Commit-Boost · JasonVranek · Jul 27, 2025 · Jul 30, 2025 · Jul 31, 2025 · Aug 12, 2025
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -0,0 +1,27 @@
+# RUSTSEC-2026-0049: CRL revocation checking bug in rustls-webpki 0.101.7.
+#
+# Background: CRL (Certificate Revocation List) checking is an optional TLS
+# feature where a client fetches a list of revoked certificates from URLs
+# embedded in the cert itself, to confirm it hasn't been invalidated since
+# issuance. This is distinct from normal certificate validation.
+#
+# The bug: when a cert lists multiple CRL distribution point URLs, only the
+# first URL is checked; the rest are silently ignored. This matters only when
+# CRL checking is enabled AND the UnknownStatusPolicy is set to Allow (meaning
+# "if I can't determine revocation status, accept the cert anyway"). With that
+# combination, a revoked certificate from a compromised CA could be accepted.
+#
+# Why this does not affect Commit-Boost: the vulnerable code path is never
+# reached because no code in this codebase enables CRL checking at all.
+# TLS is used in four places: (1) relay communication via reqwest with
+# rustls-tls uses default CA validation with no CRL configured; (2) the signer
+# server presents a TLS certificate but does not check client revocation;
+# (3) the signer client pins a single self-signed certificate via
+# add_root_certificate — CRL is irrelevant for self-signed certs; (4) the Dirk
+# remote signer uses mTLS with a custom CA but again no CRL. In all cases the
+# buggy CRL code in rustls-webpki is never invoked.
+#
+# Blocked on sigp/lighthouse upgrading past v8.0.1 without a compilation
+# regression (SseEventSource missing cfg guard in eth2 error.rs).
+[advisories]
+ignore = ["RUSTSEC-2026-0049"]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -26,7 +26,7 @@ jobs:
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: nightly-2025-06-26
+          toolchain: nightly-2026-01-01
           components: clippy, rustfmt
 
       - name: Install protoc

diff --git a/.gitignore b/.gitignore
@@ -16,6 +16,7 @@ targets.json
 .idea/
 logs
 .vscode/
+certs/
 
 # Nix
 .direnv/
-Original file line number
+Diff line change
@@ Expand Up / @@ -16,6 +16,7 @@ targets.json @@
     .idea/
     logs
     .vscode/
+    certs/
     # Nix
     .direnv/
@@ Expand Down @@