Proposal to elect new release rc--2025-08-14_03-27

Hello there!

We are happy to announce that voting is now open for a new GuestOS release.
The NNS proposal is here: IC NNS Proposal 137921.

Here is a summary of the changes since the last GuestOS release:

Release Notes for release-2025-08-14_03-27-base (1db8f933fdadc81a90e7db2389b081e21263a9b6)

This release is based on changes since release-2025-08-07_03-33-base (047925dfd8386aca91d154054149727131766084).

Please note that some commits may be excluded from this release if they’re not relevant, or not modifying the GuestOS image.
Additionally, descriptions of some changes might have been slightly modified to fit the release notes format.

To see a full list of commits added since last release, compare the revisions on GitHub.

Features:

  • da40cb4ea Crypto: Add support for subkey derivation to ic-ed25519 and ic-secp256k1 (#6173)
  • bd1393d54 Execution,Interface: Add snapshot source to canister history (#6163)
  • 5125d5e8b Execution,Interface: Implement pre-signature stash behind a feature flag (#6179)
  • f30890a84 Execution,Interface: Extend canister status endpoint (#6144)
  • 388980813 Interface(ledgers): fix the generic message, add FieldsDisplay (#5563)
  • 84538856c Interface: Add SEV measurements to ReplicaVersionRecord (#5966)
  • 70310a5fb Interface(ICP-Ledger): Implement endpoint to reset legacy approvals (#6121)
  • 6290490f9 Interface,Message Routing: Parallel traversal of files in finalize_checkpoint (#6185)
  • 1905e1dd8 Interface,Node: Move disk encryption logic to Rust and support SEV-based disk encryption (#6170)

Bugfixes:

  • 705ab6ab7 Consensus,Interface(orchestrator): Gracefully stop orchestrator tasks during replica upgrades (#5898)
  • 358c24213 Consensus,Interface: use /api/v2/subnet/<subnet_id>/read_state instead of /api/v2/canister/<effective_canister_id>/read_state when fetching nns delegation (#6178)

Performance improvements:

  • 8a9e16366 Consensus,Interface: Remove anyhow from P2P code (#6244)
  • 552295bb4 Consensus,Interface: Re-combine peer and user ingress channels (#5908)

Chores:

  • 09571b845 Consensus,Interface: Rename TestSigInputs (#6252)
  • 34f9ec20d Consensus,Interface: print the raw response when we fail to decode the read state response from the NNS (#6246)
  • da30c0d38 Consensus,Interface: drop unused logs (#6233)
  • 39c358e8a Consensus,Interface: Use the full pre-signature to determine “oldest registry version in use” (#6166)
  • 65bb95e42 Consensus,Interface: Report IDKG transcript resolution errors occurring during batch delivery (#6135)
  • 09a91114e Crypto,Interface,Message Routing: Extra helper functions for hash trees (#6182)
  • 4611dc7ad Execution,Interface: Upgrade Wasmtime 35 (#6100)
  • 3f7bba9a9 Execution,Interface,Message Routing(EXC): Remove unused call_responded method on CallContextManager (#6092)
  • cddf2f8a9 Interface(ICRC_Ledger): Clean up migration code (#5627)
  • 2ee6ac954 Interface(Ledgers): format did files with default formatter (#6235)
  • 853d5f2b6 Interface: Add types to utils (#6186)
  • 746c05b97 Owners: upgrade autocfg to 1.5.0 to fix reproducibility (#6236)
  • a417ed6be Owners: don’t use separate lockfile for fuzzers (#6184)
  • fde21389b Node: removing all mentions of filebeat and log pushing configuration and generation (#6153)
  • f718b7dbf Node: Update Base Image Refs [2025-08-07-0804] (#6176)

Refactoring:

Tests:

  • 1d53767ab Interface,Node(node): Scaffold initial structure for E2E NNS recovery test (#6168)

Full list of changes (including the ones that are not relevant to GuestOS) can be found on GitHub.

IC-OS Verification

To build and verify the IC-OS GuestOS disk image, after installing curl if necessary (sudo apt install curl), run:

# From https://github.com/dfinity/ic#verifying-releases
curl -fsSL https://raw.githubusercontent.com/dfinity/ic/master/ci/tools/repro-check | python3 - -c 1db8f933fdadc81a90e7db2389b081e21263a9b6 --guestos

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

While not required for this NNS proposal, as we are only electing a new GuestOS version here, you have the option to verify the build reproducibility of the HostOS by passing --hostos to the script above instead of --guestos, or the SetupOS by passing --setupos.

2 Likes

Hello there!

We are happy to announce that voting is now open for a new HostOS release.
The NNS proposal is here: IC NNS Proposal 137922.

Here is a summary of the changes since the last HostOS release:

Release Notes for release-2025-08-14_03-27-base (1db8f933fdadc81a90e7db2389b081e21263a9b6)

This release is based on changes since release-2025-08-07_03-33-base (047925dfd8386aca91d154054149727131766084).

Please note that some commits may be excluded from this release if they’re not relevant, or not modifying the HostOS image. Additionally, descriptions of some changes might have been slightly modified to fit the release notes format.

To see a full list of commits added since last release, compare the revisions on GitHub.

Features:

  • 1905e1dd8 Interface,Node: Move disk encryption logic to Rust and support SEV-based disk encryption (#6170)

Chores:

  • 7f8ccf7b3 Interface,Node: HostOS SEV improvements (#6249)
  • 746c05b97 Owners: upgrade autocfg to 1.5.0 to fix reproducibility (#6236)
  • fde21389b Node: removing all mentions of filebeat and log pushing configuration and generation (#6153)
  • f718b7dbf Node: Update Base Image Refs [2025-08-07-0804] (#6176)

Full list of changes (including the ones that are not relevant to HostOS) can be found on GitHub.

IC-OS Verification

To build and verify the IC-OS HostOS disk image, after installing curl if necessary (sudo apt install curl), run:

# From https://github.com/dfinity/ic#verifying-releases
curl -fsSL https://raw.githubusercontent.com/dfinity/ic/master/ci/tools/repro-check | python3 - -c 1db8f933fdadc81a90e7db2389b081e21263a9b6 --hostos

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

While not required for this NNS proposal, as we are only electing a new HostOS version here, you have the option to verify the build reproducibility of the GuestOS by passing --guestos to the script above instead of --hostos, or the SetupOS by passing --setupos.

1 Like

Based on proposal execution history, I’d expect Proposal: 137922 to fail to execute.

It proposes to unelect a large number of HostOS versions from the registry, including 68fc31a141b25f842f078c600168d8211339f422.

Who is familiar with why Proposal: 137073 and Proposal: 136983 failed to execute?

cc @DRE-Team

1 Like

Proposal 137921 & 137922 - Hamish | CodeGov

Vote: Adopt
Reason: I have successfully run the build script and in my opinion all the commits listed look fine and match their descriptions.

Features:

  • da40cb4ea Crypto: Add support for subkey derivation to ic-ed25519 and ic-secp256k1 (#6173)
    Review: Looks fine + matches description
    Notes: Hardcodes the various mainnet public keys for Ed25519 and Secp256, then exposes helper functions to generate derived keys. This allows these derived keys to be calculated without having to call into the management canister (eg. while offline).

  • bd1393d54 Execution,Interface: Add snapshot source to canister history (#6163)
    Review: Looks fine + matches description
    Notes: Adds the snapshot source to each CanisterLoadSnapshot event that gets written to the canister history whenever a snapshot is loaded. Also modifies the SnapshotSource variants to be of type candid::Reserved so that if fields are added in the future those new values would be backward compatible with the old versions.

  • 5125d5e8b Execution,Interface: Implement pre-signature stash behind a feature flag (#6179)
    Review: Looks fine + matches description
    Notes: Implements storing pre-signatures in the replicated state, appending new pre-signatures as they are delivered and popping them out of the state as they are required. This functionality is hidden behind the store_pre_signatures_in_state flag, which is currently disabled.

  • f30890a84 Execution,Interface: Extend canister status endpoint (#6144)
    Review: Looks fine + matches description
    Notes: Adds version and ready_for_migration fields to canister status responses as needed for the upcoming canister migration feature.

