Skip to content

Commit

Permalink
Update verified-builds.md
Browse files Browse the repository at this point in the history
  • Loading branch information
Woody4618 committed Dec 18, 2024
1 parent 8ee6e06 commit de70dd0
Showing 1 changed file with 255 additions and 5 deletions.
260 changes: 255 additions & 5 deletions content/guides/advanced/verified-builds.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,36 @@ verified builds for their programs on Solana. We will cover what verified builds
are, how to use them, special considerations, and best practices to ensure the
authenticity of your program onchain.

# How to Verify a Program

## Table of Contents

- [What are verified builds?](#what-are-verified-builds)
- [Why should I use verified builds?](#why-should-i-use-verified-builds)
- [Benefits](#why-should-i-use-verified-builds)
- [How do I create verified builds?](#how-do-i-create-verified-builds)
- [Install Docker and Cargo](#install-docker-and-cargo)
- [Install the Solana Verify CLI](#install-the-solana-verify-cli)
- [Prepare project](#prepare-project)
- [Building Verifiable Programs](#building-verifiable-programs)
- [Remote Verification](#remote-verification)
- [How to verify your program when its controlled by a Multisig](#how-to-verify-your-program-when-its-controlled-by-a-multisig-like-squads)
- [Build and Deploy](#1-build-the-verifiable-program)
- [Verify Repository](#3-commit-and-verify-against-repository)
- [Transfer to Multisig](#4-transfer-program-authority-to-multisig)
- [Export and Submit](#5-export-pda-transaction)
- [Program Updates](#8-updating-the-program-optional)
- [Verify from docker image](#verify-from-docker-image)
- [Example verified build](#example-verified-build)
- [Some programs that are already verified](#some-programs-that-are-already-verified)
- [Phoenix](#phoenix)
- [Squads V3](#squads-v3)
- [Drift V2](#drift-v2)
- [Marginfi V2](#marginfi-v2)
- [Security + Disclaimer](#security--disclaimer)

[Insert rest of document here...]

# What are verified builds?

Verified builds ensure that the executable program you deploy to Solana’s
Expand Down Expand Up @@ -135,9 +165,6 @@ The Solana Verify CLI is the primary tool used to verify builds. Solana Verify
CLI is currently maintained by [Ellipsis Labs](https://ellipsislabs.xyz/) and
can be installed using Cargo.

> The verify process will soon move into the [Anza](https://www.anza.xyz/) tool
> suite. The general way of verifying builds will stay very similar though.
You can install it by running:

```bash
Expand Down Expand Up @@ -331,8 +358,30 @@ artifact from your repository.
The default is the
[OtterSec API](https://github.com/otter-sec/solana-verified-programs-api).

Once the build is done, which takes a while, and was successful you will be able
to see your program as verified in the
Make sure to pick yes when you are asked to upload the verification data
onchain. This is used by the API to verify that you uploaded the verification
data.

You can also trigger a remote job manually by using:

```bash
solana-verify remote submit-job --program-id <program-id> --uploader <address>
```

Where the uploader is the address that has the authority to write to the PDA.
That should be program authority in most cases. If your program is controlled by
a multisig please continue in the
[multisig guide](#how-to-verify-your-program-when-its-controlled-by-a-multisig-like-squads).

This will submit a job to the OtterSec API and you can then verify the job
status with:

```bash
solana-verify remote get-job-status --job-id <job-id>
```

Once the verification is done, which takes a while, and was successful you will
be able to see your program as verified in the
[OtterSec API for single programs](https://verify.osec.io/status/PhoeNiXZ8ByJGLkxNfZRnkUfjvmuYqLR89jjFHGqdXY)
and in the
[Solana Explorer](https://explorer.solana.com/address/PhoeNiXZ8ByJGLkxNfZRnkUfjvmuYqLR89jjFHGqdXY/verified-build),
Expand All @@ -348,6 +397,145 @@ contributing to a more healthy Solana ecosystem.

</Steps>

## How to verify your program when its controlled by a Multisig like squads

For the remote verification to work you need to write the verification data into
a PDA signed by the program authority. If your program is controlled by a
multisig you can export this write PDA transaction and submit it through
[Squads Protocol](https://squads.so/protocol) or another multisig solution of
your choice.

<Steps>

### 1. Build the verifiable program

First build the program:

```bash
solana-verify build
```

This will build a verifiable build using a docker container using the solana
version specified in the `Cargo.lock` file.

### 2. Deploy the program

