sphinx-key: secure boot

adds two layers of signature checks
one done by sphinx-key in ota.rs via secp256k1
another done by esp-idf via espsecure.py

see docs below:
https://docs.espressif.com/projects/esptool/en/latest/esp32c3/espsecure/index.html#remote-signing-using-an-external-hsm
https://docs.espressif.com/projects/esp-idf/en/latest/esp32c3/security/secure-boot-v2.html#signed-app-verification-without-hardware-secure-boot
https://docs.rs/secp256k1/latest/secp256k1/

.gitignore

@@ -10,3 +10,8 @@ test-flash
 .env
 teststore
 teststore2
+*.pem
+*.txt
+*.bin
+*.md
+*.diff

broker/Cargo.lock

@@ -1691,7 +1691,7 @@ dependencies = [
 [[package]]
 name = "lss-connector"
 version = "0.1.0"
-source = "git+https://github.com/stakwork/sphinx-rs?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "lightning-storage-server",
@@ -2693,7 +2693,7 @@ dependencies = [
 [[package]]
 name = "rmp-utils"
 version = "0.1.0"
-source = "git+https://github.com/stakwork/sphinx-rs?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "log",
@@ -3268,7 +3268,7 @@ dependencies = [
 [[package]]
 name = "sphinx-auther"
 version = "0.1.12"
-source = "git+https://github.com/stakwork/sphinx-rs?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "base64 0.21.2",
@@ -3280,7 +3280,7 @@ dependencies = [
 [[package]]
 name = "sphinx-glyph"
 version = "0.1.2"
-source = "git+https://github.com/stakwork/sphinx-rs?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "hex",
@@ -3326,7 +3326,7 @@ dependencies = [
 [[package]]
 name = "sphinx-signer"
 version = "0.1.0"
-source = "git+https://github.com/stakwork/sphinx-rs?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "bip39",

broker/Cargo.toml

@@ -39,8 +39,8 @@ vls-proxy           = { git = "https://gitlab.com/lightning-signer/validating-li
 # vls-protocol-client = { path = "../../vls/vls-protocol-client" }
 # vls-proxy           = { path = "../../vls/vls-proxy" }
 
-lss-connector = { git = "https://github.com/stakwork/sphinx-rs", rev = "db9f902750742c1aa4dc96ebc97f7c0e69b015a5" }
+lss-connector = { git = "https://github.com/stakwork/sphinx-rs", rev = "9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e" }
-sphinx-signer = { git = "https://github.com/stakwork/sphinx-rs", rev = "db9f902750742c1aa4dc96ebc97f7c0e69b015a5" }
+sphinx-signer = { git = "https://github.com/stakwork/sphinx-rs", rev = "9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e" }
 # lss-connector = { path = "../../sphinx-rs/lss-connector" }
 # sphinx-signer = { path = "../../sphinx-rs/signer" }
 