  • 388980813 Interface(ledgers): fix the generic message, add FieldsDisplay (#5563)
    Review: Looks fine + matches description
    Notes: Updates the ICRC ledger’s implementation of ICRC-21 consent messages to conform with the latest formats as specified in the spec.

  • 84538856c Interface: Add SEV measurements to ReplicaVersionRecord (#5966)
    Review: Looks fine + matches description
    Notes: Adds the guest_launch_measurements field to ReplicaVersionRecord which contains a launch measurement per command line string used to launch the guest.

  • 70310a5fb Interface(ICP-Ledger): Implement endpoint to reset legacy approvals (#6121)
    Review: Looks fine + matches description
    Notes: Implements remove_approval on the ICP ledger which allows users to reset approvals by specifying the spender’s account identifier, rather than having to pass in the ICRC account.

  • 6290490f9 Interface,Message Routing: Parallel traversal of files in finalize_checkpoint (#6185)
    Review: Looks fine + matches description
    Notes: Updates dir_list_recursive to iterate directories in parallel by re-using the readily available thread pool as used at many other stages of checkpointing.

  • 1905e1dd8 Interface,Node: Move disk encryption logic to Rust and support SEV-based disk encryption (#6170)
    Review: Looks fine + matches description
    Notes: Introduces the guest_disk tool which can be used to generate keys for encrypted disk partitions. This tool can generate SEV-based keys for where it is enabled, or can generate random keys to match the existing behaviour where it is not enabled.

Bugfixes:

  • 705ab6ab7 Consensus,Interface(orchestrator): Gracefully stop orchestrator tasks during replica upgrades (#5898)
    Review: Looks fine + matches description
    Notes: Updates the orchestrator to pass a cancellation token to each of its tasks which get cancelled when a replica upgrade occurs, allowing the tasks to shut down gracefully, whereas previously when an upgrade was detected the process would be terminated.

  • 358c24213 Consensus,Interface: use /api/v2/subnet/<subnet_id>/read_state instead of /api/v2/canister/<effective_canister_id>/read_state when fetching nns delegation (#6178)
    Review: Looks fine + matches description
    Notes: Updates the url used by the NNS delegation manager to fetch delegations.

Performance improvements:

  • 8a9e16366 Consensus,Interface: Remove anyhow from P2P code (#6244)
    Review: Looks fine + matches description
    Notes: Removes usages of anyhow from the P2P layer because it captured backtraces which are expensive and were unused, replaced by the new P2PError type which can wrap any error and crucially doesn’t capture backtraces.

  • 552295bb4 Consensus,Interface: Re-combine peer and user ingress channels (#5908)
    Review: Looks fine + matches description
    Notes: Modifies the P2P artifact manager by merging the 2 inbound streams into a single bounded stream. Previously the ingress message stream was unbounded so this commit updates all usages of the unbounded stream over to using a bounded stream.

Chores:

  • 09571b845 Consensus,Interface: Rename TestSigInputs (#6252)
    Review: Looks fine + matches description
    Notes: Renames the TestSigInputs struct to TestPreSigRef and also similarly renames a few function and variable names.

  • 34f9ec20d Consensus,Interface: print the raw response when we fail to decode the read state response from the NNS (#6246)
    Review: Looks fine + matches description
    Notes: Updates the NNS delegation manager to include the raw response in the error message whenever the response from the NNS fails to be decoded in order to aid with debugging.

  • da30c0d38 Consensus,Interface: drop unused logs (#6233)
    Review: Looks fine + matches description
    Notes: Removes 2 unused cases where info would be written to the logs.

  • 39c358e8a Consensus,Interface: Use the full pre-signature to determine “oldest registry version in use” (#6166)
    Review: Looks fine + matches description
    Notes: Simplifies get_oldest_idkg_state_registry_version by making it read the registry version of each key transcript and then take the minimum.

  • 65bb95e42 Consensus,Interface: Report IDKG transcript resolution errors occurring during batch delivery (#6135)
    Review: Looks fine + matches description
    Notes: Updates get_idkg_subnet_public_keys_and_pre_signatures, so that any time a transcript fails to be loaded or a public key cannot be found, the new transcript_resolution_errors field of the IDkgPayloadStats struct is incremented. Then adds the idkg_transcript_resolution_errors counter metric which is incremented by the transcript_resolution_errors counts.

  • 09a91114e Crypto,Interface,Message Routing: Extra helper functions for hash trees (#6182)
    Review: Looks fine + matches description
    Notes: Adds 2 new helper functions to hash trees, lookup_lower_bound, which looks up a label or returns the next smaller label if not found, and filter_builder/filter, which can be used to prune everything away except paths within the specified filter.

  • 4611dc7ad Execution,Interface: Upgrade Wasmtime 35 (#6100)
    Review: Looks fine + matches description
    Notes: Bumps wasmtime from 34.0.1 to 35.0.0 plus bumps a few other related dependencies.

  • 3f7bba9a9 Execution,Interface,Message Routing(EXC): Remove unused call_responded method on CallContextManager (#6092)
    Review: Looks fine + matches description
    Notes: Simply removes some unused code.

  • cddf2f8a9 Interface(ICRC_Ledger): Clean up migration code (#5627)
    Review: Looks fine + matches description
    Notes: Removes the code which populated the ledger index values for SNS and chain fusion ledgers since this was only needed as a one-time thing.

  • 2ee6ac954 Interface(Ledgers): format did files with default formatter (#6235)
    Review: Looks fine + matches description
    Notes: No functional change, just reformats a few candid files.

  • 853d5f2b6 Interface: Add types to utils (#6186)
    Review: Looks fine + matches description
    Notes: Replaces many cases where replica version was passed around as a String to instead use the ReplicaVersion struct.

  • 746c05b97 Owners: upgrade autocfg to 1.5.0 to fix reproducibility (#6236)
    Review: Looks fine + matches description
    Notes: Bumps almost all usages of autocfg from 1.1.0 to 1.5.0 to pull in a fix for a build reproducibility issue.

  • a417ed6be Owners: don’t use separate lockfile for fuzzers (#6184)
    Review: Looks fine + matches description
    Notes: Removes the Cargo.Bazel.Fuzzing.json.lock file and instead adds rustc flags to Cargo.Bazel.json.lock where required for the fuzz tests.

  • fde21389b Node: removing all mentions of filebeat and log pushing configuration and generation (#6153)
    Review: Looks fine + matches description
    Notes: Removes the last remaining mentions of Filebeat and other log pushing code now that all logs use a pull model.

  • f718b7dbf Node: Update Base Image Refs [2025-08-07-0804] (#6176)
    Review: Looks fine + matches description
    Notes: Updates the base IC-OS image references.

Refactoring:

  • 3fc9c04dd Consensus,Interface: Remove ThresholdSigInputsRef (#6157)
    Review: Looks fine + matches description
    Notes: Simplifies a lot of IDKG code and removes many error cases that are no longer possible by removing the ThresholdSigInputsRef type in favour of ThresholdSigInputs which contains the full pre-signature. This is possible because the full pre-signature is readily available rather than needing to be looked up by height.

Tests:

  • 1d53767ab Interface,Node(node): Scaffold initial structure for E2E NNS recovery test (#6168)
    Review: Looks fine + matches description
    Notes: This commit only touches code that is used for testing. It adds more log entries to the test driver, allows specifying the number of hosts when setting up the test environment, and introduces the new nns_recovery_test test.

About CodeGov - reliable, credible, and sensible NNS governance

CodeGov has a team of developers who review and vote independently on the following proposal topics: IC-OS Version Election, Protocol Canister Management, Subnet Management, Node Admin, and Participant Management. The CodeGov NNS known neuron is configured to follow our reviewers on these technical topics. We also have a group of Followees who vote independently on the Governance and the SNS & Neuron's Fund topics. We strive to be a credible and reliable Followee option that votes on every proposal and every proposal topic in the NNS. We also support decentralization of SNS projects such as WaterNeuron, KongSwap, and Alice with a known neuron and credible Followees.

Learn more about CodeGov and its mission at codegov.org.

