Merge branch 'unstable' into vm-voluntary-exit

Author: chong-he

.github/workflows/docker.yml

@@ -13,8 +13,8 @@ concurrency:
   cancel-in-progress: true
 
 env:
-    DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-    DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+    DOCKER_PASSWORD: ${{ secrets.DH_KEY }}
+    DOCKER_USERNAME: ${{ secrets.DH_ORG }}
     # Enable self-hosted runners for the sigp repo only.
     SELF_HOSTED_RUNNERS: ${{ github.repository == 'sigp/lighthouse' }}
 

.github/workflows/release.yml

@@ -10,8 +10,8 @@ concurrency:
   cancel-in-progress: true
 
 env:
-    DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-    DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+    DOCKER_PASSWORD: ${{ secrets.DH_KEY }}
+    DOCKER_USERNAME: ${{ secrets.DH_ORG }}
     REPO_NAME: ${{ github.repository_owner }}/lighthouse
     IMAGE_NAME: ${{ github.repository_owner }}/lighthouse
     # Enable self-hosted runners for the sigp repo only.

Cargo.lock

@@ -201,7 +201,7 @@ tree_hash_derive = "0.8"
 url = "2"
 uuid = { version = "0.8", features = ["serde", "v4"] }
 warp = { version = "0.3.7", default-features = false, features = ["tls"] }
-zeroize = { version = "1", features = ["zeroize_derive"] }
+zeroize = { version = "1", features = ["zeroize_derive", "serde"] }
 zip = "0.6"
 
 # Local crates.

Cargo.toml

@@ -204,7 +204,7 @@ test-full: cargo-fmt test-release test-debug test-ef test-exec-engine
 # Lints the code for bad style and potentially unsafe arithmetic using Clippy.
 # Clippy lints are opt-in per-crate for now. By default, everything is allowed except for performance and correctness lints.
 lint:
-	cargo clippy --workspace --benches --tests $(EXTRA_CLIPPY_OPTS) --features "$(TEST_FEATURES)" -- \
+	RUSTFLAGS="-C debug-assertions=no $(RUSTFLAGS)" cargo clippy --workspace --benches --tests $(EXTRA_CLIPPY_OPTS) --features "$(TEST_FEATURES)" -- \
 		-D clippy::fn_to_numeric_cast_any \
 		-D clippy::manual_let_else \
 		-D clippy::large_stack_frames \

Makefile

@@ -27,6 +27,7 @@ safe_arith = { workspace = true }
 slot_clock = { workspace = true }
 filesystem = { workspace = true }
 sensitive_url = { workspace = true }
+zeroize = { workspace = true }
 
 [dev-dependencies]
 tempfile = { workspace = true }

account_manager/Cargo.toml

@@ -294,7 +294,7 @@ pub fn read_wallet_password_from_cli(
             eprintln!();
             eprintln!("{}", WALLET_PASSWORD_PROMPT);
             let password =
-                PlainText::from(read_password_from_user(stdin_inputs)?.as_ref().to_vec());
+                PlainText::from(read_password_from_user(stdin_inputs)?.as_bytes().to_vec());
             Ok(password)
         }
     }

account_manager/src/validator/create.rs

@@ -409,6 +409,6 @@ mod tests {
         )
         .unwrap();
 
-        assert_eq!(expected_pk, kp.pk.into());
+        assert_eq!(expected_pk, kp.pk);
     }
 }

account_manager/src/validator/exit.rs

@@ -7,7 +7,7 @@ use account_utils::{
         recursively_find_voting_keystores, PasswordStorage, ValidatorDefinition,
         ValidatorDefinitions, CONFIG_FILENAME,
     },
-    ZeroizeString, STDIN_INPUTS_FLAG,
+    STDIN_INPUTS_FLAG,
 };
 use clap::{Arg, ArgAction, ArgMatches, Command};
 use clap_utils::FLAG_HEADER;
@@ -16,6 +16,7 @@ use std::fs;
 use std::path::PathBuf;
 use std::thread::sleep;
 use std::time::Duration;
+use zeroize::Zeroizing;
 
 pub const CMD: &str = "import";
 pub const KEYSTORE_FLAG: &str = "keystore";
@@ -148,7 +149,7 @@ pub fn cli_run(matches: &ArgMatches, validator_dir: PathBuf) -> Result<(), Strin
     // Skip keystores that already exist, but exit early if any operation fails.
     // Reuses the same password for all keystores if the `REUSE_PASSWORD_FLAG` flag is set.
     let mut num_imported_keystores = 0;
-    let mut previous_password: Option<ZeroizeString> = None;
+    let mut previous_password: Option<Zeroizing<String>> = None;
 
     for src_keystore in &keystore_paths {
         let keystore = Keystore::from_json_file(src_keystore)
@@ -182,14 +183,17 @@ pub fn cli_run(matches: &ArgMatches, validator_dir: PathBuf) -> Result<(), Strin
 
             let password = match keystore_password_path.as_ref() {
                 Some(path) => {
-                    let password_from_file: ZeroizeString = fs::read_to_string(path)
+                    let password_from_file: Zeroizing<String> = fs::read_to_string(path)
                         .map_err(|e| format!("Unable to read {:?}: {:?}", path, e))?
                         .into();
-                    password_from_file.without_newlines()
+                    password_from_file
+                        .trim_end_matches(['\r', '\n'])
+                        .to_string()
+                        .into()
                 }
                 None => {
                     let password_from_user = read_password_from_user(stdin_inputs)?;
-                    if password_from_user.as_ref().is_empty() {
+                    if password_from_user.is_empty() {
                         eprintln!("Continuing without password.");
                         sleep(Duration::from_secs(1)); // Provides nicer UX.
                         break None;
@@ -314,7 +318,7 @@ pub fn cli_run(matches: &ArgMatches, validator_dir: PathBuf) -> Result<(), Strin
 /// Otherwise, returns the keystore error.
 fn check_password_on_keystore(
     keystore: &Keystore,
-    password: &ZeroizeString,
+    password: &Zeroizing<String>,
 ) -> Result<bool, String> {
     match keystore.decrypt_keypair(password.as_ref()) {
         Ok(_) => {

account_manager/src/validator/import.rs

@@ -226,14 +226,14 @@ pub fn read_new_wallet_password_from_cli(
             eprintln!();
             eprintln!("{}", NEW_WALLET_PASSWORD_PROMPT);
             let password =
-                PlainText::from(read_password_from_user(stdin_inputs)?.as_ref().to_vec());
+                PlainText::from(read_password_from_user(stdin_inputs)?.as_bytes().to_vec());
 
             // Ensure the password meets the minimum requirements.
             match is_password_sufficiently_complex(password.as_bytes()) {
                 Ok(_) => {
                     eprintln!("{}", RETYPE_PASSWORD_PROMPT);
                     let retyped_password =
-                        PlainText::from(read_password_from_user(stdin_inputs)?.as_ref().to_vec());
+                        PlainText::from(read_password_from_user(stdin_inputs)?.as_bytes().to_vec());
                     if retyped_password == password {
                         break Ok(password);
                     } else {