Summary
Critical security fixes in this release include:
- Harden timestamp validation of EL payload
- Prevent potential panics and node halts while decoding data
Update Priority
This table provides priorities for which classes of users should update particular components.
| User Class | Priority |
|---|---|
| Payload Builders | Strongly Recommended |
| Non-Payload Builders | Strongly Recommended |
All Changes
- chore(networks): 80094 network configs (#2484)
- Fix broken CI due to using newest go version which is not supported b… (#2505)
- fix(types): avoid panic on unmarshalling of empty inputs (#162)
- fix(state-processor): stricter timestamp enforcement on execution-payload (#160)
- do not reject PRs based on missing period in a comment (#2504)
- fix(ci): Update Test Configs to work with new Geth version (#2489)
Binaries
| System | Architecture | Binary | PGP Signature |
|---|---|---|---|
| amd64 | beacond-v1.1.2-linux-amd64 | Signature | |
| arm64 | beacond-v1.1.2-linux-arm64 | Signature | |
| arm64 | beacond-v1.1.2-darwin-arm64 | Signature | |
| System | Option | - | Resource |
| Docker | berachain/beacon-kit |
Verifying signatures
Use gpg to verify the signature on these binary archives. This is important to make sure that the content you've downloaded is legitimate. gpg can be installed with most package managers. For example:
brew install gpgon macapt install gpgon Ubuntu/Debian
Once gpg is installed, import our public key into its database and verify:
- Download signing public key from here.
- Run
gpg --import berachain_release.asc - Verify with
gpg --verify {signature}.sig {binary}.tar.gz - This message is expected:
WARNING: This key is not certified with a trusted signature! - To resolve the warning, trust the key by signing with your own keypair.
gpg --lsign-key <keyid>