deploy.sh

@@ -1,15 +1,3 @@
-# MODE=debug
-MODE=release
-
-BIN=sphinx-key
-
-if [[ $1 = "clear" ]]
-then
-BIN=clear
-fi
-
-echo "building and flashing $BIN"
-
 check_exists() {
     command -v "$1" > /dev/null
 }
@@ -49,42 +37,15 @@ then
     echo "Please set PASS to a password longer than 7 characters."
     exit 1
 fi
-for FILE in /dev/tty.*
+cargo espflash erase-flash
-do
-    # Check for port on macOS
-    if check_port $FILE 
-    then
-        PORT=$FILE
-        break
-    fi
-done
-if [ -z "$PORT" ]
-then
-    # Check for port on linux
-    if check_port /dev/ttyUSB0
-    then
-        PORT=/dev/ttyUSB0
-    fi
-fi
-if [ -z "$PORT" ]
-then
-    echo "ESP likely not connected! Exiting now."
-    echo "Make sure the ESP is connected with a data USB cable, and try again."
-    exit 1
-fi
-esptool.py erase_flash &&
 git pull &&
 cd factory &&
-cargo espflash flash --release --port $PORT &&
+cargo espflash flash --release &&
+cargo espflash save-image --release --chip esp32c3 factory.bin &&
+espsecure.py sign_data factory.bin --version 2 --keyfile ../secure_boot_signing_key.pem &&
+espflash write-bin 0x10000 factory.bin &&
 cd ../sphinx-key &&
-
+cargo espflash save-image --bin sphinx-key --release --chip esp32c3 sphinx-key.bin &&
-if [ $MODE = "release" ]
+espsecure.py sign_data sphinx-key.bin --version 2 --keyfile ../secure_boot_signing_key.pem &&
-then
+espflash write-bin 0x50000 sphinx-key.bin &&
-    cargo build --release --bin $BIN
+cargo espflash monitor
-else
-    cargo build --bin $BIN
-fi &&
-
-esptool.py --chip esp32-c3 elf2image target/riscv32imc-esp-espidf/$MODE/$BIN &&
-esptool.py --chip esp32c3 -b 460800 --before=default_reset --after=hard_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x50000 target/riscv32imc-esp-espidf/$MODE/$BIN.bin &&
-cargo espflash monitor --port $PORT

factory/sdkconfig.defaults

@@ -11,3 +11,6 @@ CONFIG_FATFS_LFN_STACK=y
 # Workaround for https://github.com/espressif/esp-idf/issues/7631
 #CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=n
 #CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL=n
+
+CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=n

sphinx-key/Cargo.lock

@@ -1161,7 +1161,7 @@ checksum = "b06a4cde4c0f271a446782e3eff8de789548ce57dbc8eca9292c27f4a42004b4"
 [[package]]
 name = "lss-connector"
 version = "0.1.0"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "log",
@@ -1530,7 +1530,7 @@ dependencies = [
 [[package]]
 name = "rmp-utils"
 version = "0.1.0"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "log",
@@ -1728,7 +1728,7 @@ dependencies = [
 [[package]]
 name = "sphinx-auther"
 version = "0.1.12"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "base64",
@@ -1740,7 +1740,7 @@ dependencies = [
 [[package]]
 name = "sphinx-crypter"
 version = "0.1.0"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "chacha20poly1305",
@@ -1751,7 +1751,7 @@ dependencies = [
 [[package]]
 name = "sphinx-glyph"
 version = "0.1.2"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "hex",
@@ -1783,7 +1783,7 @@ dependencies = [
 [[package]]
 name = "sphinx-signer"
 version = "0.1.0"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "bip39",

sphinx-key/Cargo.toml

@@ -21,9 +21,9 @@ serde_urlencoded = "0.7.1"
 url              = "2"
 
 # sphinx-rs
-lss-connector  = { git = "https://github.com/stakwork/sphinx-rs.git", default-features = false, rev = "db9f902750742c1aa4dc96ebc97f7c0e69b015a5" }
+lss-connector  = { git = "https://github.com/stakwork/sphinx-rs.git", default-features = false, rev = "9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e" }
-sphinx-crypter = { git = "https://github.com/stakwork/sphinx-rs.git", rev = "db9f902750742c1aa4dc96ebc97f7c0e69b015a5" }
+sphinx-crypter = { git = "https://github.com/stakwork/sphinx-rs.git", rev = "9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e" }
-sphinx-signer  = { git = "https://github.com/stakwork/sphinx-rs.git", optional = true, rev = "db9f902750742c1aa4dc96ebc97f7c0e69b015a5" }
+sphinx-signer  = { git = "https://github.com/stakwork/sphinx-rs.git", optional = true, rev = "9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e" }
 # local
 # lss-connector  = { path = "../../sphinx-rs/lss-connector", default-features = false }
 # sphinx-crypter  = { path = "../../sphinx-rs/crypter" }

sphinx-key/sdkconfig.defaults

@@ -19,6 +19,9 @@ CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT=y
 
+CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=n
+
 # All these settings below sum to a 60KB reduction in bin size
 CONFIG_MBEDTLS_HAVE_TIME=n
 CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=n

