Cover is an open internet service for canister code verification on the Internet Computer

Overview

Cover

Cover (short for Code Verification) is an open internet service that helps verify the code of canisters on the Internet Computer.

This is an alpha release so that developers can start to play around, test the general Cover architecture during the weekend, and provide feedback to us! The alpha registry shouldn't be considered dependable yet. We will follow up next week with a release that will include the permissioning rules necessary to ensure all submissions are fully trusted.

If you are a Cover developer, please read the Developer Readme.

Requirements ⚙️

  • GitHub Action
  • Canister Id

Getting started 🤔

Create Build Action

Inside your canister repo, create a directory .github/workflows/ and add a myBuild.yml file with the following content. For a full build example, see build.yml.

name: Example canister build using build.js 

on:
  push:
    branches:
      - production
      - main
jobs:
  build:
    runs-on: ubuntu-latest

    container:
      image: fleek/dfxrust

    steps:
      - uses: actions/checkout@v2

      - name: Build WASM
        run: |
          # HACK: set HOME to get github actions to execute correctly
          export HOME=/root
          export PATH="$HOME/.cargo/bin:${PATH}"
          # Start build
          yarn
          MODE=PRODUCTION dfx build cover --check

      - name: Cover Validator Plugin
        uses: Psychedelic/cover/GithubActionPlugin@main
        with:
          canister_id: "iftvq-niaaa-aaaai-qasga-cai"
          wasm_path: ".dfx/local/canisters/cover/cover.wasm"

Whenever you push your code to the production or main branches, the above workflow will be triggered. If the build successfully generates the canister.wasm, the Cover Validation Plugin will call an AWS Lambda function that adds the validation results to the Cover canister.

Build Canister

In order to get the same wasm files on GitHub Actions and locally, the build environment on GitHub Actions must be EXACTLY the same as the local one. Thus, if you want to generate a wasm file locally, you must use the same Docker image that the GitHub Actions workflow uses.

You can either provide your own Docker image (we suggest you use ubuntu:20.04 as the base) or use our fleek/dfxrust Docker image, which includes the tools needed to build Rust-based canisters. The fleek/dfxrust image is built with this Dockerfile.

Executing local build

To execute a local build using the fleek/dfxrust image, run GithubActionPlugin/dockers/docker-build.sh in your local folder to generate wasm files inside the folder ./dfx-build.

You can tweak the docker-build.sh and the entrypoint.sh scripts to your needs. Just make sure that the entrypoint.sh matches the Build WASM step in your GitHub Actions workflow.

Checking canister status

After a few minutes, you should be able to query the Cover canister. You can either call it directly:

dfx canister --network=ic call iftvq-niaaa-aaaai-qasga-cai get_verification_by_canister_id '(principal"rrkah-fqaaa-aaaaa-aaaaq-cai")'

or you can save the cover canister id in canister_ids.json:

{
  "cover": {
    "ic": "iftvq-niaaa-aaaai-qasga-cai"
  }
}

And enquire about any canister id:

dfx canister --network=ic call cover get_verification_by_canister_id '(principal"rrkah-fqaaa-aaaaa-aaaaq-cai")'

( opt record { 
  wasm_checksum = "0xecb74c834fcd93d27dd2c0e35410c3b34cf9f7c45e4721a2fbd92a7babf11eaf"; 
  updated_at = "2021-11-19T15:00:00.280+00:00"; 
  updated_by = principal "6cu3r-liw3y-hmevf-e74z4-ogury-e7ur6-xpyka-764on-gcaqs-cbjps-7qe"; 
  source_snapshot_url = "NA"; 
  canister_id = principal "rrkah-fqaaa-aaaaa-aaaaq-cai"; 
  created_at = "2021-11-19T15:00:00.280+00:00"; 
  created_by = principal "6cu3r-liw3y-hmevf-e74z4-ogury-e7ur6-xpyka-764on-gcaqs-cbjps-7qe";
  git_repo = "Psychedeleic/cover"; 
  git_ref = "refs/heads/main"; 
  git_sha = "ef9ff448ad0973a193d479e7842aa0f7e2bccfdf"; 
  build_log_url = "NA"; 
}, )

Now you can compare the returned wasm_checksum against the deployed canister Module hash. To get the canister module hash run:

dfx canister --no-wallet --network ic info iftvq-niaaa-aaaai-qasga-cai          

Controllers: ique5-maaaa-aaaai-qasfq-cai rftgd-dz3se-hrufx-kwtpc-bc5hj-ha54l-lhxnm-chz5z-5tfmq-6th4y-eqe s4jec-wiaaa-aaaah-qch4q-cai
Module hash: 0xecb74c834fcd93d27dd2c0e35410c3b34cf9f7c45e4721a2fbd92a7babf11eaf

You can see that the checksums are equal. You can also use a tool called cover-verification:

cover-verification rrkah-fqaaa-aaaaa-aaaaq-cai

Wasm checksum: 0xecb74c834fcd93d27dd2c0e35410c3b34cf9f7c45e4721a2fbd92a7babf11eaf
Module hash: 0xecb74c834fcd93d27dd2c0e35410c3b34cf9f7c45e4721a2fbd92a7babf11eaf
Status: Verified
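
The checksum comparison described above can be scripted. The following is an added example, not part of the Cover project: it parses the two outputs shown on this page (embedded as sample text, where in practice they would come from the dfx commands above) and reports Verified only when both values are well-formed SHA-256 digests and equal. All function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not Cover project code). Sample texts below are copied from
# the command outputs shown on this page, trimmed to the fields used.
COVER_RECORD='( opt record {
  wasm_checksum = "0xecb74c834fcd93d27dd2c0e35410c3b34cf9f7c45e4721a2fbd92a7babf11eaf";
  git_repo = "Psychedeleic/cover";
  git_sha = "ef9ff448ad0973a193d479e7842aa0f7e2bccfdf";
}, )'
DFX_INFO='Controllers: ique5-maaaa-aaaai-qasfq-cai s4jec-wiaaa-aaaah-qch4q-cai
Module hash: 0xecb74c834fcd93d27dd2c0e35410c3b34cf9f7c45e4721a2fbd92a7babf11eaf'

# Strip whitespace and an optional 0x prefix, lowercase, and accept only a
# 64-character hex string (a SHA-256 digest).
normalize_hash() {
  local h
  h=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
  h=${h#0x}
  case "$h" in
    ''|*[!0-9a-f]*) return 1 ;;
  esac
  [ "${#h}" -eq 64 ] || return 1
  printf '%s\n' "$h"
}

# Read a quoted text field (wasm_checksum, git_sha, ...) from the record on stdin.
record_field() {
  grep -o "$1 = \"[^\"]*\"" | head -n 1 | cut -d'"' -f2
}

# Read the "Module hash:" line from `dfx canister info` output on stdin.
module_hash() {
  sed -n 's/^Module hash:[[:space:]]*//p' | head -n 1
}

# SHA-256 of a locally built wasm file, for comparison with the same values.
wasm_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Exit 0 "Verified", 1 "Mismatch", 2 when either value is not a valid digest.
compare_hashes() {
  local a b
  a=$(normalize_hash "$1") || { echo "Malformed wasm_checksum"; return 2; }
  b=$(normalize_hash "$2") || { echo "Malformed module hash"; return 2; }
  if [ "$a" = "$b" ]; then echo "Verified"; else echo "Mismatch"; return 1; fi
}

check_samples() {
  local checksum deployed
  checksum=$(printf '%s\n' "$COVER_RECORD" | record_field wasm_checksum)
  deployed=$(printf '%s\n' "$DFX_INFO" | module_hash)
  compare_hashes "$checksum" "$deployed"
}

check_samples
```

A match shows only that the registry entry and the deployed module agree. To tie the module to git_sha yourself, rebuild that commit in the same Docker image and compare the output of wasm_sha256 on the resulting wasm with both values.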
Comments
  • feat: serverless lambda setup

    Why?

    Serverless setup for deploying cover lambdas

    How?

    • implemented consume function (example of pulling data from cover canister)
    • added createActor with plug identity import
    • added publish template, to be extended with a call to cover.add_validation call

    Tickets

    JS-Client

    Demo

    1. Create and deploy cover canister: yarn dfx:full
    2. Add 1+ requests using:
      dfx canister --network=local call cover create_request '(record {canister_id=principal"rrkah-fqaaa-aaaaa-aaaaq-cai"; build_settings=record{git_ref="git1"; git_tag="abc";}})'
    3. Set PEM env variable:
      export IDENTITY_PEM_PATH=path/plug_identity.pem
      OR
      export IDENTITY_PEM=`cat plug_identity.pem`
    4. Call the lambda locally:
      cd serverless/app
      yarn sls invoke local -f consume
      yarn sls invoke local -f publish --path src/functions/publish/mock.json
      yarn sls invoke local -f publish --path src/functions/publish/mock-error.json
    
    opened by studna 4
  • feat: Extended github store params

    Why?

    Need to store git repo and standardize git params

    How?

    • Added git_repo
    • Renamed git_checksum to git_sha

    Contribution checklist?

    • [x] The commit messages are detailed
    • [x] It does not break existing features (unless required)
    • [x] I have performed a self-review of my own code
    • [ ] Documentation has been updated to reflect the changes
    • [x] Tests have been added or updated to reflect the changes
    • [x] All code formatting pass
    • [x] All lints pass
    • [x] All tests pass
    opened by rbialek 2
  • feat: 🎸 cover owner authentication

    Why?

    Cover owner authentication

    How?

    Tickets?

    Contribution checklist?

    • [x] The commit messages are detailed
    • [x] It does not break existing features (unless required)
    • [x] I have performed a self-review of my own code
    • [x] Documentation has been updated to reflect the changes
    • [x] Tests have been added or updated to reflect the changes
    • [x] All code formatting pass
    • [x] All lints pass
    • [x] All tests pass

    Security checklist?

    • [ ] Injection has been prevented (parameterized queries, no eval or system calls)
    • [ ] The UI is escaping output (to prevent XSS)
    • [ ] Sensitive data has been identified and is being protected properly

    Demo?


    MODE: IC - Production

    MODE: Local replica

    opened by scott-dn 2
  • feat: 🎸 provider

    Why?

    Need provider management api.

    How?

    • Implement provider management api

    Tickets?

    Contribution checklist?

    • [x] The commit messages are detailed
    • [x] It does not break existing features (unless required)
    • [x] I have performed a self-review of my own code
    • [x] Documentation has been updated to reflect the changes
    • [x] Tests have been added or updated to reflect the changes
    • [x] All code formatting pass
    • [x] All lints pass
    • [x] All tests pass

    Security checklist?

    • [ ] Injection has been prevented (parameterized queries, no eval or system calls)
    • [ ] The UI is escaping output (to prevent XSS)
    • [ ] Sensitive data has been identified and is being protected properly

    Demo?

    Optionally, provide any screenshot, gif or small video.

    opened by scott-dn 2
  • feat: 🎸 verification

    Why?

    Provide verification canister information.

    How?

    • Implement Update/Get verification

    Tickets?

    Contribution checklist?

    • [x] The commit messages are detailed
    • [x] It does not break existing features (unless required)
    • [x] I have performed a self-review of my own code
    • [x] Documentation has been updated to reflect the changes
    • [x] Tests have been added or updated to reflect the changes
    • [x] All code formatting pass
    • [x] All lints pass
    • [x] All tests pass

    Security checklist?

    • [ ] Injection has been prevented (parameterized queries, no eval or system calls)
    • [ ] The UI is escaping output (to prevent XSS)
    • [ ] Sensitive data has been identified and is being protected properly

    Demo?

    Optionally, provide any screenshot, gif or small video.

    opened by scott-dn 2
  • feat: 🎸 timestamp

    Why?

    System needs audit timestamp.

    How?

    • Use ic_cdk::api::time for ic environment
    • On test environment, use chrono

    Tickets?

    Contribution checklist?

    • [x] The commit messages are detailed
    • [x] It does not break existing features (unless required)
    • [x] I have performed a self-review of my own code
    • [x] Documentation has been updated to reflect the changes
    • [x] Tests have been added or updated to reflect the changes
    • [x] All code formatting pass
    • [x] All lints pass
    • [x] All tests pass

    Security checklist?

    • [ ] Injection has been prevented (parameterized queries, no eval or system calls)
    • [ ] The UI is escaping output (to prevent XSS)
    • [ ] Sensitive data has been identified and is being protected properly

    Demo?

    Optionally, provide any screenshot, gif or small video.

    opened by scott-dn 2
  • refactor: 💡 better naming

    Why?

    Meaningful naming

    How?

    • Meaningful naming

    Tickets?

    Contribution checklist?

    • [x] The commit messages are detailed
    • [x] It does not break existing features (unless required)
    • [x] I have performed a self-review of my own code
    • [x] Documentation has been updated to reflect the changes
    • [x] Tests have been added or updated to reflect the changes
    • [x] All code formatting pass
    • [x] All lints pass
    • [x] All tests pass

    Security checklist?

    • [ ] Injection has been prevented (parameterized queries, no eval or system calls)
    • [ ] The UI is escaping output (to prevent XSS)
    • [ ] Sensitive data has been identified and is being protected properly

    Demo?

    Optionally, provide any screenshot, gif or small video.

    opened by scott-dn 2
  • feat: js client to cover

    Why?

    We need to connect from a js (lambda function) to cover.

    How?

    • Added import identity function (works only with plug identities)
    • Added serverless/poll-cover/src/consume-request

    Tickets?

    Contribution checklist?

    • [x] The commit messages are detailed
    • [x] It does not break existing features (unless required)
    • [x] I have performed a self-review of my own code
    • [ ] Documentation has been updated to reflect the changes
    • [ ] Tests have been added or updated to reflect the changes
    • [ ] All code formatting pass
    • [ ] All lints pass
    • [ ] All tests pass

    Demo?

    opened by rbialek 2
  • feat: 🎸 progress tracker

    Why?

    Progress tracker for validation progress

    How?

    • Implement progress tracker service

    Tickets?

    Contribution checklist?

    • [x] The commit messages are detailed
    • [x] It does not break existing features (unless required)
    • [x] I have performed a self-review of my own code
    • [x] Documentation has been updated to reflect the changes
    • [x] Tests have been added or updated to reflect the changes
    • [x] All code formatting pass
    • [x] All lints pass
    • [x] All tests pass

    Security checklist?

    • [ ] Injection has been prevented (parameterized queries, no eval or system calls)
    • [ ] The UI is escaping output (to prevent XSS)
    • [ ] Sensitive data has been identified and is being protected properly

    Demo?

    Optionally, provide any screenshot, gif or small video.

    opened by scott-dn 2
  • RUSTSEC-2020-0071: Potential segfault in the time crate

    Potential segfault in the time crate

    | Details             |                                                   |
    | ------------------- | ------------------------------------------------- |
    | Package             | time                                              |
    | Version             | 0.1.44                                            |
    | URL                 | https://github.com/time-rs/time/issues/293        |
    | Date                | 2020-11-18                                        |
    | Patched versions    | >=0.2.23                                          |
    | Unaffected versions | =0.2.0,=0.2.1,=0.2.2,=0.2.3,=0.2.4,=0.2.5,=0.2.6 |

    Impact

    Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

    The affected functions from time 0.2.7 through 0.2.22 are:

    • time::UtcOffset::local_offset_at
    • time::UtcOffset::try_local_offset_at
    • time::UtcOffset::current_local_offset
    • time::UtcOffset::try_current_local_offset
    • time::OffsetDateTime::now_local
    • time::OffsetDateTime::try_now_local

    The affected functions in time 0.1 (all versions) are:

    • at
    • at_utc
    • now

    Non-Unix targets (including Windows and wasm) are unaffected.

    Patches

    Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

    Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.

    Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.

    Workarounds

    No workarounds are known.

    References

    time-rs/time#293

    See advisory page for additional details.

    opened by github-actions[bot] 1
  • RUSTSEC-2020-0159: Potential segfault in `localtime_r` invocations

    Potential segfault in localtime_r invocations

    | Details | |
    | ------- | ----------------------------------------------- |
    | Package | chrono                                          |
    | Version | 0.4.19                                          |
    | URL     | https://github.com/chronotope/chrono/issues/499 |
    | Date    | 2020-11-10                                      |

    Impact

    Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

    Workarounds

    No workarounds are known.

    References

    See advisory page for additional details.

    opened by github-actions[bot] 1
Owner
Psychedelic
Decentralized product studio focused on building products on Web3, Ethereum, and the Internet Computer.