I don’t think @DRE-Team is a monitored account. I usually try to tag individual team members.

@dmanu Do you know what the issue was with version 68fc31a that caused these earlier proposals to fail? (Tagging you as you were part of a recent discussion on unelecting versions.)

2 Likes

Thanks @timk11.

Based on IC-OS election proposal history, there currently appear to be 18 blessed replica versions registered, 14 of which would be unelected by this proposal.

I’ve listed these below, ordered by elected date, and crossed out the versions that would be unelected.

  • e268b98, elected 2023-11-06 (proposal 125506), UNELECTION PROPOSED, running on 0 nodes
  • 2e269c7, elected 2024-07-01 (proposal 130813), UNELECTION PROPOSED, running on 0 nodes
  • 68fc31a, elected 2025-04-07 (proposal 136070), UNELECTION PROPOSED, running on 0 nodes
  • c9210f4, elected 2025-04-21 (proposal 136311), UNELECTION PROPOSED, running on 0 nodes
  • f8131bf, elected 2025-04-28 (proposal 136367), UNELECTION PROPOSED, running on 0 nodes
  • f195ba7, elected 2025-05-08 (proposal 136447), UNELECTION PROPOSED, running on 0 nodes
  • 2f52f29, elected 2025-05-12 (proposal 136568), UNELECTION PROPOSED, running on 0 nodes
  • 59ad18a, elected 2025-05-19 (proposal 136669), UNELECTION PROPOSED, running on 0 nodes
  • 16825c5, elected 2025-05-26 (proposal 136740), UNELECTION PROPOSED, running on 0 nodes
  • ed3650d, elected 2025-06-02 (proposal 136790), UNELECTION PROPOSED, running on 0 nodes
  • 8f1ef8c, elected 2025-06-09 (proposal 136888), UNELECTION PROPOSED, running on 0 nodes
  • 60fb469, elected 2025-06-30 (proposal 137153), UNELECTION PROPOSED, running on 0 nodes
  • e915efe, elected 2025-07-07 (proposal 137226), UNELECTION PROPOSED, running on 0 nodes
  • 5128134, elected 2025-07-14 (proposal 137350), UNELECTION PROPOSED, running on 0 nodes
  • 143a635, elected 2025-07-21 (proposal 137498), running on 1448 nodes
  • 615045e, elected 2025-07-28 (proposal 137579), running on 0 nodes
  • 21a02f4, elected 2025-08-04 (proposal 137679), running on 0 nodes
  • 047925d, elected 2025-08-11 (proposal 137796), running on 0 nodes

Based on this analysis, 68fc31a should indeed reside within the registry. It seems it must have been a bug that led to the prior two proposals failing (the ones that tried to unelect this version previously).

@dmanu could you point me to the fix and the proposal that introduced it?

1 Like

An interesting bit of trivia I thought I’d share - version e268b98 is so old (elected by Proposal: 125506) that the hash doesn’t actually represent a verified build (it’s the commit hash).

1 Like

Proposal: 137921 & 137922 - Ipsita | ZenithCode

Summary:

  1. Build Hash: Build hash from the proposal, local build and CDN match and is “267364ce03a95444a5c9e5c5193a9244fb51025536c2fb9d4ff434a247531a2b”.
  2. Summary: The release notes match the code changes.
  3. Vote: I vote to adopt the proposals.

Commits

Features:

  • da40cb4ea Crypto: Add support for subkey derivation to ic-ed25519 and ic-secp256k1 (#6173)
    Notes: Adds offline subkey derivation support for ic-ed25519 and ic-secp256k1 by adding master public keys, MasterPublicKeyId enums, and derive_mainnet_key methods.
    Review: Code changes look good and match release notes.

  • bd1393d54 Execution,Interface: Add snapshot source to canister history (#6163)
    Notes: This commit adds a SnapshotSource field to canister history and refactors connected structs, protobuf definitions, and tests to separate snapshots that were taken from a canister (TakenFromCanister(Reserved)) from manually uploaded (MetadataUpload(Reserved)) ones, so that audits can detect their source.
    Review: Code changes look good and match release notes.

  • 5125d5e8b Execution,Interface: Implement pre-signature stash behind a feature flag (#6179)
    Notes: This commit introduces the store_pre_signatures_in_state feature flag, adds logic to purge the stash on key transcript change, merge delivered pre-signatures into the stash, and pop them for pairing with requests, with updates to pre_signatures.rs, stash data structures, and unit tests to validate the new flow.
    Review: Code changes look good and match release notes.

  • f30890a84 Execution,Interface: Extend canister status endpoint (#6144)
    Notes: Extends the canister_status endpoint to include version and ready_for_migration fields, updating CanisterStatusResultV2, CanisterManager, and related tests. Adds handling in the execution environment and management types, ensuring backward-compatible Candid changes.
    Review: Code changes look good and match release notes.

  • 388980813 Interface(ledgers): fix the generic message, add FieldsDisplay (#5563)
    Notes: Fixes ledger ICRC-21 messages to be in line with standard by replacing LineDisplay with FieldsDisplay and removing all unused references to LineDisplay.
    Review: Code changes look good and match release notes.

  • 84538856c Interface: Add SEV measurements to ReplicaVersionRecord (#5966)
    Notes: Replaces deprecated guest_launch_measurement_sha256_hex with GuestLaunchMeasurements in ReplicaVersionRecord, including SEV measurement calculation in IC-OS, ic-admin integration, and test updates.
    Review: Code changes look good and match release notes.

  • 70310a5fb Interface(ICP-Ledger): Implement endpoint to reset legacy approvals (#6121)
    Notes: This commit adds a new remove_approval endpoint to the ICP ledger allowing principals to remove existing approvals by specifying from_subaccount and spender’s AccountIdentifier, modifies icrc2_approve_not_async to support optional override of the spender, and adds tests to validate removal of approvals.
    Review: Code changes look good and match release notes.

  • 6290490f9 Interface,Message Routing: Parallel traversal of files in finalize_checkpoint (#6185)
    Notes: Adds parallel traversal of files in finalize_checkpoint by updating dir_list_recursive to optionally use a thread pool, modifies state_layout.rs to collect directory paths concurrently, and replaces the recursive function with a parallel iterative approach.
    Review: Code changes look good and match release notes.

  • 1905e1dd8 Interface,Node: Move disk encryption logic to Rust and support SEV-based disk encryption (#6170)
    Notes: Moves disk encryption logic from shell commands to Rust by introducing a new guest_disk tool with crypt-open and crypt-format subcommands, implements key generation in Rust (including SEV-based keys), removes generate-store-key.service, and adds unit tests covering both static and SEV encryption paths.
    Review: Code changes look good and match release notes.

Bugfixes:

  • 705ab6ab7 Consensus,Interface(orchestrator): Gracefully stop orchestrator tasks during replica upgrades (#5898)
    Notes: This commit replaces tokio::sync::watch::Receiver with tokio_util::sync::CancellationToken to signal orchestrator tasks to terminate gracefully, and replaces exit(42) with Ok(Rebooting) to allow proper shutdown during replica upgrades.
    Review: Code changes look good and match release notes.

  • 358c24213 Consensus,Interface: use /api/v2/subnet/<subnet_id>/read_state instead of /api/v2/canister/<effective_canister_id>/read_state when fetching nns delegation (#6178)
    Notes: Updates the read_state fetch to use /api/v2/subnet/<subnet_id>/read_state instead of /api/v2/canister/<effective_canister_id>/read_state to align with recommended API usage and avoid future deprecation.
    Review: Code changes look good and match release notes.

Performance improvements:

  • 8a9e16366 Consensus,Interface: Remove anyhow from P2P code (#6244)
    Notes: This commit removes the anyhow dependency from all P2P crates (Cargo.toml, BUILD.bazel, and Cargo.lock) and replaces usages of anyhow::Error with a new lightweight custom P2PError type which includes updating function signatures and test mocks to return P2PError instead of anyhow, eliminating expensive backtrace capturing and improving performance.
    Review: Code changes look good and match release notes.

