Summary
This release upgrades to a new version of CometBFT which includes a critical bug fix. This fix solves the case where a remote peer can deadlock blocksync by poisoning maxPeerHeight with a value no peer can serve.
Update Priority
This table provides priorities for which classes of users should update particular components.
| User Class | Priority |
|---|---|
| Payload Builders | High |
| Non-Payload Builders | High |
All Changes
- chore(cometbft): bump to include maxPeerHeight poisoning fix (#3088)
- chore(cometbft): bump to cometbft version with overflow bug fix (#3085)
- chore(ci): add nightly build for preconf-dev branch (#3076)
- fix(ci): use go
runinstead ofinstallfor vulncheck (#3079)
Binaries
| System | Architecture | Binary | PGP Signature |
|---|---|---|---|
| amd64 | beacond-v1.3.9-linux-amd64 | Signature | |
| arm64 | beacond-v1.3.9-linux-arm64 | Signature | |
| arm64 | beacond-v1.3.9-darwin-arm64 | Signature | |
| System | Option | - | Resource |
| Docker | berachain/beacon-kit |
Verifying signatures
Use gpg to verify the signature on these binary archives. This is important to make sure that the content you've downloaded is legitimate. gpg can be installed with most package managers. For example:
brew install gpgon macapt install gpgon Ubuntu/Debian
Once gpg is installed, import our public key into its database and verify:
- Download signing public key from here.
- Run
gpg --import berachain_release.asc - Verify with
gpg --verify {signature}.sig {binary}.tar.gz - This message is expected:
WARNING: This key is not certified with a trusted signature! - To resolve the warning, trust the key by signing with your own keypair.
gpg --lsign-key <keyid>