v3.0.0

Highlights

• Sign multiple chains from a single horcrux cluster. #122 #130 #144
• The same config.yaml file can now be used on all cosigners #147
• horcrux config migrate command to migrate config.yaml and share.json files from v2 to v3 format.
• Each chain to sign blocks for must have a respective key {chain-id}_shard.json file. This serves as a dual purpose of authorizing chain IDs for validation and which key shard to sign blocks with for that chain.

Breaking Changes

• Naming and grouping of config.yaml properties updated for clarity. (migrate to new format with horcrux config migrate)
• chain-id in the config.yaml is no-longer-needed/ignored. The chain-id that will be used for the signature is now sourced from the vote/proposal sign requests from the sentries.
• Cosigner share.json key shards, or single signer priv_validator_key.json, must now have relevant chain-id prepended to file name (now {chain-id}_shard.json or {chain-id}_priv_validator_key.json respectively). horcrux config migrate command is provided to automate this migration to the new v3 format.
• Ed25519 priv_validator_key.json key sharding must be done per chain with horcrux create-ed25519-shards <chain-id> <priv-validator-key-file> <threshold> <number of cosigners (total shards)>.
• Cosigner communication encryption keys are now a separate rsa_keys.json file per cosigner. They used to be generated in priv_validator_key.json sharding process, but now must be generated separately with horcrux create-rsa-shards <number of cosigners>. These keys were split out into a separate file per cosigner because they are one set of keys per cluster, not one set of keys per chain like the ed25519 keys.
• horcrux config init no longer takes a [chain-id] argument.
• horcrux cosigner start and horcrux signer start are now consolidated into horcrux start. The signMode in the config.yaml determines which mode will be used for signing.
• horcrux cosigner address [bech32] command is now horcrux address <chain-id> [bech32]
• horcrux state commands now require an additional chain-id argument.
• Removed the following horcrux config CLI commands: chain-id set, peers add, peers remove, peers set-shares, nodes add, nodes remove.

Updating:

Due to Cosigner GRPC interface changes, a rolling update from a prior version is not supported.

• shut down all cluster nodes and delete ~/.horcrux/raft directory
• update binary or docker image to v3.0.0
• run horcrux config migrate command to migrate key files and config to new format
• start cosigner nodes back up

Changelog

• Update metrics.md by @agouin in #117
• Add signature and timestamp to log for adjusted timestamp visibility by @chillyvee in #118
• Threshold small pr by @nitronit in #98
• Version bump for Project Management workflow by @boojamya in #123
• CLI tidy by @agouin in #132
• Fix single signer state load bug by @agouin in #131
• Update migrating.md by @Neschadin in #127
• Fix leader election flaky test by @agouin in #133
• Phase 1 of ICS by @agouin in #130
• Wait for sign state flush on stop by @agouin in #137
• Lint import aliases by @agouin in #138
• single signer multi chain by @agouin in #139
• Make threshold validator chain ID agnostic by @agouin in #140
• Interchain Security - one remote signer to rule them all by @agouin in #122
• go 1.20 by @agouin in #141
• swap tendermint with cometbft v0.37.0 by @agouin in #142
• key assignment feature by @agouin in #144
• One config file to rule them all and in cryptography bind them by @agouin in #147
• updated usage by @danbryan in #148
• tidy up usage and flags by @agouin in #149
• v3 docs updates by @agouin in #150
• grpc-multi-resolver by @agouin in #151
• v3 polish by @agouin in #153

New Contributors

• @nitronit made their first contribution in #98

Full Changelog: v2.1.1...v3.0.0

Release 3.0.0-rc4

Highlights

• Sign multiple chains from a single horcrux cluster. #122 #130 #144
• The same config.yaml file can now be used on all cosigners #147
• horcrux config migrate command to migrate config.yaml and share.json files from v2 to v3 format.
• Each chain to sign blocks for must have a respective key {chain-id}_shard.json file. This serves as a dual purpose of authorizing chain IDs for validation and which key shard to sign blocks with for that chain.