  • 552295bb4 Consensus,Interface: Re-combine peer and user ingress channels (#5908)
    Notes: The user and peer ingress are merged into a single bounded mpsc::channel, replacing the unbounded stream approach to improve batch processing efficiency and enable load-shedding when the channel is full.
    Review: Code changes look good and match release notes.

Chores:

  • 09571b845 Consensus,Interface: Rename TestSigInputs (#6252)
    Notes: Renames TestSigInputs to TestPreSigRef and updates all related test utilities to use pre-signature refs and their IDkg transcripts instead of full signature inputs.
    Review: Code changes look good and match release notes.

  • 7f8ccf7b3 Interface,Node: HostOS SEV improvements (#6249)
    Notes: This commit enables outgoing SOCKS proxy connections on TCP port 1080 in the IPv6 nftables filter table and removes locked memory from SEV GuestOS XML templates to prevent problems during VM boot time.
    Review: Code changes look good and match release notes.

  • 34f9ec20d Consensus,Interface: print the raw response when we fail to decode the read state response from the NNS (#6246)
    Notes: Updates try_fetch_delegation_from_nns to include the raw NNS response in the error message when decoding HttpReadStateResponse fails, replacing a debug log with a more informative map_err for improved error visibility.
    Review: Code changes look good and match release notes.

  • da30c0d38 Consensus,Interface: drop unused logs (#6233)
    Notes: Removes unused info! logs in QueryContext for composite query transforms and in CanisterHttpAdapterClientImpl for oversized HTTP transform results.
    Review: Code changes look good and match release notes.

  • 39c358e8a Consensus,Interface: Use the full pre-signature to determine “oldest registry version in use” (#6166)
    Notes: Adds full pre-signature pairing in request contexts by updating the code to use the complete PreSignature object instead of just the ID, modifies functions handling registry version lookups from ongoing signature requests, and updates related CUP calculations to reference the full pre-signature transcript directly.
    Review: Code changes look good and match release notes.

  • 65bb95e42 Consensus,Interface: Report IDKG transcript resolution errors occurring during batch delivery (#6135)
    Notes: Adds critical error tracking for IDKG transcript resolution failures during batch delivery by moving IDkgStats into the idkg crate and making create_available_pre_signature_with_key_transcript height-parameterizable to enable testing of invalid transcript references.
    Review: Code changes look good and match release notes.

  • 09a91114e Crypto,Interface,Message Routing: Extra helper functions for hash trees (#6182)
    Notes: Adds helper functions for hash trees: LabeledTree::lookup_lower_bound for fuzzy label lookups returning the next smaller label, and MixedHashTree::filter_builder/FilterBuilder::filtered to prune the tree.
    Review: Code changes look good and match release notes.

  • 4611dc7ad Execution,Interface: Upgrade Wasmtime 35 (#6100)
    Notes: This commit upgrades the wasmtime dependency from version 34.0.1 to 35.0.0, updating Cargo.lock and Bazel lock files with new version and checksum entries, ensuring all builds use the latest runtime.
    Review: Code changes look good and match release notes.

  • 3f7bba9a9 Execution,Interface,Message Routing(EXC): Remove unused call_responded method on CallContextManager (#6092)
    Notes: This commit cleans up dead code by removing the unused call_responded method from CallContextManager.
    Review: Code changes look good and match release notes.

  • cddf2f8a9 Interface(ICRC_Ledger): Clean up migration code (#5627)
    Notes: This commit removes ICRC-106 migration code, including set_index_principal, other related migration functions, and their associated tests.
    Review: Code changes look good and match release notes.

  • 2ee6ac954 Interface(Ledgers): format did files with default formatter (#6235)
    Notes: Reformats DID-related files in the Ledgers module, mainly removing trailing semicolons and adjusting indentation and spacing, while preserving all existing logic and types.
    Review: Code changes look good and match release notes.

  • 853d5f2b6 Interface: Add types to utils (#6186)
    Notes: Updates utils to use explicit types and pass structured parameters by reference (&Type) instead of by value to enforce safer type usage.
    Review: Code changes look good and match release notes.

  • 746c05b97 Owners: upgrade autocfg to 1.5.0 to fix reproducibility (#6236)
    Notes: Upgrades the autocfg crate from 1.1.0/1.4.0 to 1.5.0 across lockfiles and dependency references, updates corresponding checksums and version fields, and removes the previous exclusion for non-reproducible autocfg generated files to ensure reproducible builds in dependent crates like num-traits.
    Review: Code changes look good and match release notes.

  • a417ed6be Owners: don’t use separate lockfile for fuzzers (#6184)
    Notes: Deletes the Cargo.Bazel.Fuzzing.json.lock lockfile used for SANITIZERS_ENABLED builds and updates Bazel crate annotations and selects to specify the required rustc flags for fuzzing to eliminate the need for a separate lockfile.
    Review: Code changes look good and match release notes.

  • fde21389b Node: removing all mentions of filebeat and log pushing configuration and generation (#6153)
    Notes: This commit removes all references to filebeat, including its configs, SELinux rules, and deployment scripts, and this cleanup finalizes the migration to a log pull model, ensuring no leftover filebeat or log-pushing setup remains.
    Review: Code changes look good and match release notes.

  • f718b7dbf Node: Update Base Image Refs [2025-08-07-0804] (#6176)
    Notes: Updates the base container image references to newer versions to have secure container images.
    Review: Code changes look good and match release notes.

Refactoring:

  • 3fc9c04dd Consensus,Interface: Remove ThresholdSigInputsRef (#6157)
    Notes: Removes ThresholdSigInputsRef and its indirection by directly using full pre-signature and key transcripts from the request context to build ThresholdSigInputs to simplify signature assembly and tests.
    Review: Code changes look good and match release notes.

Tests:

  • 1d53767ab Interface,Node(node): Scaffold initial structure for E2E NNS recovery test (#6168)
    Notes: Increases INITIAL_NODE_ALLOWANCE_MULTIPLIER from 2 to 4, refactors nested VM setup to support multi-VM groups, updates SystemTestGroup test setups for host/guest OS upgrades, NNS recovery, and registration.
    Review: Code changes look good and match release notes.

About Zenith Code

Zenith Code is a comprehensive platform dedicated to advancing the Internet Computer ecosystem. It offers an interactive live coding and learning environment tailored for Motoko and ICP, making it easy for new developers to onboard through hands-on challenges and real-time code execution. Beyond education, Zenith Code actively supports the decentralization and governance of the Internet Computer. As a registered node provider, we help run the network’s infrastructure, and through our known neuron, we actively review and vote on IC OS version election proposals. Explore more at zenithcode.ai.

Proposal 137921 & 137922 | Yuvika - Zenith Code

Summary

  1. Vote: Adopt
  2. Hash: Hashes match
  3. Reasons to adopt: Builds fine + hashes match + release notes match the commits.

Commits

Features:

  • da40cb4ea
    Summary: Add support for subkey derivation to ic-ed25519 and ic-secp256k1.
    Notes: Enable production of public master keys and add a convenience function for performing fully offline subkey derivation.
    Review: The description matches the code changes.
  • bd1393d54
    Summary: Add snapshot source to canister history.
    Notes: Add a candid::Reserved type field SnapshotSource to each CanisterLoadSnapshot event to distinguish between snapshots taken from a canister and a manually uploaded snapshot.
    Review: The description matches the code changes.
  • 5125d5e8b
    Summary: Implement pre-signature stash behind a feature flag.
    Notes: Add a new feature flag store_pre_signatures_in_state. If disabled, the functionality of pairing signature requests with pre-signatures would be the same as before, and if enabled, the delivered pre-signatures would be stored in the pre-signature stash and paired with incoming requests. The full feature hasn’t been implemented yet and hence is disabled.
    Review: The description matches the code changes.
  • f30890a84
    Summary: Extend canister status endpoint.
    Notes: To enable the canister migration feature, add additional fields to canister_status, such as version to indicate the canister version and ready_for_migration to indicate whether the canister is ready for migration.
    Review: The description matches the code changes.
  • 388980813
    Summary: fix the generic message, add FieldsDisplay.
    Notes: Fix the generic ICRC-21 message returned by the ledgers to conform to the spec: wg-identity-authentication/topics/ICRC-21/examples at main · dfinity/wg-identity-authentication · GitHub.
    And add FieldsDisplay and remove LineDisplay.
    Review: The description matches the code changes.
  • 84538856c
    Summary: Add SEV measurements to ReplicaVersionRecord.
    Notes: Replace the deprecated field guest_launch_measurement_sha256_hex with GuestLaunchMeasurements message in ReplicaVersionRecord and update various tests. Additionally, add logic in the IC-OS build to calculate the SEV measurement and propagate this to the system tests.
    Review: The description matches the code changes.
  • 70310a5fb
    Summary: Implement endpoint to reset legacy approvals.
    Notes: Add a new type RemoveApprovalArgs and method remove_approval which allows a principal to remove an approval by specifying the from_subaccount and spender’s AccountIdentifier.
    Review: The description matches the code changes.
  • 6290490f9
    Summary: Parallel traversal of files in finalize_checkpoint.
    Notes: Refactor dir_list_recursive to traverse files/directories in parallel and use a thread pool.
    Review: The description matches the code changes.
  • 1905e1dd8
    Summary: Move disk encryption logic to Rust and support SEV-based disk encryption.
    Notes: Replace cryptsetup luksOpen and cryptsetup luksFormat calls with a Rust binary that supports SEV-based disk encryption. Add guest_disk tool which supports crypt-open and crypt-format subcommands and can be used to generate keys for encrypted disk partitions. It also implements the current static key generation method when SEV is off as implemented in generated_key.rs.
    Review: The description matches the code changes.

Bugfixes:

  • 705ab6ab7
    Summary: Gracefully stop orchestrator tasks during replica upgrades.
    Notes: Gracefully stop the upgrade loop and tell other tasks to stop as well instead of calling exit(42).
    Review: The description matches the code changes.
  • 358c24213
    Summary: use /api/v2/subnet/<subnet_id>/read_state instead of /api/v2/canister/<effective_canister_id>/read_state when fetching nns delegation.
    Notes: Request paths with prefix /api/v2/subnet instead of /subnet (which we are) via /api/v2/canister url, as it might be deprecated in the future.
    Review: The description matches the code changes.

Performance improvements:

  • 8a9e16366
    Summary: Remove anyhow from P2P code.
    Notes: Remove anyhow from all P2P crates, replace it with P2PError as we don’t need backtraces. anyhow captures backtraces and can be expensive, as well as lead to performance regression after updating the libunwind version.
    Review: The description matches the code changes.
  • 552295bb4
    Summary: Re-combine peer and user ingress channels.
    Notes: Revert #3419, recombine the peer and user ingress channels into a single bounded mpsc::channel, and read incoming artifacts from the Receiver directly. Switch over from using an unbounded ingress message stream to a bounded stream.
    Review: The description matches the code changes.

Chores:

  • 09571b845
    Summary: Rename TestSigInputs.
    Notes: Rename TestSigInputs to TestPreSigRef since it only contains the pre-signature ref now, and rename a few other functions, such as create_pre_sig_ref_with_height, and variables.
    Review: The description matches the code changes.
  • 34f9ec20d
    Summary: print the raw response when we fail to decode the read state response from the NNS.
    Notes: Output the actual response from the NNS instead of expected struct HttpReadStateResponse errors while trying to decode the response.
    Review: The description matches the code changes.
  • da30c0d38
    Summary: drop unused logs.
    Notes: Remove logs about canister behaviour since they are not necessary and relevant from 2 files.
    Review: The description matches the code changes.
  • 39c358e8a
    Summary: Use the full pre-signature to determine “oldest registry version in use”.
    Notes: Refactor get_oldest_idkg_state_registry_version to return the oldest registry version of transcripts that were matched to signature request contexts, as request contexts are paired with the full pre-signature, and we can determine the registry versions referenced by ongoing signature requests.
    Review: The description matches the code changes.
  • 65bb95e42
    Summary: Report IDKG transcript resolution errors occurring during batch delivery.
    Notes: Move the IDkgPayloadStats into the idkg crate and increment transcript_resolution_errors counter if the resolution of an IDKG transcript ref ever fails during batch delivery. And add a new metric idkg_transcript_resolution_errors which depends on transcript_resolution_errors.
    Review: The description matches the code changes.
  • 09a91114e
    Summary: Extra helper functions for hash trees.
    Notes: Add 2 helper functions LabeledTree::lookup_lower_bound and MixedHashTree::filter_builder/FilterBuilder::filtered.
    Review: The description matches the code changes.
  • 4611dc7ad
    Summary: Upgrade Wasmtime 35.
    Notes: Upgrade wasmtime version 35.0.0 from 34.0.1 and some other dependencies.
    Review: The description matches the code changes.
  • 3f7bba9a9
    Summary: Remove unused call_responded method on CallContextManager.
    Notes: Remove call_responded method since it is not needed.
    Review: The description matches the code changes.
  • cddf2f8a9
    Summary: Clean up migration code.
    Notes: Remove migration code related to ICRC-106 for setting the index canister principal in the chain fusion and SNS ledgers.
    Review: The description matches the code changes.
  • 2ee6ac954
    Summary: format did files with default formatter.
    Notes: format files with default formatter.
    Review: The description matches the code changes.
  • 853d5f2b6
    Summary: Add types to utils.
    Notes: Update type of replica version from String to a user-defined struct ReplicaVersion.
    Review: The description matches the code changes.
  • 7f8ccf7b3
    Summary: HostOS SEV improvements.
    Notes: Enable outgoing SOCKS proxy connections via TCP 1080 port, and remove locked memory from the SEV config (guestos_vm_sev.xml, upgrade_guestos.xml, guestos_vm_template.xml) since it was preventing the VM from starting.
    Review: The description matches the code changes.
  • 746c05b97
    Summary: upgrade autocfg to 1.5.0 to fix reproducibility.
    Notes: Upgrade autocfg crate to 1.5.0 in most places to fix a reproducibility issue in the num-traits crate.
    Review: The description matches the code changes.
  • a417ed6be
    Summary: don’t use separate lockfile for fuzzers.
    Notes: Remove Cargo.Bazel.Fuzzing.json.lock lockfile, and instead use crate annotations to specify the rustc_flags required for fuzzing.
    Review: The description matches the code changes.
  • fde21389b
    Summary: removing all mentions of filebeat and log pushing configuration and generation.
    Notes: Remove all mentions of filebeat, and all of its configuration and SELinux policies, as now the testnets have been migrated to a pull model for logs.
    Review: The description matches the code changes.
  • f718b7dbf
    Summary: Update Base Image Refs [2025-08-07-0804].
    Notes: Update the base image references used for IC OS.
    Review: The description matches the code changes.

Refactoring:

  • 3fc9c04dd
    Summary: Remove ThresholdSigInputsRef.
    Notes: Remove ThresholdSigInputsRef, and directly populate the ThresholdSigInputs using only the data stored in the context.
    Review: The description matches the code changes.

Tests:

  • 1d53767ab
    Summary: Scaffold initial structure for E2E NNS recovery test.
    Notes: Add an NNS recovery test rs/tests/nested/nns_recovery_test.rs. Increase INITIAL_NODE_ALLOWANCE_MULTIPLIER from 2 to 4, allowing for nested VM(s).
    Review: The description matches the code changes.

Proposal: 137921 & 137922 - Manvick | ZenithCode

Summary:

  1. Build Hash: The build hash matches
  2. Summary: The release notes match the code changes
  3. Vote: Adopt

Commits

Features:

  • da40cb4ea Crypto: Add support for subkey derivation to ic-ed25519 and ic-secp256k1 (#6173)
    Review: Matches description + changes are appropriate
    Notes: Adds subkey derivation support for ic-ed25519 and ic-secp256k1, enabling generation of multiple related keys from a root key. Also embeds the production public master keys for both Ed25519 and secp256k1, enabling fully offline key derivation.

  • bd1393d54 Execution,Interface: Add snapshot source to canister history (#6163)
    Review: Matches description + changes are appropriate
    Notes: Adds support for tracking the SnapshotSource (TakenFromCanister vs MetadataUpload) and updates the serialization and deserialization logic, allowing the system to record from which source a canister snapshot originated.

