Fix SRI hash mismatch in export-and-sign

export-and-sign/dist/index.html

@@ -1 +1 @@
-<!doctype html><html class="no-js"><head><link rel="icon" type="image/svg+xml" href="./favicon.svg"/><meta charset="utf-8"/><title>Turnkey Export</title><meta name="viewport" content="width=device-width,initial-scale=1"/><meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; object-src 'none'; form-action 'none'"><link href="/styles.e084a69a94c0575bc6ba.css" rel="stylesheet" integrity="sha384-uIrxQTbBoDAwjgotQ+GUHgbxFM2iajB5QKNa4WuL9wn/Ou+2383e3dM2FCWOAq9m" crossorigin="anonymous"></head><body><h2>Export Key Material</h2><p><em>This public key will be sent along with a private key ID or wallet ID inside of a new <code>EXPORT_PRIVATE_KEY</code> or <code>EXPORT_WALLET</code> activity</em></p><form><label>Embedded key</label> <input name="embedded-key" id="embedded-key" disabled="disabled"/> <button id="reset">Reset Key</button></form><br/><br/><br/><h2>Inject Key Export Bundle</h2><p><em>The export bundle comes from the parent page and is composed of a public key and an encrypted payload. The payload is encrypted to this document's embedded key (stored in local storage and displayed above). The scheme relies on <a target="_blank" href="https://datatracker.ietf.org/doc/rfc9180/">HPKE (RFC 9180)</a></em>.</p><form><label>Bundle</label> <input name="key-export-bundle" id="key-export-bundle"/> <button id="inject-key">Inject Bundle</button><br/><label>Key Format</label> <select id="key-export-format" name="key-export-format"><option value="HEXADECIMAL">Hexadecimal (Default)</option><option value="SOLANA">Solana</option></select><br/><label>Organization Id</label> <input name="key-organization-id" id="key-organization-id"/></form><br/><br/><h2>Inject Wallet Export Bundle</h2><p><em>The export bundle comes from the parent page and is composed of a public key and an encrypted payload. The payload is encrypted to this document's embedded key (stored in local storage and displayed above). The scheme relies on <a target="_blank" href="https://datatracker.ietf.org/doc/rfc9180/">HPKE (RFC 9180)</a></em>.</p><form><label>Bundle</label> <input name="wallet-export-bundle" id="wallet-export-bundle"/> <button id="inject-wallet">Inject Bundle</button><br/><label>Organization Id</label> <input name="wallet-organization-id" id="wallet-organization-id"/></form><br/><br/><h2>Sign Transaction</h2><p><em>Input a serialized transaction to sign.</em></p><form><label>Transaction</label> <input name="transaction-to-sign" id="transaction-to-sign"/> <button id="sign-transaction">Sign</button></form><br/><br/><h2>Sign Message</h2><p><em>Input a serialized message to sign.</em></p><form><label>Message</label> <input name="message-to-sign" id="message-to-sign"/> <button id="sign-message">Sign</button></form><br/><br/><h2>Message log</h2><p><em>Below we display a log of the messages sent / received. The forms above send messages, and the code communicates results by sending events via the <code>postMessage</code> API.</em></p><div id="message-log"></div><div id="key-div"></div><script defer="defer" src="/bundle.a4914ea66ee78b95f2e4.js" integrity="sha384-m+x1rhXXvkLoGv9xomRsrJbUk7MLDp/73HeX5mp9nUtuVwRJr/fqj2i0+cgwS8tY" crossorigin="anonymous"></script><script defer="defer" src="/bundle.097e0ebaa457290cf7ae.js" integrity="sha384-D+pFv2oBVVDPOi5euMko5l16r/lvWCZQB8YqIo8IasJIforNx2BGNsP1XlrOS1dw" crossorigin="anonymous"></script></body></html>
+<!doctype html><html class="no-js"><head><link rel="icon" type="image/svg+xml" href="./favicon.svg"/><meta charset="utf-8"/><title>Turnkey Export</title><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="turnkey-signer-environment" content="__TURNKEY_SIGNER_ENVIRONMENT__"/><meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; object-src 'none'; form-action 'none'"><link href="/styles.e084a69a94c0575bc6ba.css" rel="stylesheet" integrity="sha384-uIrxQTbBoDAwjgotQ+GUHgbxFM2iajB5QKNa4WuL9wn/Ou+2383e3dM2FCWOAq9m" crossorigin="anonymous"></head><body><h2>Export Key Material</h2><p><em>This public key will be sent along with a private key ID or wallet ID inside of a new <code>EXPORT_PRIVATE_KEY</code> or <code>EXPORT_WALLET</code> activity</em></p><form><label>Embedded key</label> <input name="embedded-key" id="embedded-key" disabled="disabled"/> <button id="reset">Reset Key</button></form><br/><br/><br/><h2>Inject Key Export Bundle</h2><p><em>The export bundle comes from the parent page and is composed of a public key and an encrypted payload. The payload is encrypted to this document's embedded key (stored in local storage and displayed above). The scheme relies on <a target="_blank" href="https://datatracker.ietf.org/doc/rfc9180/">HPKE (RFC 9180)</a></em>.</p><form><label>Bundle</label> <input name="key-export-bundle" id="key-export-bundle"/> <button id="inject-key">Inject Bundle</button><br/><label>Key Format</label> <select id="key-export-format" name="key-export-format"><option value="HEXADECIMAL">Hexadecimal (Default)</option><option value="SOLANA">Solana</option></select><br/><label>Organization Id</label> <input name="key-organization-id" id="key-organization-id"/></form><br/><br/><h2>Inject Wallet Export Bundle</h2><p><em>The export bundle comes from the parent page and is composed of a public key and an encrypted payload. The payload is encrypted to this document's embedded key (stored in local storage and displayed above). The scheme relies on <a target="_blank" href="https://datatracker.ietf.org/doc/rfc9180/">HPKE (RFC 9180)</a></em>.</p><form><label>Bundle</label> <input name="wallet-export-bundle" id="wallet-export-bundle"/> <button id="inject-wallet">Inject Bundle</button><br/><label>Organization Id</label> <input name="wallet-organization-id" id="wallet-organization-id"/></form><br/><br/><h2>Sign Transaction</h2><p><em>Input a serialized transaction to sign.</em></p><form><label>Transaction</label> <input name="transaction-to-sign" id="transaction-to-sign"/> <button id="sign-transaction">Sign</button></form><br/><br/><h2>Sign Message</h2><p><em>Input a serialized message to sign.</em></p><form><label>Message</label> <input name="message-to-sign" id="message-to-sign"/> <button id="sign-message">Sign</button></form><br/><br/><h2>Message log</h2><p><em>Below we display a log of the messages sent / received. The forms above send messages, and the code communicates results by sending events via the <code>postMessage</code> API.</em></p><div id="message-log"></div><div id="key-div"></div><script defer="defer" src="/bundle.a4914ea66ee78b95f2e4.js" integrity="sha384-m+x1rhXXvkLoGv9xomRsrJbUk7MLDp/73HeX5mp9nUtuVwRJr/fqj2i0+cgwS8tY" crossorigin="anonymous"></script><script defer="defer" src="/bundle.38a42ea04bc431371fe4.js" integrity="sha384-JqjL1e4hr89AdN1ACVdHOtizN0IiYS+A08WFjfL3vdQdIZWSfZJnqaIo7otR1vQd" crossorigin="anonymous"></script></body></html>

