UltrafastSecp256k1/Dockerfile
shrec c6e5c1454b
security: erase secret nonces in CT sign/MuSig2/FROST + workdoc tasks B-F
SECURITY FIXES (critical):
- ct_sign.cpp: erase k, k_inv, z, s in ecdsa_sign and ecdsa_sign_hedged
  (nonce leak = full private key recovery via k = (s*k_inv)^-1 * (z+r*d))
- musig2.cpp: erase k (effective nonce) and d (adjusted key) in partial_sign
- frost.cpp: erase polynomial coefficients in keygen_begin, erase d/ei/s_i
  in frost_sign (previously had ZERO secure_erase calls)

CI/WORKFLOWS:
- clang-tidy.yml, cppcheck.yml: remove path filters for reliable required checks
- ct-verif.yml: add dev to PR branches trigger

TESTS:
- test_adversarial_protocol.cpp: add A.8 MuSig2 abort/restart, B.6 FROST
  participant identity mismatch (195 tests, 0 failures)
- ci-evidence/: fuzz + adversarial execution proofs

NAMING FIX:
- Replace stale bench_comprehensive with bench_unified in 6 files:
  Dockerfile, local-ci.sh, PORTING.md, issue template, AUDIT_COVERAGE.md,
  unified_audit_runner.cpp (bench_comprehensive CMake target removed)

DOCS (8 new, 1 updated):
- BACKEND_PARITY.md: GPU operation parity matrix (CPU/CUDA/OpenCL/Metal)
- FEATURE_MATURITY.md: per-feature maturity classification
- PARSER_BOUNDARY_AUDIT.md: all C ABI parser entry points mapped
- FFI_HOSTILE_CALLER.md: 20 hostile-caller attack vectors documented
- SECRET_LIFECYCLE.md: secret material lifecycle and zeroization map
- CI_ENFORCEMENT.md: workflow enforcement levels and fail policy
- BENCHMARK_POLICY.md: canonical benchmark tool and regression policy
- local_ci_failure_playbook.md: diagnosis playbook for local CI failures
- FEATURE_ASSURANCE_LEDGER.md: fix 7 stale GPU matrix entries
2026-03-15 09:17:46 +00:00
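
The zeroization pattern the commit message describes for the signing paths, as an added C++ example that is not the project's code. `wipe_bytes`, `WipeOnExit` and `toy_sign` are hypothetical names, and the XOR arithmetic is a stand-in for real signing; the point is that a scope guard wipes the nonce on the early-return path as well as the normal one.

```cpp
// Added example: hypothetical names, not the project's API.
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

using Scalar = std::array<std::uint8_t, 32>;

// Writes through a volatile pointer are the common way to keep the
// optimizer from discarding the wipe as a dead store.
inline void wipe_bytes(void* p, std::size_t n) noexcept {
    volatile std::uint8_t* v = static_cast<volatile std::uint8_t*>(p);
    for (std::size_t i = 0; i < n; ++i) v[i] = 0;
}

// RAII guard: the destructor wipes the scalar on every exit path.
class WipeOnExit {
public:
    explicit WipeOnExit(Scalar& s) noexcept : s_(s) {}
    ~WipeOnExit() { wipe_bytes(s_.data(), s_.size()); }
    WipeOnExit(const WipeOnExit&) = delete;
    WipeOnExit& operator=(const WipeOnExit&) = delete;
private:
    Scalar& s_;
};

inline bool all_zero(const Scalar& s) {
    return std::all_of(s.begin(), s.end(), [](std::uint8_t b) { return b == 0; });
}

// Stand-in for a signing routine (XOR, not real ECDSA). k_scratch is
// caller-owned only so the wipe can be observed after the call returns.
bool toy_sign(const Scalar& msg, Scalar& k_scratch, Scalar& sig_out) {
    WipeOnExit guard(k_scratch);
    for (std::size_t i = 0; i < msg.size(); ++i)
        k_scratch[i] = static_cast<std::uint8_t>(msg[i] ^ 0xA5);  // constructed "nonce"
    if (all_zero(msg)) return false;  // early exit: a trailing manual wipe would be skipped
    for (std::size_t i = 0; i < msg.size(); ++i)
        sig_out[i] = static_cast<std::uint8_t>(k_scratch[i] ^ 0x3C);
    return true;
}

int main() {
    Scalar msg{}, k{}, sig{};
    msg[0] = 1;  // constructed input
    bool ok = toy_sign(msg, k, sig);
    std::printf("ok=%d nonce_wiped=%d\n", ok, all_zero(k));
    return 0;
}
```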


# ===========================================================================
# UltrafastSecp256k1 — Reproducible build + test container
# ===========================================================================
# Build: docker build -t ultrafastsecp256k1 .
# Test:  run by ctest in the builder stage during docker build
# Bench: docker run --rm ultrafastsecp256k1   (ENTRYPOINT runs bench_unified --quick)
# ===========================================================================
FROM ubuntu:24.04@sha256:d1e2e92c075e5ca139d51a140fff46f84315c0fdce203eab2807c7e495eff4f9 AS builder
RUN apt-get update -qq && \
    apt-get install -y --no-install-recommends \
        cmake ninja-build g++ ca-certificates && \
    rm -rf /var/lib/apt/lists/*
WORKDIR /src
COPY . .
RUN cmake -S . -B build -G Ninja \
        -DCMAKE_BUILD_TYPE=Release \
        -DSECP256K1_BUILD_TESTS=ON \
        -DSECP256K1_BUILD_BENCH=ON \
        -DSECP256K1_BUILD_SHARED=ON \
        -DSECP256K1_INSTALL=ON \
        -DSECP256K1_USE_ASM=ON && \
    cmake --build build -j"$(nproc)"
# Run tests as build verification
RUN ctest --test-dir build --output-on-failure
# --------------------------------------------------------------------------
# Runtime image (minimal)
# --------------------------------------------------------------------------
FROM ubuntu:24.04@sha256:d1e2e92c075e5ca139d51a140fff46f84315c0fdce203eab2807c7e495eff4f9 AS runtime
RUN apt-get update -qq && \
    apt-get install -y --no-install-recommends libstdc++6 && \
    rm -rf /var/lib/apt/lists/*
COPY --from=builder /src/build/cpu/libfastsecp256k1.so* /usr/lib/
COPY --from=builder /src/build/cpu/bench_unified /usr/bin/
COPY --from=builder /src/cpu/include/secp256k1 /usr/include/secp256k1/
RUN ldconfig
ENTRYPOINT ["bench_unified", "--quick"]