  • 5125d5e8b Execution,Interface: Implement pre-signature stash behind a feature flag (#6179)
    Review: Matches description + changes are appropriate
    Notes: Adds a store_pre_signatures_in_state flag to store pre-signatures in a stash instead of on-chain. Pre-signatures are matched with requests from the stash, and old ones are removed when keys rotate.

  • f30890a84 Execution,Interface: Extend canister status endpoint (#6144)
    Review: Matches description + changes are appropriate
    Notes: Updates canister_status endpoint to add two fields: version - current version of the canister and ready_for_migration - boolean indicating whether the canister is prepared for migration. Backward compatibility is ensured by adding ready_for_migration to canister_status instead of stopped variant.

  • 388980813 Interface(ledgers): fix the generic message, add FieldsDisplay (#5563)
    Review: Matches description + changes are appropriate
    Notes: Introduces new FieldsDisplay field and removes the deprecated LineDisplay field from the ICRC-21 message format returned by the ledger.

  • 84538856c Interface: Add SEV measurements to ReplicaVersionRecord (#5966)
    Review: Matches description + changes are appropriate
    Notes: Adds a new GuestLaunchMeasurements message in the ReplicaVersionRecord to replace the deprecated guest_launch_measurement_sha256_hex field. Also updates the IC-OS build process to calculate the SEV measurement. The ic-admin tool reads this measurement from a JSON file and adds it to proposals. Updates related tests.

  • 70310a5fb Interface(ICP-Ledger): Implement endpoint to reset legacy approvals (#6121)
    Review: Matches description + changes are appropriate
    Notes: Adds a new remove_approval endpoint, that allows a principal to remove an approval by specifying the from_subaccount and the spender’s AccountIdentifier. When this api is invoked, it generates a regular approval block and deducts a fee from the caller’s from_subaccount.

  • 6290490f9 Interface,Message Routing: Parallel traversal of files in finalize_checkpoint (#6185)
    Review: Matches description + changes are appropriate
    Notes: Updates finalize_checkpoint method to utilize a thread pool for concurrent traversal of checkpoint files, introducing parallel processing to the checkpoint finalization process and improving the efficiency and speed of checkpoint finalization.

  • 1905e1dd8 Interface,Node: Move disk encryption logic to Rust and support SEV-based disk encryption (#6170)
    Review: Matches description + changes are appropriate
    Notes: Moves disk encryption logic from shell scripts to Rust binary guest_disk which provides crypt-open and crypt-format subcommands for unlocking and formatting encrypted partitions. guest_disk supports both static key generation (when SEV is disabled) and SEV-based key derivation. Cleans up the old generate-store-key.service and updates tests.

Bugfixes:

  • 705ab6ab7 Consensus,Interface(orchestrator): Gracefully stop orchestrator tasks during replica upgrades (#5898)
    Review: Matches description + changes are appropriate
    Notes: Updates Orchestrator to gracefully stop its tasks during shutdown, preventing sudden termination by replacing tokio::watch::Sender/Receiver with CancellationToken. This ensures all tasks receive a stop signal and exit cleanly. Also removed the abrupt exit(42) call after triggering an upgrade

  • 358c24213 Consensus,Interface: use /api/v2/subnet/<subnet_id>/read_state instead of /api/v2/canister/<effective_canister_id>/read_state when fetching nns delegation (#6178)
    Review: Matches description + changes are appropriate
    Notes: Replacing path with prefix /api/v2/canister with /api/v2/subnet as the former is on the path to deprecation.

Performance improvements:

  • 8a9e16366 Consensus,Interface: Remove anyhow from P2P code (#6244)
    Review: Matches description + changes are appropriate
    Notes: Removed the usage of the anyhow crate from the peer-to-peer code. Clean up anyhow dependency and changes in related modules. anyhow captures a backtrace which is expensive and not required for P2P code.

  • 552295bb4 Consensus,Interface: Re-combine peer and user ingress channels (#5908)
    Review: Matches description + changes are appropriate
    Notes: Merges peer and user ingress channels into a single channel and makes it bounded by default. Reverts the split implementation that merged messages using tokio_stream - which caused inefficiencies. #3419.

Chores:

  • 09571b845 Consensus,Interface: Rename TestSigInputs (#6252)
    Review: Matches description + changes are appropriate
    Notes: Code refactoring to rename the struct TestSigInputs to TestPreSigRef that better describes its purpose of containing a pre-signature reference and its referenced IDkgTranscripts and related changes.

  • 34f9ec20d Consensus,Interface: print the raw response when we fail to decode the read state response from the NNS (#6246)
    Review: Matches description + changes are appropriate
    Notes: Updates the error message in nns_delegation_manager read state logic. Instead of a generic error, it now prints the raw response along with the decoding error on failure.

  • da30c0d38 Consensus,Interface: drop unused logs (#6233)
    Review: Matches description + changes are appropriate
    Notes: Removes unused log statements from query_context.rs and client.rs.

  • 39c358e8a Consensus,Interface: Use the full pre-signature to determine “oldest registry version in use” (#6166)
    Review: Matches description + changes are appropriate
    Notes: Updates the logic to determine the “oldest registry version in use”: previously based on the key transcript component, now we consider the full pre-signature object. Updates get_oldest_idkg_state_registry_version to read registry versions from each key transcript’s full pre-signature and then pick the minimum.

  • 65bb95e42 Consensus,Interface: Report IDKG transcript resolution errors occurring during batch delivery (#6135)
    Review: Matches description + changes are appropriate
    Notes: Enhances error reporting and metrics collection related to IDkgTranscript resolution errors. Updates the get_idkg_subnet_public_keys_and_pre_signatures method - now we increment a transcript_resolution_errors counter within the IDkgPayloadStats struct when resolution of an IDKG transcript fails. Adds a new metric idkg_transcript_resolution_errors that tracks transcript_resolution_errors.

  • 09a91114e Crypto,Interface,Message Routing: Extra helper functions for hash trees (#6182)
    Review: Matches description + changes are appropriate
    Notes: Added new utility functions to improve operations over labeled and mixed hash trees - LabeledTree::lookup_lower_bound : performs a “fuzzy” lookup within a LabeledTree: if the exact label isn’t present, it returns the nearest smaller label instead. MixedHashTree::filter_builder / FilterBuilder::filtered : enables pruning of a MixedHashTree based on a given filter.

  • 4611dc7ad Execution,Interface: Upgrade Wasmtime 35 (#6100)
    Review: Matches description + changes are appropriate
    Notes: Upgrades Wasmtime runtime dependency from version 34 to version 35 and bumps up a few other dependencies.

  • 3f7bba9a9 Execution,Interface,Message Routing(EXC): Remove unused call_responded method on CallContextManager (#6092)
    Review: Matches description + changes are appropriate
    Notes: Code clean-up to remove unused call_responded method from call_context_manager.rs.

  • cddf2f8a9 Interface(ICRC_Ledger): Clean up migration code (#5627)
    Review: Matches description + changes are appropriate
    Notes: Code clean-up to remove migration logic for ICRC-106 in the ICRC ledger module - including the set_index_principal method used during chain fusions and SNS ledger transitions.

  • 2ee6ac954 Interface(Ledgers): format did files with default formatter (#6235)
    Review: Matches description + changes are appropriate
    Notes: Reformatted .did files using the default formatter.

  • 853d5f2b6 Interface: Add types to utils (#6186)
    Review: Matches description + changes are appropriate
    Notes: Adds TypeScript types to multiple modules to ensure type safety.

  • 746c05b97 Owners: upgrade autocfg to 1.5.0 to fix reproducibility (#6236)
    Review: Matches description + changes are appropriate
    Notes: Updates the autocfg crate from version 1.1.0 to 1.5.0. Updates num-traits crate to use the updated autocfg version.

  • a417ed6be Owners: don’t use separate lockfile for fuzzers (#6184)
    Review: Matches description + changes are appropriate
    Notes: Removes the Cargo.Bazel.Fuzzing.json.lock lockfile, which was used for builds with the SANITIZERS_ENABLED configuration. Fuzzing now relies on crate annotations and selects to specify the necessary rustc flags

  • fde21389b Node: removing all mentions of filebeat and log pushing configuration and generation (#6153)
    Review: Matches description + changes are appropriate
    Notes: Removes all references to Filebeat and its associated configurations as logging is now moving to pull-based model.