export-and-sign/src/index.template.html

@@ -5,6 +5,10 @@
     <meta charset="utf-8" />
     <title>Turnkey Export</title>
     <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta
+      name="turnkey-signer-environment"
+      content="__TURNKEY_SIGNER_ENVIRONMENT__"
+    />
   </head>
 
   <body>

export-and-sign/src/turnkey-core.js

@@ -289,10 +289,23 @@ async function verifyEnclaveSignature(
       "04f3422b8afbe425d6ece77b8d2469954715a2ff273ab7ac89f1ed70e0a9325eaa1698b4351fd1b23734e65c0b6a86b62dd49d70b37c94606aac402cbd84353212",
   };
 
-  // Use window.__TURNKEY_SIGNER_ENVIRONMENT__ if available (for testing), otherwise use the webpack replacement
-  const environment =
-    (typeof window !== "undefined" && window.__TURNKEY_SIGNER_ENVIRONMENT__) ||
-    "__TURNKEY_SIGNER_ENVIRONMENT__";
+  // Read environment from meta tag (templated at deploy time), fall back to window variable (for testing)
+  let environment = null;
+  if (typeof document !== "undefined") {
+    const meta = document.querySelector(
+      'meta[name="turnkey-signer-environment"]'
+    );
+    if (
+      meta &&
+      meta.content &&
+      meta.content !== "__TURNKEY_SIGNER_ENVIRONMENT__"
+    ) {
+      environment = meta.content;
+    }
+  }
+  if (!environment && typeof window !== "undefined") {
+    environment = window.__TURNKEY_SIGNER_ENVIRONMENT__;
+  }
   const TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY =
     TURNKEY_SIGNERS_ENCLAVES[environment];
 

export-and-sign/webpack.config.js

@@ -84,6 +84,9 @@ module.exports = (env, argv) => {
       },
     },
     optimization: {
+      // Reproducible builds so CI "dist matches committed" check passes
+      moduleIds: "deterministic",
+      chunkIds: "deterministic",
       splitChunks: {
         chunks: "all",
         cacheGroups: {

kustomize/base/resources.yaml

@@ -24,14 +24,15 @@ spec:
 
                 envsubst '${TURNKEY_SIGNER_ENVIRONMENT}' < export/index.template.html > templated/export/index.html;
 
-                # For export-and-sign, copy the webpack-built files and template the environment variable in JS files
+                # For export-and-sign, copy the webpack-built files and template the environment variable in HTML files
+                # Note: We template HTML instead of JS to preserve Subresource Integrity (SRI) hashes
                 if [ -d "export-and-sign" ]; then
                   cp -r export-and-sign/. templated/export-and-sign/;
                   ls -la templated/export-and-sign/
                 fi
 
-                # Template the environment variable in the built JavaScript files
-                for file in templated/export-and-sign/*.js; do
+                # Template the environment variable in the HTML files (not JS, to preserve SRI)
+                for file in templated/export-and-sign/*.html; do
                   if [ -f "$file" ]; then
                     if sed "s/__TURNKEY_SIGNER_ENVIRONMENT__/${TURNKEY_SIGNER_ENVIRONMENT}/g" "$file" > "$file.tmp"; then
                       mv "$file.tmp" "$file"