sphinx-key/src/core/events.rs

@@ -249,7 +249,7 @@ pub fn make_event_loop(
                 let mut bb = ByteBuf::new();
                 serialize_controlresponse(&mut bb, &res).expect("failed serialize_lssresponse");
                 mqtt_pub(&mut mqtt, &client_id, topics::CONTROL_RES, bb.as_slice());
-                if let ControlResponse::OtaConfirm(params) = res {
+                if let ControlResponse::OtaConfirm(ref params) = res {
                     if let Err(e) = update_sphinx_key(params) {
                         log::error!("OTA update failed {:?}", e.to_string());
                     } else {
@@ -332,7 +332,7 @@ fn handle_control_response(
                         }
                     }
                 }
-                ControlMessage::Ota(params) => {
+                ControlMessage::Ota(ref params) => {
                     if let Err(e) = validate_ota_message(params) {
                         log::error!("OTA update cannot launch {:?}", e.to_string());
                         control_res =

sphinx-key/src/ota.rs

@@ -5,14 +5,19 @@ use esp_idf_svc::http::client::FollowRedirectsPolicy::FollowNone;
 use esp_idf_svc::http::Method;
 use esp_idf_svc::ota::EspOta;
 use log::{error, info};
-use sphinx_signer::lightning_signer::bitcoin::hashes::{self, Hash};
+use sphinx_signer::lightning_signer::bitcoin::hashes::{sha256, Hash};
+use sphinx_signer::lightning_signer::bitcoin::secp256k1::{
+    schnorr::Signature, Message, PublicKey, Secp256k1,
+};
 use sphinx_signer::sphinx_glyph::control::OtaParams;
 use std::fs::{remove_file, File};
 use std::io::Write;
 use std::io::{BufReader, BufWriter};
+use std::str::FromStr;
 
 const BUFFER_LEN: usize = 1024;
 const UPDATE_BIN_PATH: &str = "/sdcard/update.bin";
+const PUBLIC: &str = "039707459d92b1809a9f6f78feebf6f518e7319b851fe474a31d64307b86aaf38a";
 
 fn factory_reset() -> Result<()> {
     let mut ota = EspOta::new()?;
@@ -27,7 +32,7 @@ fn factory_reset() -> Result<()> {
     }
 }
 
-fn get_update(params: OtaParams) -> Result<()> {
+fn get_update(params: &OtaParams) -> Result<()> {
     let configuration = Configuration {
         buffer_size: Some(BUFFER_LEN),
         buffer_size_tx: Some(BUFFER_LEN / 3),
@@ -62,22 +67,34 @@ fn get_update(params: OtaParams) -> Result<()> {
     Ok(())
 }
 
-fn check_integrity(params: OtaParams) -> Result<()> {
+fn check_signature(params: &OtaParams) -> Result<()> {
+    let msg = Message::from_hashed_data::<sha256::Hash>(params.sha256_hash.as_bytes());
+    let sig = Signature::from_str(&params.schnorr_sig).unwrap();
+    let pbk = PublicKey::from_str(PUBLIC).unwrap().x_only_public_key().0;
+    let secp = Secp256k1::verification_only();
+    secp.verify_schnorr(&sig, &msg, &pbk).unwrap();
+    Ok(())
+}
+fn check_integrity(params: &OtaParams) -> Result<()> {
     let f = File::open(UPDATE_BIN_PATH)?;
     let mut reader = BufReader::new(f);
-    let mut engine = hashes::sha256::HashEngine::default();
+    let mut engine = sha256::HashEngine::default();
     std::io::copy(&mut reader, &mut engine)?;
-    let hash = hashes::sha256::Hash::from_engine(engine);
+    let hash = sha256::Hash::from_engine(engine);
     if hash.to_string() == params.sha256_hash {
         Ok(())
     } else {
-        Err(anyhow!("Integrity check failed!"))
+        Err(anyhow!(
+            "Integrity check failed! params: {} vs sdcard: {}",
+            params.sha256_hash,
+            hash.to_string()
+        ))
     }
 }
 
