Merge tag 'v0.45.15' into julien/v0.45.15-ics

Release v0.45.15

.github/workflows/sims.yml

@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Display go version
         run: go version
       - run: make build
@@ -26,7 +26,7 @@ jobs:
     steps:
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Display go version
         run: go version
       - name: Install runsim
@@ -43,7 +43,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Display go version
         run: go version
       - uses: technote-space/get-diff-action@v4
@@ -69,7 +69,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Display go version
         run: go version
       - uses: technote-space/get-diff-action@v4
@@ -97,7 +97,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Display go version
         run: go version
       - uses: technote-space/get-diff-action@v4
@@ -125,7 +125,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Display go version
         run: go version
       - uses: technote-space/get-diff-action@v4

.github/workflows/tag.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Install Go
         uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Unshallow
         run: git fetch --prune --unshallow
       - name: Create release

.github/workflows/test.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Display go version
         run: go version
       - name: install tparse
@@ -32,7 +32,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - uses: technote-space/get-diff-action@v4
         id: git_diff
         with:
@@ -49,7 +49,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Display go version
         run: go version
       - uses: technote-space/get-diff-action@v4
@@ -102,7 +102,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - uses: technote-space/get-diff-action@v4
         with:
           PATTERNS: |
@@ -180,7 +180,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - uses: technote-space/get-diff-action@v4
         with:
           PATTERNS: |
@@ -224,7 +224,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/[email protected]
         with:
-          go-version: 1.18
+          go-version: 1.19
       - uses: technote-space/get-diff-action@v4
         id: git_diff
         with:

CHANGELOG.md

@@ -37,6 +37,14 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ## [Unreleased]
 
+## [v0.45.15](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.15) - 2023-03-22
+
+## Improvements
+
+* (deps) Migrate to [CometBFT](https://github.com/cometbft/cometbft). Follow the instructions in the [release notes](./RELEASE_NOTES.md).
+* (deps) [#15127](https://github.com/cosmos/cosmos-sdk/pull/15127) Bump btcd.
+* (store) [#14410](https://github.com/cosmos/cosmos-sdk/pull/14410) `rootmulti.Store.loadVersion` has validation to check if all the module stores' height is correct, it will error if any module store has incorrect height.
+
 ## [v0.45.14](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.14) - 2023-02-16
 
 ### Features

Makefile

@@ -400,7 +400,7 @@ proto-check-breaking:
 	@$(DOCKER_BUF) breaking --against $(HTTPS_GIT)#branch=master
 
 
-TM_URL              = https://raw.githubusercontent.com/tendermint/tendermint/v0.34.22/proto/tendermint
+TM_URL              = https://raw.githubusercontent.com/cometbft/cometbft/v0.34.27/proto/tendermint
 GOGO_PROTO_URL      = https://raw.githubusercontent.com/regen-network/protobuf/cosmos
 COSMOS_PROTO_URL    = https://raw.githubusercontent.com/regen-network/cosmos-proto/master
 CONFIO_URL          = https://raw.githubusercontent.com/confio/ics23/v0.6.3

README.md

@@ -45,7 +45,7 @@ The Cosmos SDK is a framework for building blockchain applications. [Tendermint
 **WARNING**: The Cosmos SDK has mostly stabilized, but we are still making some
 breaking changes.
 
-**Note**: Requires [Go 1.18+](https://golang.org/dl/)
+**Note**: Requires [Go 1.19+](https://golang.org/dl/)
 
 ## Quick Start
 

RELEASE_NOTES.md

@@ -1,14 +1,47 @@
-# Cosmos SDK v0.45.14 Release Notes
+# Cosmos SDK v0.45.15 Release Notes
 
-This release fixes a possible way to DoS a node.
-
-**NOTE**: Add or update the following replace in the `go.mod` of your application:
+This release includes the migration to [CometBFT v0.34.27](https://github.com/cometbft/cometbft/blob/v0.34.27/CHANGELOG.md#v03427).
+This migration should be minimally breaking for chains.
+From `v0.45.15`+, the following replace is *mandatory* in the `go.mod` of your application:
 
 ```go
-// use informal system fork of tendermint
-replace github.com/tendermint/tendermint => github.com/informalsystems/tendermint v0.34.26
+// use cometbft
+replace github.com/tendermint/tendermint => github.com/cometbft/cometbft v0.34.27
 ```
 
+Additionally, the SDK sets its minimum version to Go 1.19. This is not because the SDK uses new Go 1.19 functionalities, but to signal that we recommend chains to upgrade to Go 1.19 — Go 1.18 is not supported by the Go Team anymore.
+Note, that SDK recommends chains to use the same Go version across all of their network.
+We recommend, as well, chains to perform a **coordinated upgrade** when migrating from Go 1.18 to Go 1.19.
+
 Please see the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/release/v0.45.x/CHANGELOG.md) for an exhaustive list of changes.
 