  • f718b7dbf Node: Update Base Image Refs [2025-08-07-0804] (#6176)
    Review: Matches description + changes are appropriate
    Notes: Update Base Image references.

  • 7f8ccf7b3 Interface,Node: HostOS SEV improvements (#6249)
    Review: Matches description + changes are appropriate
    Notes: Refines the SEV configurations for HostOS by opening TCP port 1080 for outgoing SOCKS proxy connections and removing locked memory settings from the SEV configuration, which was preventing the VM from starting.

Refactoring:

  • 3fc9c04dd Consensus,Interface: Remove ThresholdSigInputsRef (#6157)
    Review: Matches description + changes are appropriate
    Notes: Refactors the tECDSA/tSchnorr signature generation process by removing the ThresholdSigInputsRef struct and directly using the required transcripts.

Tests:

  • 1d53767ab Interface,Node(node): Scaffold initial structure for E2E NNS recovery test (#6168)
    Review: Matches description + changes are appropriate
    Notes: Adds end-to-end NNS recovery test framework in rs/tests/src/nns_recovery.rs

Hi @Lorimer ! The proposals failed to execute because we had active nodes with this version of HostOS at the time. Due to a bug this wasn’t shown in the monitoring at the time, that’s why the proposals to remove them were submitted in the first place.

Since then the DRE team has been working tirelessly in the last few weeks to upgrade the fleet to a newer version of HostOS, which finally allows us to retire all of these versions :tada:

Confirming @timk11 guess that @DRE-Team currently isn’t a monitored account since it is only used via API to submit automated proposals. Feel free to tag me ( @alexu ) if you have a particular question.

Proposals 137921 & 137922 | Tim - CodeGov

Vote: Adopt

Reason: Build is successful, hashes match, commits match descriptions and the reasoning behind the changes is sound. HostOS commits (proposal 137922) mostly overlap with GuestOS commits (proposal 137921). I’ve reviewed commits for Consensus, Crypto, Interface and Node as detailed below.

Review

Features:

[da40cb4ea]
Adds enum MasterPublicKeyId with key identifiers, and methods PublicKey::mainnet_key to return the public production master keys and PublicKey::derive_mainnet_key to derive a public key from the mainnet parameters (key ID, canister ID and derivation path) both for Ed25519 signatures and for ECDSA and Schnorr keys over the secp256k1 curve.

[388980813]
Replaces type LineDisplayPage with FieldsDisplay, containing a set of standardised fields (TokenAmount etc), and expands and adapts the associated code so that messages returned by the ledgers can conform to ICRC-21, which implements human-readable consent messages for canister calls.

[84538856c]
Changes field guest_launch_measurement_sha256_hex to guest_launch_measurement within type ReviseElectedGuestosVersionsPayload. The changed field can be seen in the current GuestOS proposal (against the previous one for comparison). At its lowest level, the new field contains two subfields - measurement, representing the SEV-SNP measurement in a vector of 48 bytes, and metadata, optionally containing the command line string used to launch the guest. The value of this “measurement” is the hash of the replica image running on the virtual machine. Also related code and test changes as outlined in the commit description.

[70310a5fb]
Adds an update method remove_approval to the ICP ledger canister, which enables a user to revoke approval for another user (or other principal) to transfer tokens from their specified subaccount, as outlined further in the commit notes.

[6290490f9]
Applies parallel mapping to the code that is used for determining which files to set as read-only in CheckpointLayout::mark_files_readonly_and_sync.

[1905e1dd8]
Adds new directory os_tools/guest_disk/, comprising a tool which handles the formatting and activation of encrypted disk partitions in the GuestOS, using either SEV-based encryption or generated key-based encryption depending on whether the trusted execution environment is enabled, along with related changes as outlined in the commit description.

Bugfixes:

[705ab6ab7]
Adapts Orchestrator::start_tasks, ImageUpgrader::execute_upgrade and related code to ensure that the upgrade loop is stopped in conjunction with other orchestrator tasks after the orchestrator detects an upgrade.

[358c24213]
Changes the read state request format as explained in the commit notes and linked documentation.

Performance improvements:

[8a9e16366]
Removes anyhow as a dependency from 6 internal crates. Adds a custom error type P2PError, which is used to replace the anyhow::Error type in these crates for the sake of efficiency.

[552295bb4]
Re-combines message ingress channels for peers (other nodes on the same subnet) and users (accessing the subnet via boundary nodes), effectively reverting commit 5cce4f5cb. Amongst other changes, the old version of the create_ingress_handlers function takes channel and user_ingress_rx as two of its inputs, then merges channel.inbound_rx (containing peer messages) and user_ingress_rx (wrapped in a tokio stream) to pass to run_artifact_processor, whereas the new version just uses channel.inbound_rx for the same purpose. The channel parameter is of type AbortableBroadcastChannel, which in the new version has an added field inbound_tx to represent the user ingress channel. The reasoning for the change is explained at length in the commit description.

Chores:

[09571b845]
Renames type TestSigInputs to TestPreSigRef. Similarly renames various test functions - create_sig_inputs_with_height to create_pre_sig_ref_with_height and so on.

[34f9ec20d]
Modifies logging of response decoding in try_fetch_delegation_from_nns so that in the event of an error the error message also contains the raw response.

[da30c0d38]
Removes 2 unused logging messages relating to canister transforms.

[39c358e8a]
Adapts get_oldest_idkg_state_registry_version so that it considers the full ReplicatedState rather than being limited to the provided IDkgPayload (which is dropped as a parameter in the new version) when determining the oldest registry version of transcripts. This is then utilised in CatchUpPackageMaker::consider_block for determining which blocks should be included in a catch-up package. This in turn affects when a node is allowed to leave the subnet as explained in the commit notes.

[65bb95e42]
Adds field transcript_resolution_errors to type IDkgStats, which is renamed to IDkgPayloadStats and moved from consensus/metrics.rs to idkg/src/metrics.rs. This field is then used as a counter for critical key generation transcript errors during batch delivery.

[09a91114e]
Adds two sets of functions for dealing with hash trees. lookup_lower_bound takes as inputs t, to denote a hash tree, prefix, to denote a subtree within it, and label, expressed as a vector of bytes, then finds the largest label less than or equal to label within the subtree and returns (if successful) this label and its sub-subtree. MixedHashTree::filter_builder allows the construction of a set of filters which can then be used in subsequent methods to return a hash tree with leaves and branches pruned (or not) as determined by the set of filters. Also adds related tests and bench.

[cddf2f8a9]
Removes migration code that is no longer needed following implementation of the ICRC-106 standard, which allows for the discovery of the index canister from the corresponding ledger canister.

[2ee6ac954]
Format changes to .did files (mostly just indentations), no expected impact on code behaviour.

[853d5f2b6]
Various type changes in backup and recovery code and tests.

[fde21389b]
Removes code related to and all mentions of Filebeat, a tool formerly used to fetch and push testnet logs, now that it has been disabled.

[f718b7dbf]
Updates GuestOS, HostOS and SetupOS base image container references.

Refactoring:

[3fc9c04dd]
Removes types ThresholdEcdsaSigInputsRef and ThresholdSchnorrSigInputsRef (which hold transcript references instead of the actual transcripts) along with the corresponding error types, as these are part of a signature creation step that is no longer needed. Adapts build_signature_inputs and ThresholdSignatureBuilder::get_completed_signature to account for the eliminated step, along with related code and test changes as outlined in @eichhorl 's excellent commit notes.

Tests:

[1d53767ab]
Adds nns_recovery_test.rs, containing the initial structure for this test, and related code changes elsewhere.

HostOS-only commits:

[7f8ccf7b3]
Opens outgoing SOCKS proxy connections and removes memory locking as per description.