Breaking Changes

• Naming and grouping of config.yaml properties updated for clarity. (migrate to new format with horcrux config migrate)
• chain-id in the config.yaml is no-longer-needed/ignored. The chain-id that will be used for the signature is now sourced from the vote/proposal sign requests from the sentries.
• Cosigner share.json key shards, or single signer priv_validator_key.json, must now have relevant chain-id prepended to file name (now {chain-id}_shard.json or {chain-id}_priv_validator_key.json respectively). horcrux config migrate command is provided to automate this migration to the new v3 format.
• Ed25519 priv_validator_key.json key sharding must be done per chain with horcrux create-ed25519-shards <chain-id> <priv-validator-key-file> <threshold> <number of cosigners (total shards)>.
• Cosigner communication encryption keys are now a separate rsa_keys.json file per cosigner. They used to be generated in priv_validator_key.json sharding process, but now must be generated separately with horcrux create-rsa-shards <number of cosigners>. These keys were split out into a separate file per cosigner because they are one set of keys per cluster, not one set of keys per chain like the ed25519 keys.
• horcrux config init no longer takes a [chain-id] argument.
• horcrux cosigner start and horcrux signer start are now consolidated into horcrux start. The signMode in the config.yaml determines which mode will be used for signing.
• horcrux cosigner address [bech32] command is now horcrux address <chain-id> [bech32]
• horcrux state commands now require an additional chain-id argument.
• Removed the following horcrux config CLI commands: chain-id set, peers add, peers remove, peers set-shares, nodes add, nodes remove.

Updating:

Due to Cosigner GRPC interface changes, a rolling update from a prior version is not supported.

• shut down all cluster nodes and delete ~/.horcrux/raft directory
• update binary or docker image to v3.0.0-rc4
• run horcrux config migrate command to migrate key files and config to new format
• start cosigner nodes back up

Changelog

• Update metrics.md by @agouin in #117
• Add signature and timestamp to log for adjusted timestamp visibility by @chillyvee in #118
• Threshold small pr by @nitronit in #98
• Version bump for Project Management workflow by @boojamya in #123
• CLI tidy by @agouin in #132
• Fix single signer state load bug by @agouin in #131
• Update migrating.md by @Neschadin in #127
• Fix leader election flaky test by @agouin in #133
• Phase 1 of ICS by @agouin in #130
• Wait for sign state flush on stop by @agouin in #137
• Lint import aliases by @agouin in #138
• single signer multi chain by @agouin in #139
• Make threshold validator chain ID agnostic by @agouin in #140
• Interchain Security - one remote signer to rule them all by @agouin in #122
• go 1.20 by @agouin in #141
• swap tendermint with cometbft v0.37.0 by @agouin in #142
• key assignment feature by @agouin in #144
• One config file to rule them all and in cryptography bind them by @agouin in #147
• updated usage by @danbryan in #148
• tidy up usage and flags by @agouin in #149
• v3 docs updates by @agouin in #150
• grpc-multi-resolver by @agouin in #151

New Contributors

• @nitronit made their first contribution in #98

Full Changelog: v2.1.1...v3.0.0-rc4

Release 3.0.0-rc3

Highlights

• Sign multiple chains from a single horcrux cluster. #122 #130 #144
• The same config.yaml file can now be used on all cosigners #147
• horcrux config migrate command to migrate config.yaml and share.json files from v2 to v3 format.
• Each chain to sign blocks for must have a respective key {chain-id}_shard.json file. This serves as a dual purpose of authorizing chain IDs for validation and which key shard to sign blocks with for that chain.

Breaking Changes

• Naming and grouping of config.yaml properties updated for clarity. (migrate to new format with horcrux config migrate)
• chain-id in the config.yaml is no-longer-needed/ignored. The chain-id that will be used for the signature is now sourced from the vote/proposal sign requests from the sentries.
• Cosigner share.json key shards, or single signer priv_validator_key.json, must now have relevant chain-id prepended to file name (now {chain-id}_shard.json or {chain-id}_priv_validator_key.json respectively). horcrux config migrate command is provided to automate this migration to the new v3 format.
• Ed25519 priv_validator_key.json key sharding must be done per chain with horcrux create-ed25519-shards <chain-id> <priv-validator-key-file> <threshold> <number of cosigners (total shards)>.
• Cosigner communication encryption keys are now a separate rsa_keys.json file per cosigner. They used to be generated in priv_validator_key.json sharding process, but now must be generated separately with horcrux create-rsa-shards <number of cosigners>. These keys were split out into a separate file per cosigner because they are one set of keys per cluster, not one set of keys per chain like the ed25519 keys.
• horcrux config init no longer takes a [chain-id] argument.
• horcrux cosigner start and horcrux signer start are now consolidated into horcrux start. The signMode in the config.yaml determines which mode will be used for signing.
• horcrux cosigner address [bech32] command is now horcrux address <chain-id> [bech32]
• horcrux state commands now require an additional chain-id argument.
• Removed the following horcrux config CLI commands: chain-id set, peers add, peers remove, peers set-shares, nodes add, nodes remove.

