Fix public key signing.

.golangci.yml

@@ -153,7 +153,6 @@ linters:
     - depguard
     - dupl
     - err113
-    - execinquery
     - exhaustive
     - exhaustruct
     - exportloopref
@@ -163,7 +162,6 @@ linters:
     - gochecknoglobals
     - gocognit
     - goconst
-    - gomnd
     - ireturn
     - inamedparam
     - lll

CHANGELOG.md

@@ -4,6 +4,7 @@
   - enable gzip compression
   - disallow generation of distributed accounts without passphrases
   - allow use of keystore wallets
+  - fix issue where signing with a public key as identifier could fail
 
 # Version 1.2.0
   - add Amazon Secrets Manager (ASM) confidant

go.mod

@@ -27,7 +27,7 @@ require (
 	github.com/wealdtech/go-eth2-wallet v1.17.0
 	github.com/wealdtech/go-eth2-wallet-distributed v1.2.1
 	github.com/wealdtech/go-eth2-wallet-encryptor-keystorev4 v1.4.1
-	github.com/wealdtech/go-eth2-wallet-hd/v2 v2.7.0
+	github.com/wealdtech/go-eth2-wallet-hd/v2 v2.7.1
 	github.com/wealdtech/go-eth2-wallet-keystore v1.0.0
 	github.com/wealdtech/go-eth2-wallet-nd/v2 v2.5.0
 	github.com/wealdtech/go-eth2-wallet-store-filesystem v1.18.1

go.sum

@@ -432,8 +432,8 @@ github.com/wealdtech/go-eth2-wallet-encryptor-keystorev4 v1.4.1 h1:9j7bpwjT9wmwB
 github.com/wealdtech/go-eth2-wallet-encryptor-keystorev4 v1.4.1/go.mod h1:+tI1VD76E1WINI+Nstg7RVGpUolL5ql10nu2YztMO/4=
 github.com/wealdtech/go-eth2-wallet-encryptor-unencrypted v1.0.2 h1:IMIyl70hbJlxOkgTcCK//3vKe5ylhGIk6oUlIlK9xp0=
 github.com/wealdtech/go-eth2-wallet-encryptor-unencrypted v1.0.2/go.mod h1:T8nyAscWIWNcNa6EG/19PwH/OCt2Ly7Orn5okmiuSP4=
-github.com/wealdtech/go-eth2-wallet-hd/v2 v2.7.0 h1:5g4emFacTf+sX6zx6SbZIZGR7Jx5Xr/Xdb7sXnEXlWk=
-github.com/wealdtech/go-eth2-wallet-hd/v2 v2.7.0/go.mod h1:aWgnEi07w1L9wMBRB69sYvoEONppAUly6FDQRWQGqH8=
+github.com/wealdtech/go-eth2-wallet-hd/v2 v2.7.1 h1:CrcPeJhMcNxSW+GAJwtpXz3mtGJjx4p9ykLlKvwZZZ4=
+github.com/wealdtech/go-eth2-wallet-hd/v2 v2.7.1/go.mod h1:aWgnEi07w1L9wMBRB69sYvoEONppAUly6FDQRWQGqH8=
 github.com/wealdtech/go-eth2-wallet-keystore v1.0.0 h1:DYR6TAyi7RxXoAanLSPdiufGxCX617BQwWOdCxHqHX4=
 github.com/wealdtech/go-eth2-wallet-keystore v1.0.0/go.mod h1:6DGINunnasS9y9F7KH3ya2h74fHWgSCfP3dAJWe4A6U=
 github.com/wealdtech/go-eth2-wallet-nd/v2 v2.5.0 h1:vphAFklkYMRJVo9f5rVWly7PECHrLS4yarjemBa7fRM=

rules/standard/signbeaconattestations.go

@@ -150,7 +150,6 @@ func (s *Service) runSignBeaconAttestationChecks(_ context.Context, metadata *ru
 
 	if state.TargetEpoch >= 0 {
 		// The request target epoch must be greater than the previous request target epoch.
-		//nolint:gosec
 		if targetEpoch <= uint64(state.TargetEpoch) {
 			log.Warn().
 				Int64("previousTargetEpoch", state.TargetEpoch).
@@ -163,7 +162,6 @@ func (s *Service) runSignBeaconAttestationChecks(_ context.Context, metadata *ru
 
 	if state.SourceEpoch >= 0 {
 		// The request source epoch must be greater than or equal to the previous request source epoch.
-		//nolint:gosec
 		if sourceEpoch < uint64(state.SourceEpoch) {
 			log.Warn().
 				Int64("previousSourceEpoch", state.SourceEpoch).

