statement store: sync dht feature branch with master

.github/workflows/build-publish-images.yml

@@ -786,9 +786,8 @@ jobs:
     runs-on: ubuntu-latest
     name: All zombienet tests passed
     needs:
-      # Disabled until zombienet polkadot/cumulus flows are stable
-      # - trigger-zombienet-polkadot
-      # - trigger-zombienet-cumulus
+      - trigger-zombienet-polkadot
+      - trigger-zombienet-cumulus
       - trigger-zombienet-substrate
       - trigger-zombienet-parachain-template
     if: always() && !cancelled()

.github/workflows/docs.yml

@@ -122,6 +122,8 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: gh-pages
+          fetch-depth: 0
+          persist-credentials: false
       - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         id: app-token
         with:
@@ -164,12 +166,8 @@ jobs:
           echo "${Green}Add new remote with gh app token${NC}"
           git remote set-url origin $(git config remote.origin.url | sed "s|github.com|x-access-token:${TOKEN}@github.com|g")
 
-          echo "${Green}Remove http section that causes issues with gh app auth token${NC}"
-          sed -i.bak '/\[http/d' ./.git/config
-          sed -i.bak '/extraheader/d' ./.git/config
-
           echo "${Green}Git push${NC}"
           git config user.email "ci@parity.io"
           git config user.name "${APP_NAME}"
-          git commit --amend -m "___Updated docs" || echo "___Nothing to commit___"
-          git push origin gh-pages --force
+          git commit -m "Updated docs for ${REF_NAME}" || echo "___Nothing to commit___"
+          git push origin gh-pages

Cargo.toml

@@ -160,6 +160,7 @@ members = [
 	"polkadot/erasure-coding",
 	"polkadot/erasure-coding/fuzzer",
 	"polkadot/jemalloc-shim",
+	"polkadot/node/clock",
 	"polkadot/node/collation-generation",
 	"polkadot/node/core/approval-voting",
 	"polkadot/node/core/approval-voting-parallel",
@@ -189,6 +190,7 @@ members = [
 	"polkadot/node/network/bitfield-distribution",
 	"polkadot/node/network/bridge",
 	"polkadot/node/network/collator-protocol",
+	"polkadot/node/network/collator-protocol/test-sim-macros",
 	"polkadot/node/network/dispute-distribution",
 	"polkadot/node/network/gossip-support",
 	"polkadot/node/network/protocol",
@@ -201,6 +203,8 @@ members = [
 	"polkadot/node/subsystem-test-helpers",
 	"polkadot/node/subsystem-types",
 	"polkadot/node/subsystem-util",
+	"polkadot/node/test-sim",
+	"polkadot/node/test-sim/macros",
 	"polkadot/node/test/client",
 	"polkadot/node/test/service",
 	"polkadot/node/tracking-allocator",
@@ -1116,12 +1120,14 @@ polkadot-availability-distribution = { path = "polkadot/node/network/availabilit
 polkadot-availability-recovery = { path = "polkadot/node/network/availability-recovery", default-features = false }
 polkadot-cli = { path = "polkadot/cli", default-features = false }
 polkadot-collator-protocol = { path = "polkadot/node/network/collator-protocol", default-features = false }
+polkadot-collator-protocol-test-sim-macros = { path = "polkadot/node/network/collator-protocol/test-sim-macros" }
 polkadot-core-primitives = { path = "polkadot/core-primitives", default-features = false }
 polkadot-dispute-distribution = { path = "polkadot/node/network/dispute-distribution", default-features = false }
 polkadot-erasure-coding = { path = "polkadot/erasure-coding", default-features = false }
 polkadot-gossip-support = { path = "polkadot/node/network/gossip-support", default-features = false }
 polkadot-jemalloc-shim = { path = "polkadot/jemalloc-shim" }
 polkadot-network-bridge = { path = "polkadot/node/network/bridge", default-features = false }
+polkadot-node-clock = { path = "polkadot/node/clock", default-features = false }
 polkadot-node-collation-generation = { path = "polkadot/node/collation-generation", default-features = false }
 polkadot-node-core-approval-voting = { path = "polkadot/node/core/approval-voting", default-features = false }
 polkadot-node-core-approval-voting-parallel = { path = "polkadot/node/core/approval-voting-parallel", default-features = false }
@@ -1162,6 +1168,8 @@ polkadot-service = { path = "polkadot/node/service", default-features = false }
 polkadot-statement-distribution = { path = "polkadot/node/network/statement-distribution", default-features = false }
 polkadot-statement-table = { path = "polkadot/statement-table", default-features = false }
 polkadot-subsystem-bench = { path = "polkadot/node/subsystem-bench" }
+polkadot-subsystem-test-sim = { path = "polkadot/node/test-sim" }
+polkadot-subsystem-test-sim-macros = { path = "polkadot/node/test-sim/macros" }
 polkadot-test-client = { path = "polkadot/node/test/client" }
 polkadot-test-runtime = { path = "polkadot/runtime/test-runtime" }
 polkadot-test-service = { path = "polkadot/node/test/service" }

cumulus/pallets/aura-ext/Cargo.toml

@@ -13,6 +13,7 @@ workspace = true
 
 [dependencies]
 codec = { features = ["derive"], workspace = true }
+log = { workspace = true }
 scale-info = { features = ["derive"], workspace = true }
 