Updating:

Due to Cosigner GRPC interface changes, a rolling update from a prior version is not supported.

• shut down all cluster nodes and delete ~/.horcrux/raft directory
• update binary or docker image to v3.0.0-rc3
• run horcrux config migrate command to migrate key files and config to new format
• start cosigner nodes back up

Changelog

• Update metrics.md by @agouin in #117
• Add signature and timestamp to log for adjusted timestamp visibility by @chillyvee in #118
• Threshold small pr by @nitronit in #98
• Version bump for Project Management workflow by @boojamya in #123
• CLI tidy by @agouin in #132
• Fix single signer state load bug by @agouin in #131
• Update migrating.md by @Neschadin in #127
• Fix leader election flaky test by @agouin in #133
• Phase 1 of ICS by @agouin in #130
• Wait for sign state flush on stop by @agouin in #137
• Lint import aliases by @agouin in #138
• single signer multi chain by @agouin in #139
• Make threshold validator chain ID agnostic by @agouin in #140
• Interchain Security - one remote signer to rule them all by @agouin in #122
• go 1.20 by @agouin in #141
• swap tendermint with cometbft v0.37.0 by @agouin in #142
• key assignment feature by @agouin in #144

New Contributors

• @nitronit made their first contribution in #98

Full Changelog: v2.1.1...v3.0.0-rc3

Release 3.0.0-rc2

Highlights

• Horcrux v3 introduces the ability to sign multiple chains from a single horcrux cluster using the same private key.
  chain-id in the config.yaml is now ignored. The chain ID that will be used in the signature is now sourced from the vote/proposal sign requests from the sentries.
• Each chain to sign blocks for must have a respective key {chain-id}_share.json file. This serves as a dual purpose of both authorizing chain IDs for validation and which key share to sign blocks with for that chain.

Breaking Changes

• Cosigner share.json key shards, or single signer priv_validator_key.json, must now have relevant chain-id prepended to file name (now {chain-id}_share.json or {chain-id}_priv_validator_key.json respectively). horcrux config migrate command is provided to automate this migration to the new v3 format.
• horcrux config init no longer takes a [chain-id] argument.
• horcrux state commands now require an additional [chain-id] argument.
• Removed the following horcrux config CLI commands: chain-id set, peers add, peers remove, peers set-shares, nodes add, nodes remove.

Updating:

Due to Cosigner GRPC interface changes, a rolling update from a prior version is not supported.

• shut down all cluster nodes and delete ~/.horcrux/raft directory
• update binary or docker image to v3.0.0-rc2
• run horcrux config migrate command to migrate key files and config to new format
• start nodes back up

Changelog

• Update metrics.md by @agouin in #117
• Add signature and timestamp to log for adjusted timestamp visibility by @chillyvee in #118
• Threshold small pr by @nitronit in #98
• Version bump for Project Management workflow by @boojamya in #123
• CLI tidy by @agouin in #132
• Fix single signer state load bug by @agouin in #131
• Update migrating.md by @Neschadin in #127
• Fix leader election flaky test by @agouin in #133
• Phase 1 of ICS by @agouin in #130
• Wait for sign state flush on stop by @agouin in #137
• Lint import aliases by @agouin in #138
• single signer multi chain by @agouin in #139
• Make threshold validator chain ID agnostic by @agouin in #140
• Interchain Security - one remote signer to rule them all by @agouin in #122
• go 1.20 by @agouin in #141
• swap tendermint with cometbft v0.37.0 by @agouin in #142
• key assignment feature by @agouin in #144

New Contributors

• @nitronit made their first contribution in #98

Full Changelog: v2.1.1...v3.0.0-rc2

Release 3.0.0-rc1

Highlights

Horcrux v3 introduces the ability to sign multiple chains from a single horcrux cluster using the same private key.
chain-id in the config.yaml is now ignored. The chain ID that will be used in the signature is now sourced from the vote/proposal sign requests from the sentries.

