Skip to content

[P2] security: optional signature verification for MLnode PoC endpoints#537

Closed
x0152 wants to merge 2 commits into
gonka-ai:upgrade-v0.2.12from
x0152:security/mlnode-poc-signature
Closed

[P2] security: optional signature verification for MLnode PoC endpoints#537
x0152 wants to merge 2 commits into
gonka-ai:upgrade-v0.2.12from
x0152:security/mlnode-poc-signature

Conversation

@x0152

@x0152 x0152 commented Jan 9, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

MLnode api endpoints are currently unauthenticated, allowing an attacker who can reach the mlnode port to hijack POC by sending their own callback_url

Adds request signing using the existing signerAccount key. Network Node signs requests with X-Signature header, mlnode verifies using SIGNER_PUBKEY environment variable. For standard deployment where mlnode is on the same machine, it works automatically since SIGNER_PUBKEY defaults to ACCOUNT_PUBKEY

For remote mlnode setups, you need to set SIGNER_PUBKEY manually. If SIGNER_PUBKEY is not set, verification is skipped for backward compatibility

Get public key on network node:

source config.env
inferenced keys show $KEY_NAME --pubkey --keyring-backend $KEYRING_BACKEND | jq -r '.key'

Start mlnode with signature verification:

export SIGNER_PUBKEY=<public_key_from_above>
docker-compose -f docker-compose.mlnode.yml up -d

@x0152 x0152 mentioned this pull request Jan 9, 2026
Closed
@x0152

x0152 commented Jan 9, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator Author

Current PR covers POC as the most critical - direct reward theft. Firstly would be good to understand if this direction makes sense. I should update PR description to clarify scope

IgnatovFedor
IgnatovFedor reviewed Jan 14, 2026
View reviewed changes
Comment thread mlnode/packages/pow/src/pow/service/auth.py Outdated
Comment thread mlnode/packages/pow/src/pow/service/routes.py Outdated
@x0152 x0152 marked this pull request as draft January 14, 2026 15:00
@tcharchian tcharchian linked an issue Jan 15, 2026 that may be closed by this pull request
[P2] Security MerkleTree Proofs; Merge participant validation till block0; Need to add signature check at recording #330
Open
@x0152 x0152 marked this pull request as ready for review January 15, 2026 15:55
@tcharchian tcharchian added this to Triage Feb 9, 2026
@github-project-automation github-project-automation Bot moved this to New in Triage Feb 9, 2026
@tcharchian tcharchian moved this from New to Needs triage in Triage Feb 9, 2026
@tcharchian tcharchian removed this from Triage Feb 11, 2026
@tcharchian tcharchian added this to the v0.2.11 milestone Feb 11, 2026
@IgnatovFedor IgnatovFedor changed the base branch from main to upgrade-v0.2.11 February 23, 2026 16:40
@IgnatovFedor IgnatovFedor modified the milestones: v0.2.11, v0.2.12 Feb 24, 2026
@tcharchian tcharchian moved this from Todo to Needs reviewer in Upgrade v0.2.12 Feb 28, 2026
@tcharchian tcharchian changed the title security: optional signature verification for MLnode PoC endpoints [P2] security: optional signature verification for MLnode PoC endpoints Mar 21, 2026
@tcharchian tcharchian moved this from Needs reviewer to Waiting on the author in Upgrade v0.2.12 Mar 21, 2026
@tcharchian tcharchian removed the request for review from DimaOrekhovPS March 21, 2026 00:50
@tcharchian

tcharchian commented Mar 21, 2026

Copy link
Copy Markdown
Collaborator

Hey @x0152 @akup! It would be great if you could sync on the next steps for this pull request and make the needed decisions together. If you can move it forward on your own, it could be included in v0.2.12. But overall, this is a nice-to-have rather than something critical.

@IgnatovFedor IgnatovFedor changed the base branch from upgrade-v0.2.11 to upgrade-v0.2.12 March 23, 2026 12:59
@x0152

x0152 commented Mar 25, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator Author

@akup If the poc api update is coming, let's postpone #537 and #417 until after that. #717 can go in this upgrade - it's optional, shouldn't be affected by PoC API changes and enables cloud-hosted MLNode setups

#537 and #417 for security and stability should go on top of the new api once it is validated on mainnet, to avoid regressions

what do you think about that?

@x0152

x0152 commented Mar 27, 2026

Copy link
Copy Markdown
Collaborator Author

Agree, let's merge #717 in this release and postpone #537/ #417 to the next one

@x0152 x0152 removed this from the v0.2.12 milestone Mar 27, 2026
@patimen

patimen commented Apr 29, 2026

Copy link
Copy Markdown
Collaborator

@akup , @x0152 - Do we want to push on this one? You seemed ready to push it forward.

@x0152

x0152 commented Apr 29, 2026

Copy link
Copy Markdown
Collaborator Author

Agreed - let's include this in v0.2.13

@x0152 x0152 modified the milestone: v0.2.13 Apr 29, 2026
@x0152 x0152 marked this pull request as draft April 29, 2026 09:16
@tcharchian

tcharchian commented May 21, 2026

Copy link
Copy Markdown
Collaborator

Hi @x0152, are you ready to include this PR in the next upgrade?

@x0152 x0152 mentioned this pull request Jun 10, 2026
Open
@x0152

x0152 commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator Author

#1329

@x0152 x0152 closed this Jun 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@IgnatovFedor IgnatovFedor IgnatovFedor left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@akup akup

@x0152 x0152

Labels

Priority: Low

Projects

None yet

Milestone

v0.2.14

Development

Successfully merging this pull request may close these issues.

[P2] Security MerkleTree Proofs; Merge participant validation till block0; Need to add signature check at recording

4 participants

@x0152 @tcharchian @patimen @IgnatovFedor