Summary

This is our first release after our security assessment with Trail of Bits. This release include fixes and changes from the draft report that was shown to us. It includes fixes for the following issues:

• Use of unpinned third-party docker image and actions on workflows [TOB-ETHSTAKER-1] #181
• Use of GPG for release signing and verification [TOB-ETHSTAKER-2] #182
• Sensitive files are incorrectly assigned permissions and ownership [TOB-ETHSTAKER-3] #183
• Error-prone path handling [TOB-ETHSTAKER-4] #184
• Emphasize critical warning regarding clipboard clearing [TOB-ETHSTAKER-5] #185
• Terminal buffer is not cleared on iterm2 [TOB-ETHSTAKER-7] #186
• Code Quality Recommendations from ToB #187

Known Issues

There are still an issue left to resolve from the security assessment from Trail of Bits.

All changes

What's Changed

• Adding missing bls_keystore documentation by @valefar-on-discord in #180
• Switch to Python 3.13 stable by @yorickdowne in #177
• bugfix: Use all clearing methods for linux/darwin by @valefar-on-discord in #189
• Added documentation page for reporting a vulnerability by @remyroy in #197
• Remove the use of eval in build workflow by @remyroy in #194
• Pin dockerfile image with sha256 hash by @remyroy in #188
• Pin coverage python package by @remyroy in #192
• Create dependabot.yml by @remyroy in #190
• Create SECURITY.md by @remyroy in #191
• Don't return in JITOption.__init__ by @remyroy in #195
• Pin jsonlint tool by @remyroy in #196
• Pinned third party workflow actions by @remyroy in #198
• Replace the use of GPG release signatures with GitHub attestations by @remyroy in #193
• Fix the comment workflow failure by checking for the coverage job success by @remyroy in #199
• Improve build workflow and release process by @remyroy in #200
• Improved runner workflow and minor fixes for shell scripts by @remyroy in #207
• Use 400 for sensitive files permissions on creation with O_EXCL flag by @remyroy in #208
• Emphasize clipboard clearing warning by @remyroy in #213
• Use utf-8 encoding for all JSON file writing and reading by @remyroy in #209
• Use a relative path from the last occurence of the project directory name by @remyroy in #211
• Moved colorama dependency to platform dependent in requirements.txt by @remyroy in #219
• Bump pytest from 8.3.2 to 8.3.3 by @dependabot in #202
• Bump pycryptodome from 3.20.0 to 3.21.0 by @dependabot in #205
• Bump cytoolz from 0.12.3 to 1.0.0 by @dependabot in #204
• Bump mypy from 1.11.2 to 1.13.0 by @dependabot in #220
• Bump python docker image to python:3.12.7-slim-bookworm by @remyroy in #221
• Adding documentation how to create a non-32 eth deposit by @valefar-on-discord in #222
• Bump toolz from 0.12.1 to 1.0.0 by @dependabot in #223
• Bump eth-typing from 5.0.0 to 5.0.1 by @dependabot in #224
• Bump eth-utils from 5.0.0 to 5.1.0 by @dependabot in #225
• Bump coverage from 7.6.2 to 7.6.4 by @dependabot in #226
• Use a fake version value for the deposit data file to work around a Launchpad issue by @remyroy in #217

New Contributors

• @dependabot made their first contribution in #202

Full Changelog: v0.2.1...v0.4.0

Building process

Release assets were built using Github Actions and this workflow run. You can establish the provenance of this build using our artifact attestations.

With the GitHub CLI installed, a simple way to verify these assets is to run this command while replacing [filename] with the path to the downloaded asset:

gh attestation verify [filename] --repo eth-educators/ethstaker-deposit-cli

This step requires you to be online. If you want to perform this offline, follow these instructions from GitHub.

Binaries

Docker image

License

By downloading and using this software, you agree to the license.