Releases: eth-educators/ethstaker-deposit-cli
Ethereum Key Forge
Summary
This is the first production release for ethstaker-deposit-cli. It includes all the fixes and recommendations from our security assessment report from Trail of Bits that was completed on December 13, 2024.
Notable changes from the original project include:
- New exit commands to create an exit message and perform a voluntary exit for your validators.
- Multiprocessing support to increase the speed of processes that can be expanded to use more than a single thread or a single process. This helps with generating a large number of validator keys for instance.
- Support for more recent OSes and Python versions by default.
- A dedicated documentation website.
- Support for compounding or `0x02` withdrawal credentials for EIP-7251 and the upcoming Pectra fork.
All changes
What's Changed
- Bump docker/build-push-action from 6.9.0 to 6.10.0 by @dependabot in #241
- Bump pytest from 8.3.3 to 8.3.4 by @dependabot in #240
- Bump tomli from 2.1.0 to 2.2.1 by @dependabot in #239
- Call everything in clear terminal twice by @remyroy in #242
- Bump six from 1.16.0 to 1.17.0 by @dependabot in #243
- Bump actions/attest-build-provenance from 1 to 2 by @dependabot in #245
- Bump coverage from 7.6.8 to 7.6.9 by @dependabot in #244
- Bump ssz from 0.5.0 to 0.5.1 by @dependabot in #247
- Bump pyrsistent from 0.16.1 to 0.20.0 by @dependabot in #206
- Bump cytoolz from 1.0.0 to 1.0.1 by @dependabot in #248
- Bump pytest-asyncio from 0.24.0 to 0.25.0 by @dependabot in #246
- Add security report details by @remyroy in #249
Full Changelog: v0.6.0...v1.0.0
Building process
Release assets were built using Github Actions and this workflow run. You can establish the provenance of this build using our artifact attestations.
With the GitHub CLI installed, a simple way to verify these assets is to run this command while replacing `[filename]` with the path to the downloaded asset:
gh attestation verify [filename] --repo eth-educators/ethstaker-deposit-cli
This step requires you to be online. If you want to perform this offline, follow these instructions from GitHub.
Binaries
System | Architecture | Binary | Checksum |
---|---|---|---|
Windows | x86_64 | ethstaker_deposit-cli-4ce275e-windows-amd64.zip | sha256 |
macOS | x86_64 | ethstaker_deposit-cli-4ce275e-darwin-amd64.tar.gz | sha256 |
macOS | aarch64 | ethstaker_deposit-cli-4ce275e-darwin-arm64.tar.gz | sha256 |
Linux | x86_64 | ethstaker_deposit-cli-4ce275e-linux-amd64.tar.gz | sha256 |
Linux | aarch64 | ethstaker_deposit-cli-4ce275e-linux-arm64.tar.gz | sha256 |
Docker image
Version | Name | Package |
---|---|---|
v1.0.0 | ghcr.io/eth-educators/ethstaker-deposit-cli:v1.0.0 | Github Package |
License
By downloading and using this software, you agree to the license.
Key Safety
Summary
This is our main release after our security assessment with Trail of Bits. This release includes all fixes and changes that were recommended in the draft report that was shown to us. It includes fixes for the following issues:
- Use of unpinned third-party docker image and actions on workflows [TOB-ETHSTAKER-1] #181
- Use of GPG for release signing and verification [TOB-ETHSTAKER-2] #182
- Sensitive files are incorrectly assigned permissions and ownership [TOB-ETHSTAKER-3] #183
- Error-prone path handling [TOB-ETHSTAKER-4] #184
- Emphasize critical warning regarding clipboard clearing [TOB-ETHSTAKER-5] #185
- Terminal buffer is not cleared on iterm2 [TOB-ETHSTAKER-7] #186
- Code Quality Recommendations from ToB #187
- Encryption function random parameters are set at program init [TOB-ETHSTAKER-6] #238
A security issue was discovered during a security review of the ethstaker-deposit-cli project by Trail of Bits. This vulnerability affects users who previously generated multiple keystore files in a single run using staking-deposit-cli (formerly eth2-deposit-cli), ethstaker-deposit-cli, or Wagyu Key Gen. If a malicious actor obtains your keystore files, there is a risk of exposing the private keys. While a small number of leaked keystore files would require significant computing power to exploit, the attack becomes increasingly feasible as more files are compromised from a single tool run.
We strongly recommend using the updated version of ethstaker-deposit-cli to create new validator keys if you want to add more validators to an existing setup or if you are starting from scratch. If you believe your previously generated keystore files were not leaked or exposed to any malicious actor, no further action is necessary. However, if you suspect a large number of keystore files from a single tool run may have been potentially exposed, you should assume the keystore private keys have been compromised.
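A defender-side check for the issue described above, as an added example that is not code from the project or from the Trail of Bits report. It assumes the "random parameters" are the KDF salt and cipher IV fields of an EIP-2335 keystore, that a Python default argument is how a value ends up fixed at program init, and that keystore files match `keystore*.json`; all function names are hypothetical.

```python
import json
import os
from collections import defaultdict
from pathlib import Path


def _keystore(index, salt, iv):
    # Constructed, EIP-2335-shaped record; ciphertext and checksum are omitted.
    return {
        "version": 4,
        "path": f"m/12381/3600/{index}/0/0",
        "crypto": {
            "kdf": {"function": "scrypt", "params": {"salt": salt.hex()}},
            "cipher": {"function": "aes-128-ctr", "params": {"iv": iv.hex()}},
        },
    }


# Flawed pattern (assumed shape of the bug): default values are evaluated once,
# when the function is defined, so every call in one process reuses them.
def encrypt_init_time(index, salt=os.urandom(32), iv=os.urandom(16)):
    return _keystore(index, salt, iv)


# Corrected pattern: fresh randomness is drawn inside each call.
def encrypt_per_call(index, salt=None, iv=None):
    salt = os.urandom(32) if salt is None else salt
    iv = os.urandom(16) if iv is None else iv
    return _keystore(index, salt, iv)


def find_shared_parameters(keystores):
    """Return {(field, value): [names]} for values found in more than one keystore.

    `keystores` maps a file name to its parsed JSON content.
    """
    seen = defaultdict(list)
    for name, data in keystores.items():
        crypto = data.get("crypto", {})
        salt = crypto.get("kdf", {}).get("params", {}).get("salt")
        iv = crypto.get("cipher", {}).get("params", {}).get("iv")
        for field, value in (("kdf.salt", salt), ("cipher.iv", iv)):
            if isinstance(value, str) and value:
                seen[(field, value.lower())].append(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


def audit_directory(directory):
    """Load every keystore*.json in `directory` and report shared values."""
    keystores = {}
    for path in sorted(Path(directory).glob("keystore*.json")):
        with open(path, encoding="utf-8") as handle:
            keystores[path.name] = json.load(handle)
    return find_shared_parameters(keystores)


if __name__ == "__main__":
    flawed = {f"keystore-{i}.json": encrypt_init_time(i) for i in range(3)}
    fixed = {f"keystore-{i}.json": encrypt_per_call(i) for i in range(3)}
    print("init-time defaults:", find_shared_parameters(flawed))
    print("per-call randomness:", find_shared_parameters(fixed))
```

A non-empty result from `audit_directory` lists the files that share a salt or IV, which is the signature of one affected tool run; the guidance above on suspected exposure applies to that group as a whole.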
All changes
What's Changed
- fix: typos in documentation files by @leopardracer in #232
- Bump tomli from 2.0.2 to 2.1.0 by @dependabot in #234
- Bump coverage from 7.6.4 to 7.6.7 by @dependabot in #233
- Bump docker/metadata-action from 5.5.1 to 5.6.1 by @dependabot in #236
- Bump coverage from 7.6.7 to 7.6.8 by @dependabot in #235
New Contributors
- @leopardracer made their first contribution in #232
Full Changelog: v0.5.0...v0.6.0
Building process
Release assets were built using Github Actions and this workflow run. You can establish the provenance of this build using our artifact attestations.
With the GitHub CLI installed, a simple way to verify these assets is to run this command while replacing `[filename]` with the path to the downloaded asset:
gh attestation verify [filename] --repo eth-educators/ethstaker-deposit-cli
This step requires you to be online. If you want to perform this offline, follow these instructions from GitHub.
Binaries
System | Architecture | Binary | Checksum |
---|---|---|---|
Windows | x86_64 | ethstaker_deposit-cli-932a916-windows-amd64.zip | sha256 |
macOS | x86_64 | ethstaker_deposit-cli-932a916-darwin-amd64.tar.gz | sha256 |
macOS | aarch64 | ethstaker_deposit-cli-932a916-darwin-arm64.tar.gz | sha256 |
Linux | x86_64 | ethstaker_deposit-cli-932a916-linux-amd64.tar.gz | sha256 |
Linux | aarch64 | ethstaker_deposit-cli-932a916-linux-arm64.tar.gz | sha256 |
Docker image
Version | Name | Package |
---|---|---|
v0.6.0 | ghcr.io/eth-educators/ethstaker-deposit-cli:v0.6.0 | Github Package |
License
By downloading and using this software, you agree to the license.
Consolidated Power
Summary
This release adds the Mekong testnet settings and it implements compounding or `0x02` withdrawal credentials from EIP 7251. To target the Mekong testnet, simply use `--chain mekong` or enter `mekong` when prompted for a chain name with the various commands.
Known Issues
There is still an issue left to resolve from the security assessment from Trail of Bits.
All changes
What's Changed
- Bump cached-property from 1.5.2 to 2.0.1 by @dependabot in #229
- Bump tomli from 2.0.1 to 2.0.2 by @dependabot in #230
- Adding the Mekong testnet settings as another supported testnet by @remyroy in #231
- Add support for compounding validators and the related withdrawal credentials from EIP 7251 by @remyroy in #228
Full Changelog: v0.4.0...v0.5.0
Building process
Release assets were built using Github Actions and this workflow run. You can establish the provenance of this build using our artifact attestations.
With the GitHub CLI installed, a simple way to verify these assets is to run this command while replacing `[filename]` with the path to the downloaded asset:
gh attestation verify [filename] --repo eth-educators/ethstaker-deposit-cli
This step requires you to be online. If you want to perform this offline, follow these instructions from GitHub.
Binaries
System | Architecture | Binary | Checksum |
---|---|---|---|
Windows | x86_64 | ethstaker_deposit-cli-97a534a-windows-amd64.zip | sha256 |
macOS | x86_64 | ethstaker_deposit-cli-97a534a-darwin-amd64.tar.gz | sha256 |
macOS | aarch64 | ethstaker_deposit-cli-97a534a-darwin-arm64.tar.gz | sha256 |
Linux | x86_64 | ethstaker_deposit-cli-97a534a-linux-amd64.tar.gz | sha256 |
Linux | aarch64 | ethstaker_deposit-cli-97a534a-linux-arm64.tar.gz | sha256 |
Docker image
Version | Name | Package |
---|---|---|
v0.5.0 | ghcr.io/eth-educators/ethstaker-deposit-cli:v0.5.0 | Github Package |
License
By downloading and using this software, you agree to the license.
Safer Staking Steps
Summary
This is our first release after our security assessment with Trail of Bits. This release includes fixes and changes from the draft report that was shown to us. It includes fixes for the following issues:
- Use of unpinned third-party docker image and actions on workflows [TOB-ETHSTAKER-1] #181
- Use of GPG for release signing and verification [TOB-ETHSTAKER-2] #182
- Sensitive files are incorrectly assigned permissions and ownership [TOB-ETHSTAKER-3] #183
- Error-prone path handling [TOB-ETHSTAKER-4] #184
- Emphasize critical warning regarding clipboard clearing [TOB-ETHSTAKER-5] #185
- Terminal buffer is not cleared on iterm2 [TOB-ETHSTAKER-7] #186
- Code Quality Recommendations from ToB #187
Known Issues
There is still an issue left to resolve from the security assessment from Trail of Bits.
All changes
What's Changed
- Adding missing bls_keystore documentation by @valefar-on-discord in #180
- Switch to Python 3.13 stable by @yorickdowne in #177
- bugfix: Use all clearing methods for linux/darwin by @valefar-on-discord in #189
- Added documentation page for reporting a vulnerability by @remyroy in #197
- Remove the use of eval in build workflow by @remyroy in #194
- Pin dockerfile image with sha256 hash by @remyroy in #188
- Pin coverage python package by @remyroy in #192
- Create dependabot.yml by @remyroy in #190
- Create SECURITY.md by @remyroy in #191
- Don't return in `JITOption.__init__` by @remyroy in #195
- Pin jsonlint tool by @remyroy in #196
- Pinned third party workflow actions by @remyroy in #198
- Replace the use of GPG release signatures with GitHub attestations by @remyroy in #193
- Fix the comment workflow failure by checking for the coverage job success by @remyroy in #199
- Improve build workflow and release process by @remyroy in #200
- Improved runner workflow and minor fixes for shell scripts by @remyroy in #207
- Use 400 for sensitive files permissions on creation with O_EXCL flag by @remyroy in #208
- Emphasize clipboard clearing warning by @remyroy in #213
- Use utf-8 encoding for all JSON file writing and reading by @remyroy in #209
- Use a relative path from the last occurrence of the project directory name by @remyroy in #211
- Moved colorama dependency to platform dependent in requirements.txt by @remyroy in #219
- Bump pytest from 8.3.2 to 8.3.3 by @dependabot in #202
- Bump pycryptodome from 3.20.0 to 3.21.0 by @dependabot in #205
- Bump cytoolz from 0.12.3 to 1.0.0 by @dependabot in #204
- Bump mypy from 1.11.2 to 1.13.0 by @dependabot in #220
- Bump python docker image to python:3.12.7-slim-bookworm by @remyroy in #221
- Adding documentation how to create a non-32 eth deposit by @valefar-on-discord in #222
- Bump toolz from 0.12.1 to 1.0.0 by @dependabot in #223
- Bump eth-typing from 5.0.0 to 5.0.1 by @dependabot in #224
- Bump eth-utils from 5.0.0 to 5.1.0 by @dependabot in #225
- Bump coverage from 7.6.2 to 7.6.4 by @dependabot in #226
- Use a fake version value for the deposit data file to work around a Launchpad issue by @remyroy in #217
New Contributors
- @dependabot made their first contribution in #202
Full Changelog: v0.2.1...v0.4.0
Building process
Release assets were built using Github Actions and this workflow run. You can establish the provenance of this build using our artifact attestations.
With the GitHub CLI installed, a simple way to verify these assets is to run this command while replacing `[filename]` with the path to the downloaded asset:
gh attestation verify [filename] --repo eth-educators/ethstaker-deposit-cli
This step requires you to be online. If you want to perform this offline, follow these instructions from GitHub.
Binaries
System | Architecture | Binary | Checksum |
---|---|---|---|
Windows | x86_64 | ethstaker_deposit-cli-fb25c7b-windows-amd64.zip | sha256 |
macOS | x86_64 | ethstaker_deposit-cli-fb25c7b-darwin-amd64.tar.gz | sha256 |
macOS | aarch64 | ethstaker_deposit-cli-fb25c7b-darwin-arm64.tar.gz | sha256 |
Linux | x86_64 | ethstaker_deposit-cli-fb25c7b-linux-amd64.tar.gz | sha256 |
Linux | aarch64 | ethstaker_deposit-cli-fb25c7b-linux-arm64.tar.gz | sha256 |
Docker image
Version | Name | Package |
---|---|---|
v0.4.0 | ghcr.io/eth-educators/ethstaker-deposit-cli:v0.4.0 | Github Package |
License
By downloading and using this software, you agree to the license.
Smooth Escape
Summary
This preview release contains all the changes made since the original fork of the staking-deposit-cli project (fdab65d commit) and all the improvements the EthStaker team has been working on to enhance the feature set and address issues in preparation for our security audit.
All changes
What's Changed
- Use sys.exit instead of exit by @valefar-on-discord in #176
Full Changelog: v0.2.0...v0.2.1
Building process
Release assets were built using GitHub Actions and this workflow run. You can verify the provenance of this build using our artifact attestations.
Binaries
Our binaries are signed with ethstaker-deposit-cli's PGP key: `54FA06FC0860FC0DCCC68E3ECE9FF2391DF26368`.
System | Architecture | Binary | Checksum | PGP Signature |
---|---|---|---|---|
Windows | x86_64 | ethstaker_deposit-cli-66054f5-windows-amd64.zip | sha256 | PGP Signature |
macOS | x86_64 | ethstaker_deposit-cli-66054f5-darwin-amd64.tar.gz | sha256 | PGP Signature |
macOS | aarch64 | ethstaker_deposit-cli-66054f5-darwin-arm64.tar.gz | sha256 | PGP Signature |
Linux | x86_64 | ethstaker_deposit-cli-66054f5-linux-amd64.tar.gz | sha256 | PGP Signature |
Linux | aarch64 | ethstaker_deposit-cli-66054f5-linux-arm64.tar.gz | sha256 | PGP Signature |
Docker image
Version | Name | Package |
---|---|---|
v0.2.1 | ghcr.io/eth-educators/ethstaker-deposit-cli:v0.2.1 | GitHub Package |
License
By downloading and using this software, you agree to the license.
Audit Armor
Summary
This preview release contains all the changes made since the original fork of the staking-deposit-cli project (fdab65d commit) and all the improvements the EthStaker team has been working on to enhance the feature set and address issues in preparation for our security audit.
All changes
What's Changed
- Updating mnemonic language determination by @valefar-on-discord in #142
- Don't pause or prompt for a key when running in non-interactive mode by @remyroy in #173
Full Changelog: v0.1.4...v0.2.0
Building process
Release assets were built using GitHub Actions and this workflow run. You can verify the provenance of this build using our artifact attestations.
Binaries
Our binaries are signed with ethstaker-deposit-cli's PGP key: `54FA06FC0860FC0DCCC68E3ECE9FF2391DF26368`.
System | Architecture | Binary | Checksum | PGP Signature |
---|---|---|---|---|
Windows | x86_64 | ethstaker_deposit-cli-18abde3-windows-amd64.zip | sha256 | PGP Signature |
macOS | x86_64 | ethstaker_deposit-cli-18abde3-darwin-amd64.tar.gz | sha256 | PGP Signature |
macOS | aarch64 | ethstaker_deposit-cli-18abde3-darwin-arm64.tar.gz | sha256 | PGP Signature |
Linux | x86_64 | ethstaker_deposit-cli-18abde3-linux-amd64.tar.gz | sha256 | PGP Signature |
Linux | aarch64 | ethstaker_deposit-cli-18abde3-linux-arm64.tar.gz | sha256 | PGP Signature |
Docker image
Version | Name | Package |
---|---|---|
v0.2.0 | ghcr.io/eth-educators/ethstaker-deposit-cli:v0.2.0 | GitHub Package |
License
By downloading and using this software, you agree to the license.
Prelude to Scrutiny
Summary
This preview release contains all the latest changes from the work being done to prepare for the security audit. This release is a test for the full release process.
Known Issues
- Using mnemonic words that are possible in multiple languages will potentially lead to hidden behaviors. See #119
All changes
What's Changed
- Add test-keystore command to verify keystore access by @valefar-on-discord in #143
- Use withdrawal address instead of execution address and rework parts around it by @remyroy in #149
- Start build workflow on tag by @remyroy in #154
- Use a different asset name for Ubuntu on arm64 binary assets by @remyroy in #155
- Clear clipboard of the mnemonic by @yorickdowne in #130
- Remove unused circleci stuff by @remyroy in #150
- Clear scrollback by @yorickdowne in #158
- Notes on Windows prerequisites by @yorickdowne in #161
- Remove `LD_LIBRARY_PATH` on Linux when calling `tput` by @yorickdowne in #164
- Fix mac clear by @yorickdowne in #165
- Update pull_request_template.md by @yorickdowne in #166
- Add documentation page for BLS to execution change file by @remyroy in #168
- Add release instructions by @remyroy in #159
- Add documentation page for Signed Exit Transaction file and related fixes by @remyroy in #169
- Moved majority of README info into docs by @nixorokish in #172
- Adding documentation for bls-to-execution-change-keystore command by @valefar-on-discord in #171
New Contributors
- @nixorokish made their first contribution in #172
Full Changelog: v0.1.3...v0.1.4
Building process
Release assets were built using Github Actions and this workflow run. You can establish the provenance of this build using our artifact attestations.
Binaries
Our binaries are signed with ethstaker-deposit-cli's PGP key: `54FA06FC0860FC0DCCC68E3ECE9FF2391DF26368`.
System | Architecture | Binary | Checksum | PGP Signature |
---|---|---|---|---|
Windows | x86_64 | ethstaker_deposit-cli-cf2503e-windows-amd64.zip | sha256 | PGP Signature |
macOS | x86_64 | ethstaker_deposit-cli-cf2503e-darwin-amd64.tar.gz | sha256 | PGP Signature |
macOS | aarch64 | ethstaker_deposit-cli-cf2503e-darwin-arm64.tar.gz | sha256 | PGP Signature |
Linux | x86_64 | ethstaker_deposit-cli-cf2503e-linux-amd64.tar.gz | sha256 | PGP Signature |
Linux | aarch64 | ethstaker_deposit-cli-cf2503e-linux-arm64.tar.gz | sha256 | PGP Signature |
Docker image
Version | Name | Package |
---|---|---|
v0.1.4 | ghcr.io/eth-educators/ethstaker-deposit-cli:v0.1.4 | Github Package |
License
By downloading and using this software, you agree to the license.
Dress Rehearsal
Summary
This preview release contains all the latest changes from the work being done to prepare for the security audit. This release is a test for the full release process.
All changes
What's Changed
- Build changes by @yorickdowne in #94
- Click 8 by @yorickdowne in #98
- Fix misleading help message by @yorickdowne in #99
- Clarify confirmation prompt by @yorickdowne in #100
- Add coverage reports to github actions by @jshufro in #103
- Python 3.13 by @yorickdowne in #97
- Remove linter ignores by @yorickdowne in #102
- Granular test skip on macOS Python 3.9 by @yorickdowne in #104
- Clearer progress messages during key generation by @yorickdowne in #105
- Add `keystore_password` to `README.md` by @yorickdowne in #107
- Establish Valefar and Remy as global code owners by @yorickdowne in #109
- Document canonical deposit contract and launchpad by @yorickdowne in #108
- Adding command to create deposit with validator keystore by @valefar-on-discord in #113
- Arm64 runners by @yorickdowne in #117
- Update build requirements by @yorickdowne in #114
- Help with internet by @yorickdowne in #116
- RTL handling by @yorickdowne in #96
- Add pre-commit by @yorickdowne in #118
- Lint first by @yorickdowne in #123
- Add owl art by @yorickdowne in #124
- List becomes list by @yorickdowne in #126
- Don't prompt for `--language` when `--non_interactive` by @yorickdowne in #115
- Lint JSON files by @yorickdowne in #127
- Check terminal encoding by @yorickdowne in #101
- Support `uv` by @yorickdowne in #112
- Minimum password length 12 by @yorickdowne in #129
- Fix coverage data uploads, update comment.yml workflow to fail open. by @jshufro in #139
- Version value rework and centralization by @remyroy in #136
- Add a CNAME to gh pages by @yorickdowne in #135
- Add command to sign a withdrawal credentials update message using a validator keystore by @valefar-on-discord in #88
- capping max deposit amount for partial to 2048 by @valefar-on-discord in #141
- Python 3.13.0-rc2 for now by @yorickdowne in #131
- Add documentation for keystore and deposit data files by @remyroy in #145
- Add the ability to use a custom network for every command by @remyroy in #147
New Contributors
Full Changelog: v0.1.2...v0.1.3
Building process
Release assets were built using Github Actions and this workflow run. You can establish the provenance of this build using our artifact attestations.
Binaries
Our binaries are signed with ethstaker-deposit-cli's PGP key: `54FA06FC0860FC0DCCC68E3ECE9FF2391DF26368`.
System | Architecture | Binary | Checksum | PGP Signature |
---|---|---|---|---|
Windows | x86_64 | ethstaker_deposit-cli-90b09a9-windows-amd64.zip | sha256 | PGP Signature |
macOS | x86_64 | ethstaker_deposit-cli-90b09a9-darwin-amd64.tar.gz | sha256 | PGP Signature |
macOS | aarch64 | ethstaker_deposit-cli-90b09a9-darwin-arm64.tar.gz | sha256 | PGP Signature |
Linux | x86_64 | ethstaker_deposit-cli-90b09a9-linux-amd64.tar.gz | sha256 | PGP Signature |
Linux | aarch64 | ethstaker_deposit-cli-90b09a9-linux-arm64.tar.gz | sha256 | PGP Signature |
Docker image
Version | Name | Package |
---|---|---|
v0.1.3 | ghcr.io/eth-educators/ethstaker-deposit-cli:v0.1.3 | Github Package |
License
By downloading and using this software, you agree to the license.
Impetuous Import
This release adds a `setup.py` so `ethstaker_deposit` can be imported as a Python module by other projects.
All notes from `v0.1.1` otherwise apply.
Do-Over Deposit
Summary
This preview release contains a fix for #84, the issue we had with the previous release.
Known Issues
Python 3.9 and macOS
Running the test suite seems to break once in a while on macOS with Python 3.9. This is likely to be an issue with that version of Python with multiprocessing on macOS. This is still being investigated.
All changes
Full Changelog: v0.1.0...v0.1.1
Building process
Release assets were built using Github Actions and this workflow run. You can establish the provenance of this build using our artifact attestations.
Binaries
Our binaries are signed with ethstaker-deposit-cli's PGP key: `54FA06FC0860FC0DCCC68E3ECE9FF2391DF26368`.
System | Architecture | Binary | Checksum | PGP Signature |
---|---|---|---|---|
Windows | x86_64 | ethstaker_deposit-cli-e1cedbc-windows-amd64.zip | sha256 | PGP Signature |
macOS | x86_64 | ethstaker_deposit-cli-e1cedbc-darwin-amd64.tar.gz | sha256 | PGP Signature |
macOS | aarch64 | ethstaker_deposit-cli-e1cedbc-darwin-arm64.tar.gz | sha256 | PGP Signature |
Linux | x86_64 | ethstaker_deposit-cli-e1cedbc-linux-amd64.tar.gz | sha256 | PGP Signature |
Docker image
Version | Name | Package |
---|---|---|
v0.1.1 | ghcr.io/eth-educators/ethstaker-deposit-cli:v0.1.1 | Github Package |
License
By downloading and using this software, you agree to the license.