About CodeGov
CodeGov has a team of developers who review and vote independently on the following proposal topics: IC-OS Version Election, Protocol Canister Management, Subnet Management, API Boundary Node Management, Node Admin and Participant Management. The CodeGov NNS known neuron is configured to follow our reviewers on these technical topics. We also have a group of Followees who vote independently on the Governance and the SNS & Neurons' Fund topics. We strive to be a credible and reliable Followee option that votes on every proposal and every proposal topic in the NNS. We also support decentralisation of SNS projects such as WaterNeuron, KongSwap, and Alice with a known neuron and credible Followees.

Learn more about CodeGov and its mission at codegov.org.

proposals - [137921, 137922] Cyberowl | CodeGov

Proposals:

137921
137922

Vote: [ADOPT, ADOPT]

Reason & Feedback:

I successfully built and verified the hash for GuestOS and HostOS. All the commit descriptions match their code changes.

Checks:

Hash Match: [PASS, PASS]
2 Urls: [PASS, PASS]
Proposer Check: [PASS, PASS]

Overall Summary:

The three most impactful changes are: 1) Merging peer/user ingress channels to boost ECDSA throughput by ~20% (commit 552295bb4); 2) Introducing SEV-based disk encryption with the new guest_disk tool (commit 1905e1dd8); 3) Implementing graceful shutdown for replica upgrades to avoid panics and alerts (commit 705ab6ab7).

Commits Summary

proposal/137921

da40cb4ea
Added subkey derivation support to ic-ed25519 and ic-secp256k1 packages, embedded prod master public keys for Ed25519, plus a handy offline key derivation fn.

bd1393d54
Added SnapshotSource to canister history to tell apart canister-taken vs manually uploaded snapshots. Added it into CanisterLoadSnapshot msg + tests, new enum in protobufs for MetadataUpload/TakenFromCanister.

5125d5e8b
Rolled out pre-signature stash behind store_pre_signatures_in_state flag. Stores them in a stash instead of per-round delivery, purges on key rotation. Updated subnet_config/scheduler/tests, new metrics/configs, keeps it off by default for compat until consensus update.

f30890a84
Extended canister status endpoint with version and ready_for_migration fields in CanisterStatusResultV2—for migration support. Update manager/execution_env/management_canister_types to fit, non-breaking Candid change for old clients.

388980813
Fixed generic ICRC-21 msg to match examples in wg-identity-authentication repo, added FieldsDisplay for better msg display opts. Removed unused LineDisplay (for Ledger wallet), updated structs/methods to support the new format.

84538856c
Added SEV measurements to ReplicaVersionRecord—swapped deprecated guest_launch_measurement_sha256_hex for GuestLaunchMeasurements msg, IC-OS build now calc’s 'em. ic-admin grabs/populates the JSON, tests/system-tests updated for compat/propagation.

70310a5fb
Added remove_approval endpoint to ICP Ledger. Lets a principal zap an approval by from_subaccount + spender AccountIdentifier, spits a regular approve block + deducts fee from caller’s subaccount.

6290490f9
Made file traversal in finalize_checkpoint parallel—dir_list_recursive in state_layout.rs now uses a thread pool. Switched to parallel map for dir processing, better perf.

1905e1dd8
New Rust tool guest_disk replaces cryptsetup luksOpen/Format, adds SEV-based disk encryption support + key gen inside the tool, removes generate-store-key.service. Beefed up tests for static/SEV encryption, upgrade logic coming later.

705ab6ab7
Switched orchestrator to graceful shutdown on replica upgrades—instead of exit(42), signals tasks like registry replicator to stop nicely, avoids panics/alerts. Ditched tokio::sync::watch for tokio_util::sync::CancellationToken.

358c24213
Swapped deprecated /api/v2/canister/<effective_canister_id>/read_state for /api/v2/subnet/<subnet_id>/read_state in nns_delegation_manager.rs for fetching NNS delegation. Small diff: -2/+1 on URI format.

8a9e16366
Removed anyhow from all P2P crates for perf, swapped to custom opaque error sans backtraces.

552295bb4
Merged back peer/user ingress channels (revert of PR #3419 separation)—direct Receiver read over polling async streams, boosts ECDSA throughput ~20%. Made user ingress bounded like new P2P layer (MAX_P2P_IO_CHANNEL_SIZE), load sheds when full.

09571b845
Renamed TestSigInputs to TestPreSigRef—now just holds pre-sig ref + IDkgTranscripts, not full threshold ECDSA/Schnorr inputs. Updated fns like create_sig_inputs_with_height to create_pre_sig_ref_with_height, wired through the code.

34f9ec20d
Upped logging in nns_delegation_manager.rs: removed debug fn, added raw response dump on read_state decode fail. Better error formatting for delegation cert parse.

da30c0d38
Dropped unused canister behavior logs.

39c358e8a
Switched to full pre-signature for “oldest registry version in use”—pulls registry versions straight from paired transcripts. Updated tests/utils, swapped fake_signature_request_context_with_pre_sig for with_registry_version.

65bb95e42
Added IDKG transcript resolution error reporting in batch delivery—increments critical error counter. Made IDkgStats part of idkg crate, tests now param’d by height to check non-existent block refs bump the counter.

09a91114e
Added hash tree helpers: LabeledTree::lookup_lower_bound for fuzzy labels, MixedHashTree::filter_builder with FilterBuilder::filtered for pruning—for canister migration + scalable routing HTTP endpoints. New benchmarks/impls/tests.

4611dc7ad
Bumped Wasmtime to 35 for EXC-2091.

3f7bba9a9
Removed unused call_responded from CallContextManager in call_context_manager.rs. -7 lines.

cddf2f8a9
Cleaned up ICRC-106 migration code for index canister principal in chain fusion/SNS ledgers (FI-1747). Removed set_index_principal from Ledger.

2ee6ac954
Formatted DID files in Ledgers with default formatter.

853d5f2b6
Added types to utils for NODE-1677—switched params like replica_version to refs (&ReplicaVersion) over values. Removed unneeded conversions/clones in backup_helper/file_sync_helper/tests.

746c05b97
Bumped autocfg to 1.5.0 for reproducibility fix in num-traits—most spots updated, but some old deps like rand-0.6.5 stick with 0.1.8. Removed non-repro autocfg refs from bazel action.yaml.

a417ed6be
Dropped separate Cargo.Bazel.Fuzzing.json.lock—consolidated fuzzing into main lockfile with crate annotations/selects for rustc flags. Removed env settings/build rules for the old lock.

fde21389b
Removed all filebeat/log pushing mentions/configs/scripts/services/SELinux—moving to pull model like mainnet. Deleted filebeat.service/yml.template/scripts, stripped from guestos.bzl/ic-node.conf.

f718b7dbf
Updated base image refs for guestos/hostos/setupos (dev/prod). Swapped SHA256s in six spots, +6/-6.

3fc9c04dd
Removed ThresholdSigInputsRef + resolution indirection—now direct full pre-sig/key transcripts in request context. Dropped transcript resolution/pre-sig ref failure tests for simpler code/testing.

1d53767ab
Scaffolded E2E NNS recovery test—new test with four nested VMs registered to testnet in nns_recovery_test.rs. Upped INITIAL_NODE_ALLOWANCE_MULTIPLIER to 4 in internet_computer.rs, tweaked test configs/logging/setup in driver/bootstrap.rs.

proposal/137922

7f8ccf7b3
Improves HostOS SEV functionality by enabling outgoing SOCKS proxy connections via TCP port 1080, adding a new nftables rule to accept such traffic for IPv6 addresses in the template file. It also removes unnecessary locked memory configurations from GuestOS and upgrade XML files to resolve VM startup issues.

About CodeGov
CodeGov has a team of developers who review and vote independently on the following proposal topics: IC-OS Version Election, Protocol Canister Management, Subnet Management, Node Admin, and Participant Management. The CodeGov NNS known neuron is configured to follow our reviewers on these technical topics. We also have a group of Followees who vote independently on the Governance and the SNS & Neuron's Fund topics. We strive to be a credible and reliable Followee option that votes on every proposal and every proposal topic in the NNS. We also support decentralization of SNS projects such as WaterNeuron, KongSwap, and Alice with a known neuron and credible Followees.

Learn more about CodeGov and its mission at codegov.org.