-pub fn update_sphinx_key(params: OtaParams) -> Result<()> {
+pub fn update_sphinx_key(params: &OtaParams) -> Result<()> {
     info!("Getting the update...");
-    get_update(params.clone())?;
+    get_update(params)?;
     info!("Update written to sd card, checking integrity...");
     check_integrity(params)?;
     info!("Integrity check passed, performing factory reset...");
@@ -86,7 +103,10 @@ pub fn update_sphinx_key(params: OtaParams) -> Result<()> {
     Ok(())
 }
 
-pub fn validate_ota_message(params: OtaParams) -> Result<()> {
+pub fn validate_ota_message(params: &OtaParams) -> Result<()> {
+    info!("Checking signature...");
+    check_signature(params)?;
+    info!("Good signature, checking url...");
     let configuration = Configuration {
         buffer_size: Some(BUFFER_LEN / 3),
         buffer_size_tx: Some(BUFFER_LEN / 3),
@@ -120,7 +140,7 @@ pub fn validate_ota_message(params: OtaParams) -> Result<()> {
     }
 }
 
-fn params_to_url(params: OtaParams) -> String {
+fn params_to_url(params: &OtaParams) -> String {
     let mut url = params.url.clone();
     url.push_str(&params.version.to_string());
     url

sphinx-key/up.sh

@@ -1,5 +1,3 @@
-# MODE=debug
-MODE=release
 check_exists() {
     command -v "$1" > /dev/null
 }
@@ -39,35 +37,8 @@ then
     echo "Please set PASS to a password longer than 7 characters."
     exit 1
 fi
-for FILE in /dev/tty.*
+cargo build --release --bin sphinx-key &&
-do
+cargo espflash save-image --bin sphinx-key --release --chip esp32c3 sphinx-key.bin &&
-    # Check for port on macOS
+espsecure.py sign_data sphinx-key.bin --version 2 --keyfile ../secure_boot_signing_key.pem &&
-    if check_port $FILE 
+espflash write-bin 0x50000 sphinx-key.bin &&
-    then
-        PORT=$FILE
-        break
-    fi
-done
-if [ -z "$PORT" ]
-then
-    # Check for port on linux
-    if check_port /dev/ttyUSB0
-    then
-        PORT=/dev/ttyUSB0
-    fi
-fi
-if [ -z "$PORT" ]
-then
-    echo "ESP likely not connected! Exiting now."
-    echo "Make sure the ESP is connected with a data USB cable, and try again."
-    exit 1
-fi
-if [ $MODE = "release" ]
-then
-    cargo build --release --bin sphinx-key
-else
-    cargo build --bin sphinx-key
-fi &&
-esptool.py --chip esp32-c3 elf2image target/riscv32imc-esp-espidf/$MODE/sphinx-key &&
-esptool.py --chip esp32c3 -b 460800 --before=default_reset --after=hard_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x50000 target/riscv32imc-esp-espidf/$MODE/sphinx-key.bin &&
 cargo espflash monitor --port $PORT

tester/Cargo.lock

@@ -1151,7 +1151,7 @@ dependencies = [
 [[package]]
 name = "lss-connector"
 version = "0.1.0"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "log",
@@ -1702,7 +1702,7 @@ dependencies = [
 [[package]]
 name = "rmp-utils"
 version = "0.1.0"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "log",
@@ -2085,7 +2085,7 @@ dependencies = [
 [[package]]
 name = "sphinx-auther"
 version = "0.1.12"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "base64 0.21.2",
@@ -2097,7 +2097,7 @@ dependencies = [
 [[package]]
 name = "sphinx-crypter"
 version = "0.1.0"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "chacha20poly1305",
@@ -2108,7 +2108,7 @@ dependencies = [
 [[package]]
 name = "sphinx-glyph"
 version = "0.1.2"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "hex",
@@ -2147,7 +2147,7 @@ dependencies = [
 [[package]]
 name = "sphinx-signer"
 version = "0.1.0"
-source = "git+https://github.com/stakwork/sphinx-rs.git?rev=db9f902750742c1aa4dc96ebc97f7c0e69b015a5#db9f902750742c1aa4dc96ebc97f7c0e69b015a5"
+source = "git+https://github.com/stakwork/sphinx-rs.git?rev=9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e#9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e"
 dependencies = [
  "anyhow",
  "bip39",