Breaking Changes

• horcrux config init no longer takes a [chain-id] argument.
• horcrux state commands now require an additional [chain-id] argument.
• Removed the following horcrux config CLI commands: chain-id set, peers add, peers remove, peers set-shares, nodes add, nodes remove.

Updating:

Due to Cosigner GRPC interface changes, a rolling update from a prior version is not supported.

• shut down all cluster nodes and delete ~/.horcrux/raft directory
• update binary or docker image to v3.0.0-rc1
• start nodes back up

Changelog

• Update metrics.md by @agouin in #117
• Add signature and timestamp to log for adjusted timestamp visibility by @chillyvee in #118
• Threshold small pr by @nitronit in #98
• Version bump for Project Management workflow by @boojamya in #123
• CLI tidy by @agouin in #132
• Fix single signer state load bug by @agouin in #131
• Update migrating.md by @Neschadin in #127
• Fix leader election flaky test by @agouin in #133
• Phase 1 of ICS by @agouin in #130
• Wait for sign state flush on stop by @agouin in #137
• Lint import aliases by @agouin in #138
• single signer multi chain by @agouin in #139
• Make threshold validator chain ID agnostic by @agouin in #140
• Interchain Security - one remote signer to rule them all by @agouin in #122
• go 1.20 by @agouin in #141

New Contributors

• @nitronit made their first contribution in #98

Full Changelog: v2.1.1...v3.0.0-rc1

Release 2.1.1

What's Changed

This is a security patch release to fix a state handling bug with single-signer mode. This does not affect MPC/Cosigner mode.
Single signer mode is now unsupported, but the issue is patched and the functionality is still available. To run in single-signer mode, run horcrux signer start --accept-risk

• CLI tidy by @agouin in #132
• Fix single signer state load bug by @agouin in #131

Full Changelog: v2.1.0...v2.1.1

Release 2.1.0

🚀🚀🚀

New since v2.0.0:

• Debug server with prometheus /metrics endpoint. #93
• Import state from tendermint priv_validator_state.json file with horcrux state import. You will be asked to paste your file contents. #92
• Raft update to v1.3.10, raft-grpc-transport update to v1.2.1, raft-boltdb update to v2.2.2 #105 #106
• Threshold parameter validation during key shard and daemon startup #112
• Logs added for participating cosigners even if they are not receiving requests directly from a sentry. #111
• Leader election IPv6 fix and test framework improvements. #107 #110

Updating:
Due to raft library updates, a rolling update from v2.0.0 is not supported.

1. shut down all cluster nodes and delete ~/.horcrux/raft directory
2. update binary or docker image to v2.1.0
3. start nodes back up

Big thank you to first time contributor @chillyvee for work on the prometheus metrics, state import command, and leader election IPv6 fix.

Release 2.1.0-rc1

🚀🚀🚀

New since v2.0.0:

• Debug server with prometheus /metrics endpoint. #93
• Import state from tendermint priv_validator_state.json file with horcrux state import. You will be asked to paste your file contents. #92
• Raft update to v1.3.10, raft-grpc-transport update to v1.2.1, raft-boltdb update to v2.2.2 #105 #106
• Threshold parameter validation during key shard and daemon startup #112
• Logs added for participating cosigners even if they are not receiving requests directly from a sentry. #111
• Leader election IPv6 fix and test framework improvements. #107 #110

Updating:
Due to raft library updates, a rolling update from v2.0.0 is not supported.

1. shut down all cluster nodes and delete ~/.horcrux/raft directory
2. update binary or docker image to v2.1.0-rc1
3. start nodes back up

Big thank you to first time contributor @chillyvee for work on the prometheus metrics, state import command, and leader election IPv6 fix.

Release 2.0.0

🚀🚀🚀

https://www.strangelove.ventures/blog/horcrux-v2

Updating

• Same procedure as v2.0.0-rc2
• Can do rotating update without any downtime if coming from >= v2.0.0-rc1
• Will need to take down cluster and bring back up together if coming from beta versions. Procedure is documented in release v2.0.0-rc1

Release 2.0.0-rc3

🚀🚀🚀

Changelog

• Removes nil vote avoidance, which was causing issues on chains using older versions of the Cosmos SDK #64

Updating

• Same procedure as v2.0.0-rc2
• Can do rotating update without any downtime if coming from >= v2.0.0-rc1
• Will need to take down cluster and bring back up together if coming from beta versions. Procedure is documented in release v2.0.0-rc1