This repository has been archived by the owner on Apr 5, 2024. It is now read-only.

Changelog

Next release

Features Added

  • Build and Docker image now use Java 17
  • Updated Docker image to use the latest Ubuntu LTS image
  • Updated web3j library to 4.10.2

Bugs Fixed

  • Update grpc to version 1.57.2 to fix CVE-2023-33953
  • Update Azure libraries to fix CVE-2023-36415
  • Update okhttp logging interceptor version to fix CVE-2023-0833

23.6.0

As part of our ongoing commitment to deliver the best remote signing solutions, we are announcing a change in our product offerings.

We have decided to deprecate our EthSigner product to focus our efforts on enhancing Web3Signer, our newly comprehensive remote signing solution. This is rooted in our strategy to streamline our offerings and focus on a single, robust product that will provide functionality for both transaction and Ethereum validator signing. We hope this makes it applicable to all your use cases, like public Ethereum signing, staking infrastructure offerings, and private network contexts.

Rest assured, we are not dropping existing EthSigner functionality. We are updating Web3Signer to incorporate the functionalities of EthSigner alongside everything else in Web3Signer. We will ensure a smooth transition by maintaining EthSigner with necessary patches for an additional six months. We hope this provides ample time for any necessary migration to Web3Signer.

Bugs Fixed

  • Update of Azure libraries (transitive via signers library) and manual override to fix CVE-2023-1370
  • Updated various dependent libraries versions

23.2.0

Bugs Fixed

  • Various library dependencies updates in Gradle build script
  • Docker image - manually install libssl3 to bring in latest version

22.1.3

Breaking Changes

  • Updated Metrics service default port from 8546 to 9546.

Features Added

  • Updated various dependent libraries versions

22.1.0

Features Added

  • Updated Tuweni dependency to version 2.1.0 #432
  • Updated Besu dependency to version 22.1.0 #436

21.10.9

Breaking Changes

  • Update EthSigner docker image user to use ethsigner instead of root. It may result in backward compatibility/permission issues with existing directory mounts.

Bugs Fixed

  • Update Vertx to 4.x and various other dependencies to their latest versions. #415

21.10.4

Bugs Fixed

  • Updated to log4j 2.17.1. Resolves two potential vulnerabilities which are only exploitable when using custom log4j configurations that are either writable by untrusted users or log data from the ThreadContext.

21.10.3

Bugs Fixed

  • Updated log4j to 2.17.0 to mitigate a potential DoS vulnerability when the logging configuration uses a non-default Pattern Layout with a Context Lookup.

21.10.2

Bugs Fixed

  • Updated log4j to 2.16.0 to mitigate JNDI attack via thread context.

21.10.1

Bugs Fixed

  • Updated log4j and explicitly disabled format message lookups.

21.10.0

Breaking Changes

  • Upgrade to signers 1.0.19 removes support for deprecated SECP256K1 curve in Azure remote signing #386

Bugs Fixed

  • Adding configuration files should load new accounts automatically without restarting EthSigner #390
  • eth_sign signing of hex data #393
  • Upgrade web3j to latest version for fix to handle large chainids in eip155 transactions #382

Features Added

  • Add validation for GoQuorum transactions with value #377
  • Add publishing to docker namespace "consensys/ethsigner" and deprecate docker namespace "consensys/quorum-ethsigner" #384
  • Upgrade to signers 1.0.19 allows empty password files to be read when creating a Signer #372
  • Upgrade besu to 21.10.0 for acceptance tests

21.3.2

Bugs Fixed

  • Fix nonce too low retries and added support for "replacement underpriced" and "Known transaction" RPC responses

21.3.1

Features Added

  • Update transaction signing to handle GoQuorum private transactions
  • Azure remote signing now supports new Azure keys using the curve name P-256K and signature algorithm name ES256K. The deprecated keys using the curve name SECP256K and signature algorithm name ECDSA256 are still supported.