tester/Cargo.toml

@@ -24,8 +24,8 @@ serde_json        = "1.0"
 tokio             = { version = "1.4.0", features = ["rt", "rt-multi-thread", "macros"] }
 urlencoding       = "2.1.0"
 
-sphinx-crypter = { git = "https://github.com/stakwork/sphinx-rs.git", rev = "db9f902750742c1aa4dc96ebc97f7c0e69b015a5" }
+sphinx-crypter = { git = "https://github.com/stakwork/sphinx-rs.git", rev = "9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e" }
-sphinx-signer = { git = "https://github.com/stakwork/sphinx-rs.git", rev = "db9f902750742c1aa4dc96ebc97f7c0e69b015a5" }
+sphinx-signer = { git = "https://github.com/stakwork/sphinx-rs.git", rev = "9dd17b98fbe6ce1e60969ef8ba32bb2313d55e1e" }
 # sphinx-crypter = { path = "../../sphinx-rs/crypter" }
 # sphinx-signer = { path = "../../sphinx-rs/signer" }
 

tester/cmd.json

@@ -2,6 +2,7 @@
   "Ota": {
     "url": "https://jolliness.ddns.net/sphinx-update-",
     "version": 0,
-    "sha256_hash": "f3da0b52a0d6b3de68c042ab8209179766021c7420fe631e5e487ebedfd9a10b"
+    "sha256_hash": "204534038f2aa84cb8fa435dd9d762309d33a9129eaacfb3986df144bf8008a7",
+    "schnorr_sig": "ff34c0a598329468f74a21704221b49fe6aacfd32f9090ba02252cb0f64058b12d619c5c6cd172087ae679d1d7402d3b77d53f4de889047597737fd425f63a34"
   }
 }

tester/ota_cmd.json

@@ -2,6 +2,7 @@
   "Ota": {
     "url": "https://jolliness.ddns.net/sphinx-update-",
     "version": 0,
-    "sha256_hash": "f3da0b52a0d6b3de68c042ab8209179766021c7420fe631e5e487ebedfd9a10b"
+    "sha256_hash": "bbd3e4a74564278bad1b9248799749ce64620dea34c3a5ca31fb3a8879f63aec",
+    "schnorr_sig": "2949f14399ddab8a59ddea33cc3e04079298fb9ffb5bb826537ed2a10fce4917f4e70e739bf8da6ecf29a5ed9221eb855828306b3918790838173fd9110658ea"
   }
 }

tester/src/ctrl.rs

@@ -20,6 +20,7 @@ async fn main() -> anyhow::Result<()> {
     let nonce: u64 = nonce_string.parse::<u64>().expect("failed to parse nonce");
 
     let broker_url: String = env::var("BROKER_URL").unwrap_or(DEFAULT_URL.to_string());
+    println!("{}", broker_url);
 
     let seed_string: String = env::var("SEED").expect("no seed");
     let seed = hex::decode(seed_string).expect("yo");
@@ -37,7 +38,7 @@ async fn main() -> anyhow::Result<()> {
         .expect("couldnt build reqwest client");
 
     let res = client
-        .post(format!("{}/control?msg={}&cid={}", broker_url, msg_hex, "2a79fae7f7c5349621242192f8a4a11d"))
+        .post(format!("{}/control?msg={}&cid={}", broker_url, msg_hex, "df106bf2092378bba4f49058cdbec2bf"))
         .header("Content-Type", "application/json")
         .send()
         .await?;