RFC: Add --sign-only flag to solana program deploy

[qpwo]

Problem

The update authority for a contract is one of the most important secret values in any solana project. To deploy or update a contract, the authority key currently has to be stored on an internet-connected computer during deployment.

If a malicious actor ever gets access to a contract's update authority then they can update the contract to e.g. transfer all assets out to the hacker's wallet.

Proposed Solution

Add a --sign-only and a --signers argument to solana program deploy so that contract authorities can be kept on offline cold laptops. (Similar to e.g. spl-token mint.)

See also

• Description of what's currently involved for an offline authority: https://stackoverflow.com/a/71651698
• List of commands supporting offline signing: https://docs.solana.com/offline-signing#commands-supporting-offline-signing

[giogam]

I'd like to work on that, I'm relatively new to the project so I might need some guidance but I'm up for the challenge!

[pakkeiC]

Hello, this is Jayden. I would like to work on that too. I am pretty new to the project so I would need some guidance on the task.

@qpwo I guess the starting point will be here to add the flag
https://github.com/solana-labs/solana/blob/master/cli/src/cli.rs#L161

[qpwo]

Hope you can get it but i think it's going to very tricky because when i deploy rn it takes like four minutes and seems to go back and forth with the computer a few times (maybe multiple sigs?) but i can't really tell

[norwnd]

Hi @joncinque, I'd like to implement this feature (if it's still desirable),

I've noticed there is also program-v4 being currently developed (but is barely mentioned in the docs, as of now), so should I implement offline signing for program, program-v4, or both ? For program-v4 looks like write-buffer and set-buffer-authority sub-commands are missing though, probably need to add these (or equivalent) first.

cc @pgarg66 JFYI

Update: I've been thinking about it some more ... and starting to doubt the usefulness of this feature (especially for large programs) given blockhash expires pretty rapidly, WDYT ? Never mind, looks like it's just 1 final transaction that needs to be "signed offline" (and broadcasted later) - because program data is uploaded into buffer ahead of time - so, overall sounds reasonable.

[joncinque]

Hi there, it's definitely still desirable! To answer your questions:

should I implement offline signing for program, program-v4, or both?

I'd say start with program and program-v4 can come later

Never mind, looks like it's just 1 final transaction that needs to be "signed offline" (and broadcasted later)

That's exactly it

[norwnd]

Hi @joncinque I've got a mostly working PR (for creating/upgrading program, while signing offline) - #33860 - things that are left to do are:

• need to add constraints binding different params user can input (because otherwise he might encounter random errors/panics if some params but not others are specified)
• looks like there is related functionality (such as "making program final", "setting upgrade authority", etc) that needs to be compatible with offline signing, I currently left it out, but can easily add it on top of what I have
• I probably need to add some auto-tests (just discovered solana/cli/tests/program.rs dedicated to testing), tested manually so far

PR is in Draft because of it, but is ready for initial review otherwise.