importedDKGRecipientKeyConfig struct {
+	s toml.DKGRecipientKey
+}
+
+func (t *importedDKGRecipientKeyConfig) JSON() string {
+	if t.s.JSON == nil {
+		return ""
+	}
+	return string(*t.s.JSON)
+}
+
+func (t *importedDKGRecipientKeyConfig) Password() string {
+	if t.s.Password == nil {
+		return ""
+	}
+	return string(*t.s.Password)
+}
@@ -28,4 +28,5 @@ type ImportedSecretConfig interface {
 	ImportedP2PKey() coreconfig.ImportableKey
 	ImportedEthKeys() coreconfig.ImportableChainKeyLister
 	ImportedSolKeys() coreconfig.ImportableChainKeyLister
+	ImportedDKGRecipientKey() coreconfig.ImportableKey
 }
@@ -25,7 +25,6 @@ const (
 	Tron ChainType = "tron"
 	// TON for the TON chain
 	TON ChainType = "ton"
-
 	// Offchain is used by the MultichainKeyringAdapter when we are signing for offchain (eg. for DKG).
 	Offchain ChainType = "offchain"
 )

@@ -35,8 +35,11 @@ import (
 	ocr2keepers21config "github.com/smartcontractkit/chainlink-automation/pkg/v3/config"
 	ocr2keepers21 "github.com/smartcontractkit/chainlink-automation/pkg/v3/plugin"
 	"github.com/smartcontractkit/chainlink/v2/core/capabilities/vault/vaulttypes"
+	"github.com/smartcontractkit/chainlink/v2/core/config/env"
 	syncerV2 "github.com/smartcontractkit/chainlink/v2/core/services/workflows/syncer/v2"
 
+	"github.com/smartcontractkit/smdkg/dkgocr/oracleargs"
+
 	"github.com/smartcontractkit/chainlink-common/pkg/capabilities/consensus/requests"
 	"github.com/smartcontractkit/chainlink-common/pkg/loop"
 	"github.com/smartcontractkit/chainlink-common/pkg/loop/reportingplugins"
@@ -56,7 +59,6 @@ import (
 	gatewayconnector "github.com/smartcontractkit/chainlink/v2/core/capabilities/gateway_connector"
 	vaultcap "github.com/smartcontractkit/chainlink/v2/core/capabilities/vault"
 	coreconfig "github.com/smartcontractkit/chainlink/v2/core/config"
-	"github.com/smartcontractkit/chainlink/v2/core/config/env"
 	"github.com/smartcontractkit/chainlink/v2/core/logger"
 	"github.com/smartcontractkit/chainlink/v2/core/services/job"
 	"github.com/smartcontractkit/chainlink/v2/core/services/keystore"
@@ -573,7 +575,6 @@ func (d *Delegate) ServicesForSpec(ctx context.Context, jb job.Job) ([]job.Servi
 		return d.newServicesCCIPCommit(ctx, lggr, jb, bootstrapPeers, kb, ocrDB, lc, transmitterID)
 	case types.CCIPExecution:
 		return d.newServicesCCIPExecution(ctx, lggr, jb, bootstrapPeers, kb, ocrDB, lc, transmitterID)
-
 	case types.VaultPlugin:
 		return d.newServicesVaultPlugin(ctx, lggr, jb, bootstrapPeers, kb, ocrDB, lc, d.capabilitiesRegistry, d.gatewayConnectorServiceWrapper, d.WorkflowRegistrySyncer)
 
@@ -817,7 +818,15 @@ func (d *Delegate) newServicesVaultPlugin(
 	if err != nil {
 		return nil, fmt.Errorf("failed to instantiate vault plugin: failed to get DKG keys: %w", err)
 	}
-	rpf, err := vaultocrplugin.NewReportingPluginFactory(lggr, requestStore, nil, &dkgRecipientKey, pk, secKeyShare, lpk)
+	rpf, err := vaultocrplugin.NewReportingPluginFactory(
+		lggr,
+		requestStore,
+		vaultocrplugin.NewVaultORM(d.ds),
+		&dkgRecipientKey,
+		pk,
+		secKeyShare,
+		lpk,
+	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to instantiate vault plugin: failed to create reporting plugin factory: %w", err)
 	}
@@ -829,6 +838,64 @@ func (d *Delegate) newServicesVaultPlugin(
 	}
 	srvs = append(srvs, job.NewServiceAdapter(oracle))
 