 # Substrate
@@ -26,13 +27,13 @@ sp-runtime = { workspace = true }
 
 # Cumulus
 cumulus-pallet-parachain-system = { workspace = true }
+cumulus-primitives-core = { workspace = true }
 
 [dev-dependencies]
 rstest = { workspace = true }
 
 # Cumulus
 cumulus-pallet-parachain-system = { workspace = true, default-features = true }
-cumulus-primitives-core = { workspace = true, default-features = true }
 cumulus-primitives-proof-size-hostfunction = { workspace = true, default-features = true }
 cumulus-test-relay-sproof-builder = { workspace = true, default-features = true }
 
@@ -49,8 +50,10 @@ default = ["std"]
 std = [
 	"codec/std",
 	"cumulus-pallet-parachain-system/std",
+	"cumulus-primitives-core/std",
 	"frame-support/std",
 	"frame-system/std",
+	"log/std",
 	"pallet-aura/std",
 	"pallet-timestamp/std",
 	"scale-info/std",

cumulus/pallets/aura-ext/src/lib.rs

@@ -40,10 +40,12 @@ use sp_runtime::traits::{Block as BlockT, Header as HeaderT, LazyBlock};
 
 pub mod consensus_hook;
 pub mod migration;
+pub mod signature_verifier;
 #[cfg(test)]
 mod test;
 
 pub use consensus_hook::FixedVelocityConsensusHook;
+pub use signature_verifier::AuraSchedulingVerifier;
 
 type Aura<T> = pallet_aura::Pallet<T>;
 

cumulus/pallets/aura-ext/src/signature_verifier.rs

@@ -0,0 +1,85 @@
+// Copyright (C) Parity Technologies (UK) Ltd.
+// This file is part of Cumulus.
+// SPDX-License-Identifier: Apache-2.0
+
+//! V3 scheduling signature verifier backed by parachain Aura authorities.
+//!
+//! Implements [`VerifySchedulingSignature`] for parachains running Aura: maps the relay slot
+//! at `internal_scheduling_parent` (supplied by the caller) to the parachain slot, looks up the
+//! eligible Aura author from this pallet's cached authority set, and verifies the 64-byte
+//! signature in [`SignedSchedulingInfo`] over the encoded `SchedulingInfoPayload`.
+
+use crate::{Authorities, Config};
+use codec::{Decode, Encode};
+use cumulus_primitives_core::{
+	relay_chain::RELAY_CHAIN_SLOT_DURATION_MILLIS, SignedSchedulingInfo, VerifySchedulingSignature,
+};
+use sp_application_crypto::RuntimeAppPublic;
+use sp_consensus_aura::Slot;
+
+/// Verifier for V3 [`SignedSchedulingInfo`] against parachain Aura authorities.
+///
+/// Wired by the parachain runtime as
+/// `type SchedulingSignatureVerifier = AuraSchedulingVerifier<Runtime>;` on
+/// [`cumulus_pallet_parachain_system::Config`]. The Aura crypto is taken from
+/// [`pallet_aura::Config::AuthorityId`].
+pub struct AuraSchedulingVerifier<T>(core::marker::PhantomData<T>);
+
+impl<T> VerifySchedulingSignature for AuraSchedulingVerifier<T>
+where
+	T: Config,
+	T: pallet_timestamp::Config,
+{
+	const V3_SCHEDULING_ENABLED: bool = true;
+
+	/// Verify that `signed_info` was produced by the Aura author eligible at the parachain slot
+	/// derived from `relay_slot` (the slot of the internal scheduling parent).
+	///
+	/// Returns `true` only when every step succeeds; all error paths return `false` (fail-closed)
+	/// so the PVF rejects the candidate without panicking on adversarial input.
+	fn verify(signed_info: &SignedSchedulingInfo, relay_slot: Slot) -> bool {
+		// 1. The relay slot at the internal scheduling parent gives the para slot that determines
+		//    the valid author.
+		let para_slot_duration: u64 =
+			match TryInto::<u64>::try_into(pallet_aura::Pallet::<T>::slot_duration()) {
+				Ok(d) if d > 0 => d,
+				_ => return false,
+			};
+
+		let para_slot: u64 = match u64::from(relay_slot)
+			.checked_mul(RELAY_CHAIN_SLOT_DURATION_MILLIS)
+			.map(|product| product / para_slot_duration)
+		{
+			Some(s) => s,
+			None => return false,
+		};
+
+		// 2. Look up the eligible Aura author.
+		let authorities = Authorities::<T>::get();
+		let author_idx = match pallet_aura::Pallet::<T>::slot_author_index(Slot::from(para_slot)) {
+			Some(idx) => idx as usize,
+			None => return false,
+		};
+		let author = match authorities.get(author_idx) {
+			Some(author) => author,
+			None => return false,
+		};
+
+		// 3. Decode the 64-byte signature blob as the authority's expected signature type and
+		//    verify over the encoded SchedulingInfoPayload.
+		let signature = match <T::AuthorityId as RuntimeAppPublic>::Signature::decode(
+			&mut &signed_info.signature[..],
+		) {
+			Ok(sig) => sig,
+			Err(e) => {
+				log::error!(
+					target: "aura-ext::scheduling-verifier",
+					"failed to decode scheduling signature: {e}",
+				);
+				return false;
+			},
+		};
+
+		author.verify(&signed_info.payload.encode(), &signature)
+	}
+}