docs(tbtc/signer): pin frost dependency audit status; attestation cadence#4042
Merged
mswilkison merged 1 commit intoJun 12, 2026
Conversation
…ence Post-merge follow-up #5 from the June 2026 review stack (the remaining half of #4033's item): cite the exact external audit coverage of the pinned FROST stack in the readiness/rollout docs, and record the attestation-rotation operational requirement surfaced by #4037. - rollout gates doc gains a "Cryptographic Dependency Audit Status" section: NCC Group's Zcash FROST Security Assessment (2023-10-20) covered v0.6.0 (commit 5fa17ed) of frost-core and five ciphersuites; upstream states explicitly that frost-secp256k1-tr and rerandomized FROST are NOT included; Least Authority's Q1 2025 audit covered demo tooling only. Bottom line recorded honestly: the pinned frost-secp256k1-tr =3.0.0 and the v0.6.0->3.0.0 frost-core evolution have no external audit coverage, so Gate 1 must either commission an audit or record written risk acceptance scoped to canary - a team decision this section now gives a factual basis. - rollout runbook prerequisites gain the attestation rotation cadence: init-time config is immutable per process and attestation TTL caps at 7 days, so signers must restart with fresh attestation within every window; live re-attestation is deliberately unsupported. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
484c377
into
extraction/frost-signer-mirror-2026-05-26
19 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Post-merge follow-up #5 from the June 2026 review stack — the remaining half of #4033's item: cite the exact external audit report and version range covering the pinned FROST stack in the readiness/rollout docs. Also records the attestation-rotation operational requirement that #4037's review surfaced.
Audit status (researched against upstream sources, 2026-06-12)
The new "Cryptographic Dependency Audit Status" section in
roast-phase-5-security-rollout-gates.mdrecords, with citations:5fa17ed) offrost-core+ five ciphersuites — trusted-dealer and DKG key generation plus signing; all findings addressed and re-reviewed.frost-client/frostdtooling only — not the library crates this signer consumes.The honest bottom line, now on the record: the exact ciphersuite this signer uses for production signatures (
frost-secp256k1-tr =3.0.0, released 2025-04-23) and the v0.6.0 → 3.0.0 evolution offrost-corehave no external audit coverage. Gate 1 sign-off must therefore either commission/await an audit covering that range (the checklist item-8 "audit as ECDSA-retirement merge gate" decision) or record a written, canary-scoped risk acceptance. The section gives that team decision its factual basis instead of letting "FROST was audited" stand unqualified.Attestation rotation cadence (runbook prerequisite 6)
From #4037's design: init-time config is immutable for the process lifetime and attestation TTL caps at 7 days, so production signers must restart with fresh attestation material within every window — rollout stage scheduling has to absorb that cadence. Live re-attestation without restart is deliberately unsupported (it would need a dedicated narrow FFI; general config mutation reopens the split-brain risk the immutable design closed).
Doc-only change; no code. Sources verified via the upstream README, NCC's published report PDF, zfnd.org announcements, and the ZcashFoundation/frost releases page.
🤖 Generated with Claude Code