+	// Add a DKG oracle in-parallel to populate key shares.
+	dkgLogger := logger.Sugared(lggr.With("vaultDependency", "dkg", "dkgContractID", cfg.DKG.ContractID))
+	dkgOcrLogger := ocrcommon.NewOCRWrapper(dkgLogger, d.cfg.OCR2().TraceLogging(), func(ctx context.Context, msg string) {
+		dkgLogger.ErrorIf(d.jobORM.RecordError(ctx, jb.ID, msg), "unable to record error")
+	})
+	srvs = append(srvs, dkgOcrLogger)
+
+	dkgProvider, err := relayer.NewPluginProvider(ctx, types.RelayArgs{
+		ExternalJobID: jb.ExternalJobID,
+		JobID:         jb.ID,
+		OracleSpecID:  spec.ID,
+		ContractID:    cfg.DKG.ContractID,
+		New:           d.isNewlyCreatedJob,
+		RelayConfig:   spec.RelayConfig.Bytes(),
+		ProviderType:  string(types.OCR3Capability),
+	}, types.PluginArgs{
+		TransmitterID: spec.TransmitterID.String,
+		PluginConfig:  []byte{},
+	})
+	if err != nil {
+		return nil, err
+	}
+	srvs = append(srvs, dkgProvider)
+
+	fullPathDKG := filepath.Join(d.cfg.OCR2().KeyValueStoreRootDir(), jb.ExternalJobID.String(), "_dkg")
+	err = utils.EnsureDirAndMaxPerms(fullPathDKG, os.FileMode(0700))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create key value store directory: %w", err)
+	}
+	dkgOracleEndpoint := d.monitoringEndpointGen.GenMonitoringEndpoint(
+		rid.Network,
+		rid.ChainID,
+		cfg.DKG.ContractID,
+		synchronization.TelemetryType(types.DKG),
+	)
+
+	dkgOracleArgs := oracleargs.OCR3_1OracleArgsForSanMarinoDKG(
+		d.peerWrapper.Peer3_1,
+		bootstrapPeers,
+		dkgProvider.ContractConfigTracker(),
+		ocrDB,
+		kvdb.NewBadgerKeyValueDatabaseFactory(fullPathDKG),
+		lc,
+		dkgOcrLogger,
+		prometheus.WrapRegistererWith(map[string]string{"job_name": string(types.DKG)}, prometheus.DefaultRegisterer),
+		dkgOracleEndpoint,
+		dkgProvider.OffchainConfigDigester(),
+		kb,
+		dkgRecipientKey,
+		vaultocrplugin.NewVaultORM(d.ds),
+		common.HexToAddress(cfg.DKG.ContractID),
+	)
+	dkgOracle, err := libocr2.NewOracle(dkgOracleArgs)
+	if err != nil {
+		return nil, err
+	}
+	srvs = append(srvs, job.NewServiceAdapter(dkgOracle))
+
 	return srvs, nil
 }
 

@@ -9,6 +9,7 @@ import (
 type DKGConfig struct {
 	MasterPublicKey          string `json:"masterPublicKey"`
 	EncryptedPrivateKeyShare string `json:"encryptedPrivateKeyShare"`
+	ContractID               string `json:"dkgContractID"`
 }
 
 type Config struct {

@@ -13,13 +13,18 @@ import (
 	"github.com/smartcontractkit/chainlink-common/pkg/sqlutil"
 )
 
+type ORM interface {
+	dkgocrtypes.ResultPackageDatabase
+	GetResultPackageCount(ctx context.Context) (int64, error)
+}
+
 type orm struct {
 	ds sqlutil.DataSource
 }
 
-var _ dkgocrtypes.ResultPackageDatabase = (*orm)(nil)
+var _ ORM = (*orm)(nil)
 
-func NewVaultORM(ds sqlutil.DataSource) dkgocrtypes.ResultPackageDatabase {
+func NewVaultORM(ds sqlutil.DataSource) ORM {
 	return &orm{ds: ds}
 }
 
@@ -45,6 +50,19 @@ func (o *orm) validateResultPackage(value dkgocrtypes.ResultPackageDatabaseValue
 	return nil
 }
 
+func (o *orm) GetResultPackageCount(ctx context.Context) (int64, error) {
+	var count int64
+
+	query := `SELECT COUNT(*) FROM dkg_results;`
+	row := o.ds.QueryRowxContext(ctx, query)
+	err := row.Scan(&count)
+	if err != nil {
+		return 0, errors.Wrap(err, "failed to get dkg result count")
+	}
+
+	return count, nil
+}
+
 func (o *orm) ReadResultPackage(ctx context.Context, iid dkgocrtypes.InstanceID) (*dkgocrtypes.ResultPackageDatabaseValue, error) {
 	var configDigest []byte
 	var seqNr uint64