hyperledger Fabric 链码签名和安装如何工作?
[英]How hyperledger fabric chaincode signing and installation works?
问题描述
In a hyperledger fabric setup, various organizations that take part in network need to execute chaincode (assuming every org has an endorser).
在超级账本结构设置中,参与网络的各种组织需要执行链代码(假设每个组织都有一个背书人)。 My question is around signing of the chaincode to prevent tampering.我的问题是关于对链码进行签名以防止篡改。 I see any peer can create a signedCDS using (just for example)我看到任何对等方都可以使用(例如)创建一个签名的CDS
peer chaincode package -n mycc -p github.com/hyperledger/fabric/examples/chaincode/go/chaincode_example02 -v 0 -s -S -i "AND('OrgA.admin')" ccpack.out对等链码包 -n mycc -p github.com/hyperledger/fabric/examples/chaincode/go/chaincode_example02 -v 0 -s -S -i "AND('OrgA.admin')" ccpack.out
Now, my question is 1. How do we specify that chaincode should be signed by required number of owners, I don't see any argument where I can specify the owners?现在,我的问题是 1. 我们如何指定链码应由所需数量的所有者签名,我看不到任何可以指定所有者的参数? 2. How I can validate if a chaincode has been signed by owners, that is verification by looking at CDS? 2. 如何验证链码是否已由所有者签名,即通过查看 CDS 进行验证? 3. How can we ensure if every owner has deployed the actual signed version and not tampered with chaincode? 3. 我们如何确保每个所有者都部署了实际的签名版本并且没有篡改链码?
Thanks谢谢
2 个解决方案
解决方案1
0 2018-08-22 20:09:19
The -S option directs the process to sign the package using the MSP identified by the value of the localMspid property in your file .yaml. -S 选项指示进程使用由文件 .yaml 中的 localMspid 属性值标识的 MSP 对包进行签名。
The ChaincodeDeploymentSpec may be optionally be signed by the collective owners to create a SignedChaincodeDeploymentSpec (or SignedCDS). ChaincodeDeploymentSpec 可以选择由集体所有者签名以创建 SignedChaincodeDeploymentSpec(或 SignedCDS)。 The SignedCDS contains 3 elements: SignedCDS 包含 3 个元素:
The CDS contains the source code, the name, and version of the chaincode. CDS 包含链代码的源代码、名称和版本。 An instantiation policy of the chaincode, expressed as endorsement policies.链码的实例化策略,表示为背书策略。 The list of chaincode owners, defined by means of Endorsement.通过背书定义的链码所有者列表。 see: https://hyperledger-fabric.readthedocs.io/en/stable/chaincode4noah.html见: https : //hyperledger-fabric.readthedocs.io/en/stable/chaincode4noah.html
解决方案2
0 2020-06-25 22:26:45
Chaincode package signing has a bit different purposes than you assume. Chaincode 包签名的目的与您假设的略有不同。 Let's imagine that you are the main channel admin, and in your channel there is 50 organizations.假设您是主频道管理员,您的频道中有 50 个组织。 Only you can perform chaincode updates, however two organizations are very important, and you are not permitted to make any changes unless they approve them.只有您可以执行链码更新,但是两个组织非常重要,除非他们批准,否则您不得进行任何更改。 To ensure that this condition is met, you prepare a new chaincode package, where you set yourself as the only entity, that can instantiate it:为了确保满足这个条件,你准备了一个新的链码包,你将自己设置为唯一可以实例化它的实体:
peer chaincode package -n mycc -p github.com/hyperledger/fabric/examples/chaincode/go/chaincode_example02 -v 0 -s -S -i "AND('OrgA.admin')" ccpack.out
You send this package to those two organizations that have to accept it.您将此包裹发送给必须接受它的那两个组织。 After a week you get them back signed.一个星期后,你让他们重新签名。 You MANUALLY ensure, that the signature is correct, and package was not tampered (if it was you could immediately see it, as you had signed the package before sending it).您手动确保签名是正确的,并且包裹没有被篡改(如果被篡改,您可以立即看到它,因为您在发送之前已经签署了包裹)。 Signing them is also a signal for you, that those organizations have already installed the chaincode on their endorsing peers, and they are ready for instantiation.签署它们对您来说也是一个信号,这些组织已经在他们的背书节点上安装了链码,并且已经准备好进行实例化。 After ensuring, that everything is fine, you instantiate the chaincode.在确保一切正常后,您可以实例化链码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.