Summary
This release upgrades to a new version of CometBFT that includes a critical bug fix. The fix resolves a remote denial-of-service (DoS) bug in which anyone can crash any node by sending a well-crafted packet to the P2P port (26656).
Update Priority
This table provides priorities for which classes of users should update particular components.
| User Class | Priority |
|---|---|
| Payload Builders | Urgent |
| Non-Payload Builders | Urgent |
All Changes
- fix(cometbft): use AddCommit that doesn't panic on failed verification of commit (#3074)
- fix(payload): enforce the fork version of cached verified payload is consistent (#3073)
- chore: upgrade go version and add deps badge to toplevel readme (#3072)
- fix(deps): upgrade grpc to address failing vulncheck linter (#3070)
- refactor(e2e): deprecate geth nodes from kurtosis and use gethlib eth client (#3061)
- chore(kurtosis): avoid sporadic hangs on devnet launch (#3053)
- chore: vuln-and-dep-check.yml read go version from go.mod (#3057)
Binaries
| System | Architecture | Binary | PGP Signature |
|---|---|---|---|
| Linux | amd64 | beacond-v1.3.8-linux-amd64 | Signature |
| Linux | arm64 | beacond-v1.3.8-linux-arm64 | Signature |
| macOS | arm64 | beacond-v1.3.8-darwin-arm64 | Signature |

| Option | Resource |
|---|---|
| Docker | berachain/beacon-kit |
Verifying signatures
Use gpg to verify the signature on these binary archives. This is important to make sure that the content you've downloaded is legitimate. gpg can be installed with most package managers. For example:
- `brew install gpg` on Mac
- `apt install gpg` on Ubuntu/Debian
Once gpg is installed, import our public key into its database and verify:
- Download signing public key from here.
- Run `gpg --import berachain_release.asc`
- Verify with `gpg --verify {signature}.sig {binary}.tar.gz`
- This message is expected: `WARNING: This key is not certified with a trusted signature!`
- To resolve the warning, trust the key by signing with your own keypair: `gpg --lsign-key <keyid>`
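The steps above can be scripted so that verification fails closed. The following is an added example, not Berachain's own tooling: it imports the key into a throwaway keyring and accepts the archive only if gpg reports a valid signature from a pinned fingerprint. The function names are hypothetical, and the expected fingerprint is an assumption: this page does not list it, so obtain it from a channel you trust and pass it in.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Pins the signer's primary key
# fingerprint instead of accepting a signature from any imported key.

# Reads `gpg --status-fd` lines on stdin. Succeeds only if gpg reported a
# valid signature whose primary key fingerprint equals $1.
status_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;   # bad, unverifiable, expired-key or revoked-key signature
            "[GNUPG:] VALIDSIG "*)
                # The last field of VALIDSIG is the primary key fingerprint.
                fpr=${line##* }
                if [ "$fpr" = "$want" ]; then good=1; fi ;;
        esac
    done
    [ "$good" -eq 1 ]
}

# Usage: verify_release <pubkey.asc> <expected-fingerprint> <file.sig> <file.tar.gz>
verify_release() {
    home=$(mktemp -d) || return 1
    # Throwaway keyring: only the key imported here can validate the archive.
    GNUPGHOME="$home" gpg --batch --quiet --import "$1" 2>/dev/null \
        || { rm -rf "$home"; return 1; }
    GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$3" "$4" 2>/dev/null \
        | status_ok "$2"
    rc=$?
    rm -rf "$home"
    return "$rc"
}
```

Because the fingerprint is compared directly, the "not certified with a trusted signature" warning no longer decides the outcome; a signature from any other key is rejected even if that key was imported.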