Summary

This release include changes to our build process and a migration from the staking-deposit-cli internals to the ethstaker-deposit-cli internals.

A security issue was discovered during a security review of the ethstaker-deposit-cli project by Trail of Bits. This vulnerability affects users who previously generated multiple keystore files in a single run using staking-deposit-cli (formerly eth2-deposit-cli), ethstaker-deposit-cli, or Wagyu Key Gen. If a malicious actor obtains your keystore files, there is a risk of exposing the private keys. While a small number of leaked keystore files would require significant computing power to exploit, the attack becomes increasingly feasible as more files are compromised from a single tool run.

We strongly recommend using the updated version of Wagyu Key Gen to create new validator keys if you want to add more validators to an existing setup or if you are starting from scratch. If you believe your previously generated keystore files were not leaked or exposed to any malicious actor, no further action is necessary. However, if you suspect a large number of keystore files from a single tool run may have been potentially exposed, you should assume the keystore private keys have been compromised.

Known Issues

This version doesn't include all the changes we wanted. Don't use this version. We are working on fixing a few remaining issues. Please use version 1.11.1 instead or a more recent release.

All changes

What's Changed

Material v4-v5 upgrade and wagyu refactor by @valefar-on-discord in #189
Migrate to using ethstaker-deposit-cli for key creation internals by @remyroy in #194

Full Changelog: v1.10.0...v1.11.0

How to use

On Windows

Download and run the Wagyu.Key.Gen.X.X.X.exe asset.

On macOS

Download and run the Wagyu.Key.Gen-X.X.X.dmg asset. Run the Wagyu Key Gen app from within Applications by right clicking and clicking Open. You will get a warning stating macOS cannot verify the developer of “Wagyu Key Gen.app”. Are you sure you want to open it?. Click Open and the app will open.

On Linux

Download the Wagyu.Key.Gen-X.X.X.AppImage asset, make it executable and launch it from your desktop environment, often by double clicking on it, or from your terminal.

On Ubuntu 22.04 or later, you might need to install libfuse2 first before running the AppImage asset with something like:

sudo add-apt-repository universe
sudo apt install libfuse2

As an alternative to having FUSE, you can manually extract the AppImage asset and run it. In a Terminal, it would look like:

chmod 777 Wagyu.Key.Gen-1.10.0.AppImage
./Wagyu.Key.Gen-1.10.0.AppImage --appimage-extract
cd squashfs-root
./AppRun

Building process

Release assets were built using Github Actions and this workflow run. You can establish the provenance of this build using our artifact attestations.

With the GitHub CLI installed, a simple way to verify these assets is to run this command while replacing [filename] with the path to the downloaded asset:

gh attestation verify [filename] --repo stake-house/wagyu-key-gen

This step requires you to be online. If you want to perform this offline, follow these instructions from GitHub.

Binaries

Removed

License

By downloading and using this software, you agree to the license.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Version 1.11.0