Backport pallet-identity double encoding on signature payload fix into crates io release 1.7.0
#4702
Conversation
In order to receive a username in `pallet-identity`, users have to, among other things, provide a signature of the desired username. Right now, there is an [extra encoding step](https://github.com/paritytech/polkadot-sdk/blob/4ab078d6754147ce731523292dd1882f8a7b5775/substrate/frame/identity/src/lib.rs#L1119) when generating the payload to sign. Encoding a `Vec` adds extra bytes related to the length, which changes the payload. This is unnecessary and confusing as users expect the payload to sign to be just the username bytes. This PR fixes this issue by validating the signature directly against the username bytes. --------- Signed-off-by: georgepisaltu <george.pisaltu@parity.io>
|
This change is marked as major so is not suitable for backport. The existing release branches should stay stable and have no breaking changes. |
|
Ok, closing the PR then |
|
@Morganamilo we have had some other "major" backports, even that changed the |
There was a problem hiding this comment.
In this case we can keep everything sane by yanking the previous version of pallet-identity and releasing this new "patched" one.
The major breaking change here will not break compilation (API is unchanged); the interpretation of one of the parameters does indeed change, so it is only breaking for actual users of it - which there are none yet since this hasn't been deployed anywhere yet.
Patching the fix here allows us to use the right behavior on the first deployment.
substrate/frame/identity/Cargo.toml
Outdated
| @@ -1,6 +1,6 @@ | |||
| [package] | |||
| name = "pallet-identity" | |||
| version = "29.0.1" | |||
| version = "30.0.0" | |||
There was a problem hiding this comment.
30.0.0 is already released (guessing with sdk v1.8.0)
| version = "30.0.0" | |
| version = "29.0.2" |
There was a problem hiding this comment.
Looks like latest on crates.io is v34.0.0, so there's some versions in between. Anyway, updated it to v29.0.2.
There was a problem hiding this comment.
Release tooling handles versioning. There's no need to change the crate or dep versions.
Signed-off-by: georgepisaltu <george.pisaltu@parity.io>
Signed-off-by: georgepisaltu <george.pisaltu@parity.io>
Signed-off-by: georgepisaltu <george.pisaltu@parity.io>
|
The CI pipeline was cancelled due to failure one of the required jobs. |
If this crate is considered unreleased then in this case it's fine. But I don't know what you mean by it hasn't been deployed yet. |
Technically it is deployed on Kusama People chain, but there is no way to use the broken functionality because there are no registered username authorities. It is unreleased on Polkadot People chain, which is good because we have a chance to fix it. I think yanking the current version makes sense and we can just release this "patch" version on top of the yanked one, and do the same for the remaining release branches. |
Backport for #4646