-**Full Commit History**: https://github.com/cosmos/cosmos-sdk/compare/v0.45.13...v0.45.14
+**Full Commit History**: https://github.com/cosmos/cosmos-sdk/compare/v0.45.14...v0.45.15
+
+## End-of-Life Notice
+
+`v0.45.15` is the last release of the `v0.45.x` line. Per this version, the v0.45.x line reached its end-of-life.
+The SDK team maintains the two latest major versions of the SDK. This means no features, improvements or bug fixes will be backported to the `v0.45.x` line. Per our policy, the `v0.45.x` line will receive security patches only.
+
+We encourage all chains to upgrade to the latest release of the SDK, or the `v0.46.x` line.
+
+Refer to the [upgrading guide](https://github.com/cosmos/cosmos-sdk/blob/main/UPGRADING.md) for how to upgrade a chain to the latest release.
+
+## FAQ Migration to CometBFT v0.34.27
+
+### I use `tm-db` but I get an import error with `cometbft-db`
+
+For preventing API breaking changes, the SDK team has kept using `tm-db` for `v0.45.x` and `v0.46.x`.
+However, the CometBFT team kept using `cometbft-db` for their `v0.34.x` line.
+This means if your app directly interact with CometBFT (e.g. for a force pruning command), you will need to use `cometbft-db` there.
+When not interacting with CometBFT directly, you can use `tm-db` as usual.
+
+### I get import errors with `btcd`
+
+If you are using an old version of `btcd`, you will need to upgrade to the latest version.
+The previous versions had vulnerabilities so the SDK and CometBFT have upgraded to the latest version.
+In the latest version `btcsuite/btcd` and `btcsuite/btcd/btcec` are two separate go modules.
+
+### I encounter state sync issues
+
+Please ensure you have built the binary with the same Go version as the network.
+You can easily verify that by querying `/cosmos/base/tendermint/v1beta1/node_info` of a node in the network, and checking the `go_version` field.

contrib/images/simd-dlv/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.18-alpine AS build
+FROM golang:1.19-alpine AS build
 RUN apk add build-base git linux-headers libc-dev
 RUN go install github.com/go-delve/delve/cmd/dlv@latest
 WORKDIR /work

contrib/images/simd-env/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.18-alpine AS build
+FROM golang:1.19-alpine AS build
 RUN apk add build-base git linux-headers
 WORKDIR /work
 COPY go.mod go.sum /work/

contrib/rosetta/node/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.18-alpine as build
+FROM golang:1.19-alpine as build
 
 RUN apk add --no-cache tar
 

contrib/rosetta/rosetta-cli/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.18-alpine as build
+FROM golang:1.19-alpine as build
 
 RUN apk add git gcc libc-dev --no-cache
 

crypto/hd/hdpath.go

@@ -10,7 +10,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/btcsuite/btcd/btcec"
+	"github.com/btcsuite/btcd/btcec/v2"
 )
 
 // BIP44Params wraps BIP 44 params (5 level BIP 32 path).
@@ -237,7 +237,7 @@ func derivePrivateKey(privKeyBytes [32]byte, chainCode [32]byte, index uint32, h
 		data = append([]byte{byte(0)}, privKeyBytes[:]...)
 	} else {
 		// this can't return an error:
-		_, ecPub := btcec.PrivKeyFromBytes(btcec.S256(), privKeyBytes[:])
+		_, ecPub := btcec.PrivKeyFromBytes(privKeyBytes[:])
 		pubkeyBytes := ecPub.SerializeCompressed()
 		data = pubkeyBytes
 

crypto/keys/secp256k1/secp256k1.go

@@ -8,7 +8,7 @@ import (
 	"io"
 	"math/big"
 
-	secp256k1 "github.com/btcsuite/btcd/btcec"
+	secp256k1 "github.com/btcsuite/btcd/btcec/v2"
 	"github.com/tendermint/tendermint/crypto"
 	"golang.org/x/crypto/ripemd160" //nolint: staticcheck // necessary for Bitcoin address format
 