```bash
solana config set --url "PayedMainnetRPCAddress" // the public endpoint will be rate limited too much
solana program deploy target/deploy/verify_squads.so
```

Get program id -> 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD

### 3. Commit and verify against repository

Once that is done we commit the project to to github. Here is an example:
https://github.com/solana-developers/verify-squads

Optional: See if you can verify locally first:

```bash
solana-verify verify-from-repo https://github.com/solana-developers/verify-squads --program-id 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD
```

Just to make sure your parameters are correct.

### 4. Transfer program authority to multisig

If you have not yet transfer your programs authority to the multisig and copy
the multisig authority. You need it in the next step.

### 5. Export PDA transaction

When you have you program authority locally you are prompted to upload the build
data onchain when using the command `solana-verify verify-from-repo`.

Since you can not do that when you are using a multisig you need to export the
PDA transaction manually and then trigger the transaction through Squads.

```bash
solana-verify export-pda-tx https://github.com/solana-developers/verify-squads --program-id 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD --uploader 3JG6ULvZVCrkKtSSskKNJGe8RNZGFe8Ruev9KUhxzK5K
```

This will return you a base58 or base64 encoded transaction:

```bash
P6vBfcPaaXb8fZoT3NBAYEcdtEj7tubA1k2gBxmFKZ3UWF5YyrmDMFTvLKALCJoUuRsPAjMckudYruCu3eeWQtuDrFbEMLxLFutnKXac974fnkMivcwUdY66VLjbxQT6ATmcy7F4hBtz1G4P1h6iBJLhb8WtrtgY3i4qq45MUEb7RjuMEfUFXKrNgPdGxkz5xvMHq3dxKRcpmEK5k2DkeW6SUQYBVe19Ga3B9GyhTX8k3CMt9JCEah13WyRnQd8GjoK6sTEvGJym6xDNvmd8yiJYSNcaYwEJsjHEUf4Yh6kAC7ki2KRvVAr3NVe1gjqK9McrwSQjtUatvydTG8Zovcr7PPUEMf3yPMgKXjZLB2QpkH63yTTYdNAnWFuv9E6b6nYRqye5XcNi436yKw5U14fXh65yK34bgYLi9328UT1huJELsJU9BRGnGUmb6GWp6c2WL5BhnzgNTSnt9TXFfEgUMzhvKzpVBxLP44hwqqBdyUhHFysCF37531PnmiESq8x1xou23xJ6FcQbc199754MkqQd7tX9CUznGzAEqHGkzn3VBoJnojsKtgYmiTYbdRsT1CU18MbYEE7WvGAvXyxxbpNzbAcc94HrnM6cqRGmwhEBroPfFghTdmzg9D
```

### 6. Submit transaction through Squads

Go to the squads transaction builder and import the base58 encoded transaction.
Make sure that in the simulation the transaction only has a call to the osec
verify program and the computer budget program and nothing else!

### 7. Submit remote verification job

Once the transaction to squads was successful you can submit the remote job:

```bash
solana-verify remote submit-job --program-id 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD --uploader 3JG6ULvZVCrkKtSSskKNJGe8RNZGFe8Ruev9KUhxzK5K
```

This is it! You have verified your program against a public repository and
submitted a remote job to the OtterSec API. You should be able to see it reflect
in the solana explorer and other places now.

### 8. Updating the program (Optional)

When you update your program you need to export a new PDA transaction and submit
it through Squads again.

Doing an update to the program:

```bash
solana-verify build
solana program write-buffer target/deploy/verify_squads.so --with-compute-unit-price 50000 --max-sign-attempts 50
```

Then transfer that buffer authority to the multisig or directly create the
buffer with the authority of the multisig.

```bash
solana program set-buffer-authority Fu3k79g53ZozAj47uq1tXrFy4QbQYh7y745DDsxjtyLR --new-buffer-authority 3JG6ULvZVCrkKtSSskKNJGe8RNZGFe8Ruev9KUhxzK5K
```

### 9. Export and submit new PDA transaction

Don't forget to commit your changes to github. Export the PDA upgrade
transaction again:

```bash
solana-verify export-pda-tx https://github.com/solana-developers/verify-squads --program-id 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD --uploader 3JG6ULvZVCrkKtSSskKNJGe8RNZGFe8Ruev9KUhxzK5K
```

Submit the transaction through Squads again.

https://solana.fm/tx/4zJ1vK2KToAwxuEYzTMLqPkcebjoi9rdeeyxtEEx9L5Q4vWDA8h6Rr4kPRuRxcV7ZLKMr6qx1LTWb6x3ZpUJaFUW?cluster=mainnet-alpha

Then submit for another remote build:

```bash
solana-verify remote submit-job --program-id 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD --uploader 3JG6ULvZVCrkKtSSskKNJGe8RNZGFe8Ruev9KUhxzK5K
```

Should result in something like this:

Verification request sent with request id: b63339d2-163e-49ac-b55d-3454c1c2b5b3
Verification in progress... ⏳ [00:18:02] ✅ Process completed. (Done in 18
minutes) Program 6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD has been verified.
✅ The provided GitHub build matches the on-chain hash. On Chain Hash:
96f8c3d9400258f7759408d1f6f8435b4a24d9b52f5a0340d97907e567cb8773 Executable
Hash: 96f8c3d9400258f7759408d1f6f8435b4a24d9b52f5a0340d97907e567cb8773 Repo URL:
https://github.com/Woody4618/verify-squads/tree/0fb0a2e30c15c51732c0ad5e837975a6f7bbc7ed
Check the verification status at:
https://verify.osec.io/status/6XBGfP17P3KQAKoJb2s5M5fR4aFTXzPeuC1af2GYkvhD Job
url: https://verify.osec.io/job/b63339d2-163e-49ac-b55d-3454c1c2b5b3

Congratulations you have verified your program after a multisig upgrade!

</Steps>

## Verify from docker image

You can also verify your program against a docker image by running the following
Expand Down Expand Up @@ -412,6 +600,68 @@ a remote build of your program. Once the build is complete, the system verifies
that the onchain hash of your program matches the hash of the generated build
artifact from your repository.

## Some programs that are already verified

### Phoenix

```
solana-verify verify-from-repo -um --program-id PhoeNiXZ8ByJGLkxNfZRnkUfjvmuYqLR89jjFHGqdXY https://github.com/Ellipsis-Labs/phoenix-v1
```

Final Output:

```
Executable Program Hash from repo: 6877a5b732b3494b828a324ec846d526d962223959534dbaf4209e0da3b2d6a9
On-chain Program Hash: 6877a5b732b3494b828a324ec846d526d962223959534dbaf4209e0da3b2d6a9
Program hash matches ✅
```

### Squads V3

```
solana-verify verify-from-repo https://github.com/Squads-Protocol/squads-mpl --commit-hash c95b7673d616c377a349ca424261872dfcf8b19d --program-id SMPLecH534NA9acpos4G6x7uf3LWbCAwZQE9e8ZekMu -um --library-name squads_mpl --bpf
```

(Note: we needed to specify the `library-name` because the Squads repo includes
multiple programs. We use the `--bpf` flag because `squads_mpl` was previously
verified with Anchor.)

Final Output:

```
Executable Program Hash from repo: 72da599d9ee14b2a03a23ccfa6f06d53eea4a00825ad2191929cbd78fb69205c
On-chain Program Hash: 72da599d9ee14b2a03a23ccfa6f06d53eea4a00825ad2191929cbd78fb69205c
Program hash matches ✅
```

### Drift V2

```
solana-verify verify-from-repo -um --program-id dRiftyHA39MWEi3m9aunc5MzRF1JYuBsbn6VPcn33UH https://github.com/drift-labs/protocol-v2 --commit-hash 110d3ff4f8ba07c178d69f9bfc7b30194fac56d6 --library-name drift
```

Final Output:

```
Executable Program Hash from repo: e31d58edeabc3c30bf6f2aa60bfaa5e492b41ec203e9006404b463e5adee5828
On-chain Program Hash: e31d58edeabc3c30bf6f2aa60bfaa5e492b41ec203e9006404b463e5adee5828
Program hash matches ✅
```

### Marginfi V2

```
solana-verify verify-from-repo -um --program-id MFv2hWf31Z9kbCa1snEPYctwafyhdvnV7FZnsebVacA https://github.com/mrgnlabs/marginfi-v2 --commit-hash d33e649e415c354cc2a1e3c49131725552d69ba0 --library-name marginfi -- --features mainnet-beta
```

Final Output:

```
Executable Program Hash from repo: 890d68f48f96991016222b1fcbc2cc81b8ef2dcbf280c44fe378c523c108fad5
On-chain Program Hash: 890d68f48f96991016222b1fcbc2cc81b8ef2dcbf280c44fe378c523c108fad5
Program hash matches ✅
```

# Conclusion

Using [verified builds on Solana](/content/guides/advanced/verified-builds.md)
Expand Down

0 comments on commit de70dd0

Please sign in to comment.