Sigp audit fixes (#438)

Co-authored-by: Manuel Iñaki Bilbao <manuel.bilbao@lambdaclass.com>
Co-authored-by: Joe Clapis <jclapis@outlook.com>
Co-authored-by: eltitanb <lorenzo@gattaca.com>
Co-authored-by: ltitanb <163874448+ltitanb@users.noreply.github.com>

Author: 4 people

.cargo/audit.toml

@@ -0,0 +1,27 @@
+# RUSTSEC-2026-0049: CRL revocation checking bug in rustls-webpki 0.101.7.
+#
+# Background: CRL (Certificate Revocation List) checking is an optional TLS
+# feature where a client fetches a list of revoked certificates from URLs
+# embedded in the cert itself, to confirm it hasn't been invalidated since
+# issuance. This is distinct from normal certificate validation.
+#
+# The bug: when a cert lists multiple CRL distribution point URLs, only the
+# first URL is checked; the rest are silently ignored. This matters only when
+# CRL checking is enabled AND the UnknownStatusPolicy is set to Allow (meaning
+# "if I can't determine revocation status, accept the cert anyway"). With that
+# combination, a revoked certificate from a compromised CA could be accepted.
+#
+# Why this does not affect Commit-Boost: the vulnerable code path is never
+# reached because no code in this codebase enables CRL checking at all.
+# TLS is used in four places: (1) relay communication via reqwest with
+# rustls-tls uses default CA validation with no CRL configured; (2) the signer
+# server presents a TLS certificate but does not check client revocation;
+# (3) the signer client pins a single self-signed certificate via
+# add_root_certificate — CRL is irrelevant for self-signed certs; (4) the Dirk
+# remote signer uses mTLS with a custom CA but again no CRL. In all cases the
+# buggy CRL code in rustls-webpki is never invoked.
+#
+# Blocked on sigp/lighthouse upgrading past v8.0.1 without a compilation
+# regression (SseEventSource missing cfg guard in eth2 error.rs).
+[advisories]
+ignore = ["RUSTSEC-2026-0049"]

.github/workflows/ci.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: nightly-2025-06-26
+          toolchain: nightly-2026-01-01
           components: clippy, rustfmt
 
       - name: Install protoc

.gitignore

@@ -16,6 +16,7 @@ targets.json
 .idea/
 logs
 .vscode/
+certs/
 
 # Nix
 .direnv/