Bugs Fixed

  • Fixed "nonce too low" retries and added support for the "replacement underpriced" RPC response

21.3.0

Features Added

  • Upgraded besu-metrics library
  • Publish ethsigner module jars to cloudsmith maven repo
  • Update Besu latest version for Acceptance Tests
  • Add gzip compression support

21.1.0

Features Added

  • Publish artifacts to cloudsmith.
  • Added support for sending GoQuorum private transactions via "eth_sendTransaction" JSON-RPC
  • Improve error message if HTTP server fails to start

20.10.0

Features Added

  • Added "eth_signTransaction" JSON-RPC
  • Docker namespace updated to reflect "consensys/quorum-ethsigner"
  • Strip ACCESS_CONTROL_ALLOW_ORIGIN header from responses received from the web3provider
  • Added a Prometheus metrics endpoint, reporting basic application metrics

Bugs Fixed

  • Transactions were not being handled in parallel, triggering poor performance under load

0.7.1

Features Added

  • Support for using config file and environment variables as default values for cli options
  • Updated signers library to the latest version
  • Accessing Azure signing service requires tenant id as part of Azure configuration
  • Communication details moved to Discord

Bugs Fixed

  • Prevent multiple transmission exceptions propagation upwards #312
  • Resolve failures in the application of CORS headers #286

0.7.0

Features Added

  • Added "eth_sign" JSON RPC
  • Added "--http-cors-origins" command-line option to allow browser-based apps (remix/metamask) to connect to EthSigner
  • Added "--downstream-http-path" command-line option to allow EthSigner to connect to a downstream web3 provider not on the root path (e.g. a web3 provider running in infura)
  • If inbound request contains the "Host" header, it is renamed to "X-Forwarded-Host" and added to downstream request
  • Code base split, crypto operations moved to "Signers" repository
  • First line of Password file (stripping EOL) is treated as the password (rather than whole file content)

Bugs Fixed

  • Fixed creation of an invalid signature when the Signature field was treated as a negative BigInteger #247

0.6.0

Changed CLI option name from --downstream-http-tls-ca-auth-disabled to --downstream-http-tls-ca-auth-enabled #230

0.5.0

Features Added

Bugs Fixed

  • Received headers are now forwarded to the web3 provider, resolving an issue where JWT token was not being passed in header #208
  • Resolved an issue where private transactions using privacyGroupId without a nonce failed #215

0.4.0

Features Added

  • Multi-key signing: EthSigner is initialised with a directory containing a number of TOML metadata files, each of which describes a key which may be used for signing. Upon reception of a Transaction, EthSigner loads the corresponding metadata file, and signs the Transaction with the key defined therein.
  • Relaxed definition of 'optional' when parsing eth_SendTransaction (empty string, null and "0x" are deemed a missing optional parameter).
  • All endpoints (not just "/") are proxied to the downstream web3j provider (e.g. "/login")
  • CI moved from Jenkins to CircleCI
  • Updated to Web3j 4.5.5
  • Updated to JUnit 5

Bugs Fixed

  • When a private transaction is submitted without a nonce, a nonce is generated and inserted. However, if the supplied nonce is too low, the transaction is not resubmitted with a new nonce. Rather an error is returned to the caller (resolved in Besu 1.2.5).
  • Removed intermittent "out of memory" failure during integration testing.
  • Resolved an issue whereby a missing optional field in eth_SendTransaction would fail

0.3.0

Known Issues

  • When a private transaction is submitted without a nonce, a nonce is generated and inserted. However, if the supplied nonce is too low, the transaction is not resubmitted with a new nonce. Rather an error is returned to the caller.

Features Added

  • Updated to use Web3j 4.5.0
  • Accepts Private Transactions addressed with "PrivacyGroupId", not just "PrivateFor"

Bugs Fixed

  • Private Transactions without nonces are now accepted and the nonce populated (see "Known Issues")

0.2.0

Known Issues

  • When a private transaction is submitted without a nonce, the transaction will be rejected. EthSigner is unable to derive an appropriate nonce for a private transaction; as such, the nonce field of eea_SendTransaction is mandatory: if a private transaction is submitted without a nonce, an error will be returned. DApps can use the priv_getTransactionCount JSON RPC to determine the correct nonce prior to transaction transmission.

Breaking Changes

  • Command line reworked to specify the source of the key used for transaction signing.
  • EthSigner is supported on Java 11+ only; Java 8 is no longer supported.

Features Added

  • Created EthSigner documentation
  • Allow EthSigner to be deployed as a Docker image
  • Support signing transaction with a key stored in an Azure KeyVault (cloud based software/HSM signing service) (thanks to jimthematrix)
  • Added an Upcheck endpoint
  • Support signing transactions with a key stored in a Hashicorp vault
  • Sign private transaction submitted via eea_SendTransaction
  • Jar files are available from the EthSigner bintray repository.

Bugs Fixed

  • N/A