"solana program set-upgrade-authority" uses SetAuthorityChecked instruction by default #29190
Conversation
0xripleys
changed the title
| @@ -288,6 +293,13 @@ impl ProgramSubCommands for App<'_, '_> { | |||
| .conflicts_with("new_upgrade_authority") | |||
| .help("The program will not be upgradeable") | |||
| ) | |||
| .arg( | |||
There was a problem hiding this comment.
The new_upgrade_authority arg above (can't comment directly) should be updated to match how the upgrade_authority arg is defined
cli/src/program.rs
Outdated
| .arg( | ||
| Arg::with_name("no_sign_with_new_authority") | ||
| .long("no-sign-with-new-authority") | ||
| .conflicts_with("final") |
There was a problem hiding this comment.
final already conflicts with new_upgrade_authority so I think it's more clear to define this as requiring new_upgrade_authority to be present.
| .long("no-sign-with-new-authority") | ||
| .conflicts_with("final") | ||
| .takes_value(false) | ||
| .help("Set this flag if you don't want the new authority to sign the set-upgrade-authority transaction."), |
There was a problem hiding this comment.
Can you explain more that the default behavior requires the new authority to sign to prevent mistakes in setting the upgrade authority? You can also warn that by opting out of this default behavior, users must be confident that they are setting the correct authority. Furthermore, if they intentionally are setting a new authority that can never sign, they should be instructed to use final instead.
cli/src/program.rs
Outdated
| @@ -288,6 +293,13 @@ impl ProgramSubCommands for App<'_, '_> { | |||
| .conflicts_with("new_upgrade_authority") | |||
| .help("The program will not be upgradeable") | |||
| ) | |||
| .arg( | |||
| Arg::with_name("no_sign_with_new_authority") | |||
| .long("no-sign-with-new-authority") | |||
There was a problem hiding this comment.
How about skip-new-upgrade-authority-signer-check?
cli/src/program.rs
Outdated
| program_pubkey, | ||
| upgrade_authority_index: signer_info | ||
| .index_of(upgrade_authority_pubkey) | ||
| .unwrap(), |
There was a problem hiding this comment.
Can you use expect here and say "upgrade authority is missing from signers" or something to that effect? Ditto for new_upgrade_authority unwrap below
cli/src/program.rs
Outdated
| &tx, | ||
| config.commitment, | ||
| RpcSendTransactionConfig { | ||
| skip_preflight: true, |
There was a problem hiding this comment.
I see that other bpf loader transactions use true here but I don't see any reason for that. It'd be better to fail the transaction in preflight if the action isn't authorized or valid for some reason.
mergify
bot
removed
the
automerge
|
automerge label removed due to a CI failure |
|
@jstarry build failure seems unrelated to my PR? unclear. |
|
@0xripleys please merge master into your branch, the fix is in master already |
mergify
bot
dismissed
jstarry’s stale review
Pull request has been modified.
|
done |
|
automerge label removed due to a CI failure |
mergify
bot
removed
the
automerge
|
seemed like another flake to me so i just updated the branch. lmk if there's something else i should do |
|
Thanks, but most times there's no need to update the branch because most of the CI failures just require retrying an individual job. @yihau do you mind helping make sure this PR gets through CI? I don't have buildkite access at the moment |
|
sure. will keep my eyes on this 👁️ |
…uction by default (solana-labs#29190) * set-upgrade-authority uses checked instruction by default * remove print statements * PR fixes
Problem
Accompanying CLI change for #28424
(Original issue: #27932)
Summary of Changes
--no-sign-with-new-authorityAdded a basic unit test and also did some manual testing, note that the feature gate for SetAuthorityChecked doesn't seem to have been enabled yet.