rules/standard/signbeaconproposal.go

@@ -89,7 +89,6 @@ func (s *Service) OnSignBeaconProposal(ctx context.Context, metadata *rules.ReqM
 
 	if state.Slot >= 0 {
 		// The request slot must be greater than the previous request slot.
-		//nolint:gosec
 		if slot <= uint64(state.Slot) {
 			log.Warn().
 				Int64("previousSlot", state.Slot).

services/api/grpc/handlers/signer/multisign.go

@@ -1,4 +1,4 @@
-// Copyright © 2021 Attestant Limited.
+// Copyright © 2021, 2025 Attestant Limited.
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -15,6 +15,7 @@ package signer
 
 import (
 	context "context"
+	"strings"
 
 	"github.com/attestantio/dirk/core"
 	"github.com/attestantio/dirk/rules"
@@ -47,23 +48,10 @@ func (h *Handler) Multisign(ctx context.Context, req *pb.MultisignRequest) (*pb.
 		res.Responses[i] = &pb.SignResponse{State: pb.ResponseState_UNKNOWN}
 	}
 
-	for i, request := range req.GetRequests() {
-		if request == nil {
-			log.Warn().Str("result", "denied").Msg("Request nil")
-			res.Responses[i].State = pb.ResponseState_FAILED
-
-			return res, nil
-		}
-		if request.GetData() == nil {
-			log.Warn().Str("result", "denied").Msg("Request data not specified")
-			res.Responses[i].State = pb.ResponseState_DENIED
-
-			return res, nil
-		}
-		if request.GetDomain() == nil {
-			log.Warn().Str("result", "denied").Msg("Request domain not specified")
-			res.Responses[i].State = pb.ResponseState_DENIED
-
+	validateMultisignRequests(ctx, req, res)
+	for i := range req.GetRequests() {
+		if res.GetResponses()[i].GetState() == pb.ResponseState_DENIED ||
+			res.GetResponses()[i].GetState() == pb.ResponseState_FAILED {
 			return res, nil
 		}
 	}
@@ -97,3 +85,41 @@ func (h *Handler) Multisign(ctx context.Context, req *pb.MultisignRequest) (*pb.
 
 	return res, nil
 }
+
+func validateMultisignRequests(_ context.Context,
+	req *pb.MultisignRequest,
+	res *pb.MultisignResponse,
+) {
+	for i, request := range req.GetRequests() {
+		if request == nil {
+			log.Warn().Str("result", "denied").Msg("Request nil")
+			res.Responses[i].State = pb.ResponseState_FAILED
+
+			return
+		}
+		if request.GetAccount() == "" && request.GetPublicKey() == nil {
+			log.Warn().Str("result", "denied").Msg("Neither account nor public key specified")
+			res.Responses[i].State = pb.ResponseState_DENIED
+
+			return
+		}
+		if request.GetAccount() != "" && !strings.Contains(request.GetAccount(), "/") {
+			log.Warn().Str("result", "denied").Msg("Invalid account specified")
+			res.Responses[i].State = pb.ResponseState_DENIED
+
+			return
+		}
+		if request.GetData() == nil {
+			log.Warn().Str("result", "denied").Msg("Request data not specified")
+			res.Responses[i].State = pb.ResponseState_DENIED
+
+			return
+		}
+		if request.GetDomain() == nil {
+			log.Warn().Str("result", "denied").Msg("Request domain not specified")
+			res.Responses[i].State = pb.ResponseState_DENIED
+
+			return
+		}
+	}
+}