@@ -37,7 +37,7 @@ func (privKey *PrivKey) Bytes() []byte {
 // PubKey performs the point-scalar multiplication from the privKey on the
 // generator point to get the pubkey.
 func (privKey *PrivKey) PubKey() cryptotypes.PubKey {
-	_, pubkeyObject := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey.Key)
+	_, pubkeyObject := secp256k1.PrivKeyFromBytes(privKey.Key)
 	pk := pubkeyObject.SerializeCompressed()
 	return &PubKey{Key: pk}
 }

crypto/keys/secp256k1/secp256k1_internal_test.go

@@ -5,7 +5,7 @@ import (
 	"math/big"
 	"testing"
 
-	btcSecp256k1 "github.com/btcsuite/btcd/btcec"
+	btcSecp256k1 "github.com/btcsuite/btcd/btcec/v2"
 	"github.com/stretchr/testify/require"
 )
 

crypto/keys/secp256k1/secp256k1_nocgo.go

@@ -4,29 +4,22 @@
 package secp256k1
 
 import (
-	"math/big"
-
-	secp256k1 "github.com/btcsuite/btcd/btcec"
+	secp256k1 "github.com/btcsuite/btcd/btcec/v2"
+	"github.com/btcsuite/btcd/btcec/v2/ecdsa"
 
 	"github.com/tendermint/tendermint/crypto"
 )
 
-// used to reject malleable signatures
-// see:
-//   - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93
-//   - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/crypto.go#L39
-var secp256k1halfN = new(big.Int).Rsh(secp256k1.S256().N, 1)
-
 // Sign creates an ECDSA signature on curve Secp256k1, using SHA256 on the msg.
 // The returned signature will be of the form R || S (in lower-S form).
 func (privKey *PrivKey) Sign(msg []byte) ([]byte, error) {
-	priv, _ := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey.Key)
-	sig, err := priv.Sign(crypto.Sha256(msg))
+	priv, _ := secp256k1.PrivKeyFromBytes(privKey.Key)
+	sig, err := ecdsa.SignCompact(priv, crypto.Sha256(msg), false)
 	if err != nil {
 		return nil, err
 	}
-	sigBytes := serializeSig(sig)
-	return sigBytes, nil
+	// remove the first byte which is compactSigRecoveryCode
+	return sig[1:], nil
 }
 
 // VerifyBytes verifies a signature of the form R || S.
@@ -35,37 +28,32 @@ func (pubKey *PubKey) VerifySignature(msg []byte, sigStr []byte) bool {
 	if len(sigStr) != 64 {
 		return false
 	}
-	pub, err := secp256k1.ParsePubKey(pubKey.Key, secp256k1.S256())
+	pub, err := secp256k1.ParsePubKey(pubKey.Key)
 	if err != nil {
 		return false
 	}
 	// parse the signature:
 	signature := signatureFromBytes(sigStr)
 	// Reject malleable signatures. libsecp256k1 does this check but btcec doesn't.
 	// see: https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93
-	if signature.S.Cmp(secp256k1halfN) > 0 {
+	// Serialize() would negate S value if it is over half order.
+	// Hence, if the signature is different after Serialize() if should be rejected.
+	modifiedSignature, parseErr := ecdsa.ParseDERSignature(signature.Serialize())
+	if parseErr != nil {
+		return false
+	}
+	if !signature.IsEqual(modifiedSignature) {
 		return false
 	}
 	return signature.Verify(crypto.Sha256(msg), pub)
 }
 
 // Read Signature struct from R || S. Caller needs to ensure
 // that len(sigStr) == 64.
-func signatureFromBytes(sigStr []byte) *secp256k1.Signature {
-	return &secp256k1.Signature{
-		R: new(big.Int).SetBytes(sigStr[:32]),
-		S: new(big.Int).SetBytes(sigStr[32:64]),
-	}
-}
-
-// Serialize signature to R || S.
-// R, S are padded to 32 bytes respectively.
-func serializeSig(sig *secp256k1.Signature) []byte {
-	rBytes := sig.R.Bytes()
-	sBytes := sig.S.Bytes()
-	sigBytes := make([]byte, 64)
-	// 0 pad the byte arrays from the left if they aren't big enough.
-	copy(sigBytes[32-len(rBytes):32], rBytes)
-	copy(sigBytes[64-len(sBytes):64], sBytes)
-	return sigBytes
+func signatureFromBytes(sigStr []byte) *ecdsa.Signature {
+	var r secp256k1.ModNScalar
+	r.SetByteSlice(sigStr[:32])
+	var s secp256k1.ModNScalar
+	s.SetByteSlice(sigStr[32:64])
+	return ecdsa.NewSignature(&r, &s)
 }