From eb39792a12055ea56503f16be81a3be5b60d42c3 Mon Sep 17 00:00:00 2001 From: peg Date: Fri, 13 Sep 2024 09:55:27 +0200 Subject: [PATCH 01/28] Add PCK to server info --- Cargo.lock | 1 + pallets/staking/Cargo.toml | 1 + pallets/staking/src/lib.rs | 4 +- pallets/staking/src/mock.rs | 7 ++- pallets/staking/src/tests.rs | 88 ++++++++++++++++++++++++++++-------- 5 files changed, 78 insertions(+), 23 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 520bb046d..f50dcd201 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -7402,6 +7402,7 @@ dependencies = [ "frame-support 29.0.2", "frame-system", "log", + "p256", "pallet-bags-list", "pallet-balances", "pallet-parameters", diff --git a/pallets/staking/Cargo.toml b/pallets/staking/Cargo.toml index 60beae497..281e1e334 100644 --- a/pallets/staking/Cargo.toml +++ b/pallets/staking/Cargo.toml @@ -17,6 +17,7 @@ scale-info ={ version="2.11", default-features=false, features=["derive"] } log ={ version="0.4.22", default-features=false } serde ={ version="1.0.210", default-features=false } rand_chacha={ version="0.3", default-features=false } +p256 ={ version="0.13.2", default-features=false, features=["ecdsa", "alloc"] } frame-benchmarking={ version="29.0.0", default-features=false, optional=true } frame-support ={ version="29.0.0", default-features=false } diff --git a/pallets/staking/src/lib.rs b/pallets/staking/src/lib.rs index f6ea6f16a..85b51ae5a 100644 --- a/pallets/staking/src/lib.rs +++ b/pallets/staking/src/lib.rs @@ -115,6 +115,7 @@ pub mod pallet { pub tss_account: AccountId, pub x25519_public_key: X25519PublicKey, pub endpoint: TssServerURL, + pub provisioning_certification_key: VerifyingKey, } /// Info that is requiered to do a proactive refresh #[derive(Clone, Encode, Decode, Eq, PartialEq, RuntimeDebug, TypeInfo, Default)] 
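Review bot: The `p256` dependency added to `pallets/staking/Cargo.toml` is not used by any of the staking-pallet changes visible in this series: the new `provisioning_certification_key` field is a `VerifyingKey` that the mock fills with `BoundedVec::with_max_capacity()`, i.e. raw bytes, and no `p256` item is imported in `lib.rs`. An unused cryptography crate in a runtime pallet enlarges the wasm blob and the supply-chain surface for no benefit. If nothing later in the series uses it, drop the line `p256 ={ version="0.13.2", default-features=false, features=["ecdsa", "alloc"] }` and the matching `Cargo.lock` entry, or move it to the crate that actually decodes keys; if it is used somewhere outside this diff, a one-line comment next to the dependency saying what for would save the next reader the search.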
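Review bot: `provisioning_certification_key` is the only `ServerInfo` field added without a doc comment, and because `VerifyingKey` holds raw bytes (the mock stores an empty `BoundedVec` in it) the expected encoding and length are not discoverable from the type. Suggest `/// Compressed, serialized PCK (Provisioning Certification Key) used to check that this server's TDX quotes carry an attestation key certified for its platform` — the exact byte format should be confirmed against what `decode_verifying_key` in `tdx-quote` accepts. The comment should also say who writes this value: if it can be set by the validator through the same extrinsics that set `tss_account` and `endpoint`, readers must not assume the stored key has itself been checked against Intel's PCK certificate chain. The `ServerInfo` struct starts before this hunk.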
@@ -238,7 +239,7 @@ pub mod pallet { /// A type used to simplify the genesis configuration definition. pub type ThresholdServersConfig = ( ::ValidatorId, - (::AccountId, X25519PublicKey, TssServerURL), + (::AccountId, X25519PublicKey, TssServerURL, VerifyingKey), ); #[pallet::genesis_config] @@ -265,6 +266,7 @@ pub mod pallet { tss_account: server_info_tuple.0.clone(), x25519_public_key: server_info_tuple.1, endpoint: server_info_tuple.2.clone(), + provisioning_certification_key: server_info_tuple.3.clone(), }; ThresholdServers::::insert(validator_stash, server_info.clone()); diff --git a/pallets/staking/src/mock.rs b/pallets/staking/src/mock.rs index 0d1fe7159..9ab987bfd 100644 --- a/pallets/staking/src/mock.rs +++ b/pallets/staking/src/mock.rs @@ -400,8 +400,11 @@ pub fn new_test_ext() -> sp_io::TestExternalities { balances: vec![(1, 100), (2, 100), (3, 100), (4, 100)], }; let pallet_staking_extension = pallet_staking_extension::GenesisConfig:: { - // (ValidatorID, (AccountId, X25519PublicKey, TssServerURL)) - threshold_servers: vec![(5, (7, NULL_ARR, vec![20])), (6, (8, NULL_ARR, vec![40]))], + // (ValidatorID, (AccountId, X25519PublicKey, TssServerURL, VerifyingKey)) + threshold_servers: vec![ + (5, (7, NULL_ARR, vec![20], BoundedVec::with_max_capacity())), + (6, (8, NULL_ARR, vec![40], BoundedVec::with_max_capacity())), + ], proactive_refresh_data: (vec![], vec![]), mock_signer_rotate: (false, vec![], vec![]), }; diff --git a/pallets/staking/src/tests.rs b/pallets/staking/src/tests.rs index a6639b9f5..7f1c21ba1 100644 --- a/pallets/staking/src/tests.rs +++ b/pallets/staking/src/tests.rs @@ -22,6 +22,7 @@ use frame_support::{assert_noop, assert_ok}; use frame_system::{EventRecord, Phase}; use pallet_parameters::SignersSize; use pallet_session::SessionManager; +use sp_runtime::BoundedVec; const NULL_ARR: [u8; 32] = [0; 32]; #[test] 
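Review bot: The genesis builder stores `server_info_tuple.3` into `ThresholdServers` with no shape check, so a chain can be launched whose TSS servers carry an empty or truncated PCK (the mock in this same patch does exactly that) and the problem only surfaces later as rejected attestations. A `BoundedVec` enforces only a maximum length, so consider asserting the exact serialized length at genesis, e.g. `assert_eq!(server_info_tuple.3.len(), VERIFICATION_KEY_LENGTH as usize, "genesis PCK must be a full encoded verifying key");` with the constant imported from `entropy_shared` if it is not already in scope. That would require the mock and chainspec placeholders to carry correctly sized dummy keys instead of `BoundedVec::with_max_capacity()`, which is arguably the point. The genesis `build` function containing this hunk starts and ends outside it.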
@@ -29,11 +30,21 @@ fn basic_setup_works() { new_test_ext().execute_with(|| { assert_eq!( Staking::threshold_server(5).unwrap(), - ServerInfo { tss_account: 7, x25519_public_key: NULL_ARR, endpoint: vec![20] } + ServerInfo { + tss_account: 7, + x25519_public_key: NULL_ARR, + endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity() + } ); assert_eq!( Staking::threshold_server(6).unwrap(), - ServerInfo { tss_account: 8, x25519_public_key: NULL_ARR, endpoint: vec![40] } + ServerInfo { + tss_account: 8, + x25519_public_key: NULL_ARR, + endpoint: vec![40], + provisioning_certification_key: BoundedVec::with_max_capacity() + } ); assert_eq!(Staking::threshold_to_stash(7).unwrap(), 5); assert_eq!(Staking::threshold_to_stash(8).unwrap(), 6); @@ -51,8 +62,12 @@ fn it_takes_in_an_endpoint() { pallet_staking::RewardDestination::Account(1), )); - let server_info = - ServerInfo { tss_account: 3, x25519_public_key: NULL_ARR, endpoint: vec![20] }; + let server_info = ServerInfo { + tss_account: 3, + x25519_public_key: NULL_ARR, + endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; assert_ok!(Staking::validate( RuntimeOrigin::signed(1), pallet_staking::ValidatorPrefs::default(), @@ -68,6 +83,7 @@ fn it_takes_in_an_endpoint() { tss_account: 3, x25519_public_key: NULL_ARR, endpoint: vec![20, 20, 20, 20], + provisioning_certification_key: BoundedVec::with_max_capacity(), }; assert_noop!( Staking::validate( @@ -78,8 +94,12 @@ fn it_takes_in_an_endpoint() { Error::::EndpointTooLong ); - let server_info = - ServerInfo { tss_account: 5, x25519_public_key: NULL_ARR, endpoint: vec![20, 20] }; + let server_info = ServerInfo { + tss_account: 5, + x25519_public_key: NULL_ARR, + endpoint: vec![20, 20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; assert_noop!( Staking::validate( RuntimeOrigin::signed(4), 
@@ -100,8 +120,12 @@ fn it_will_not_allow_validator_to_use_existing_tss_account() { pallet_staking::RewardDestination::Account(1), )); - let server_info = - ServerInfo { tss_account: 3, x25519_public_key: NULL_ARR, endpoint: vec![20] }; + let server_info = ServerInfo { + tss_account: 3, + x25519_public_key: NULL_ARR, + endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; assert_ok!(Staking::validate( RuntimeOrigin::signed(1), pallet_staking::ValidatorPrefs::default(), @@ -134,8 +158,12 @@ fn it_changes_endpoint() { pallet_staking::RewardDestination::Account(1), )); - let server_info = - ServerInfo { tss_account: 3, x25519_public_key: NULL_ARR, endpoint: vec![20] }; + let server_info = ServerInfo { + tss_account: 3, + x25519_public_key: NULL_ARR, + endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; assert_ok!(Staking::validate( RuntimeOrigin::signed(1), pallet_staking::ValidatorPrefs::default(), @@ -161,8 +189,12 @@ fn it_changes_threshold_account() { pallet_staking::RewardDestination::Account(1), )); - let server_info = - ServerInfo { tss_account: 3, x25519_public_key: NULL_ARR, endpoint: vec![20] }; + let server_info = ServerInfo { + tss_account: 3, + x25519_public_key: NULL_ARR, + endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; assert_ok!(Staking::validate( RuntimeOrigin::signed(1), pallet_staking::ValidatorPrefs::default(), @@ -185,8 +217,12 @@ fn it_changes_threshold_account() { pallet_staking::RewardDestination::Account(2), )); - let server_info = - ServerInfo { tss_account: 5, x25519_public_key: NULL_ARR, endpoint: vec![20] }; + let server_info = ServerInfo { + tss_account: 5, + x25519_public_key: NULL_ARR, + endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; assert_ok!(Staking::validate( RuntimeOrigin::signed(2), pallet_staking::ValidatorPrefs::default(), 
@@ -209,8 +245,12 @@ fn it_will_not_allow_existing_tss_account_when_changing_threshold_account() { pallet_staking::RewardDestination::Account(1), )); - let server_info = - ServerInfo { tss_account: 3, x25519_public_key: NULL_ARR, endpoint: vec![20] }; + let server_info = ServerInfo { + tss_account: 3, + x25519_public_key: NULL_ARR, + endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; assert_ok!(Staking::validate( RuntimeOrigin::signed(1), pallet_staking::ValidatorPrefs::default(), @@ -224,8 +264,12 @@ fn it_will_not_allow_existing_tss_account_when_changing_threshold_account() { pallet_staking::RewardDestination::Account(2), )); - let server_info = - ServerInfo { tss_account: 5, x25519_public_key: NULL_ARR, endpoint: vec![20] }; + let server_info = ServerInfo { + tss_account: 5, + x25519_public_key: NULL_ARR, + endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; assert_ok!(Staking::validate( RuntimeOrigin::signed(2), pallet_staking::ValidatorPrefs::default(), @@ -250,8 +294,12 @@ fn it_deletes_when_no_bond_left() { pallet_staking::RewardDestination::Account(1), )); - let server_info = - ServerInfo { tss_account: 3, x25519_public_key: NULL_ARR, endpoint: vec![20] }; + let server_info = ServerInfo { + tss_account: 3, + x25519_public_key: NULL_ARR, + endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; assert_ok!(Staking::validate( RuntimeOrigin::signed(2), pallet_staking::ValidatorPrefs::default(), From 664c1fcb5d579aed0febde7a6117d4c40f11226f Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 08:35:18 +0200 Subject: [PATCH 02/28] Add PCK to chainspec --- crates/shared/src/types.rs | 3 +++ node/cli/src/chain_spec/dev.rs | 22 ++++++++++++++------ node/cli/src/chain_spec/integration_tests.rs | 6 +++++- node/cli/src/chain_spec/mod.rs | 13 ++++++++++++ node/cli/src/chain_spec/testnet.rs | 6 ++++-- 5 files changed, 41 insertions(+), 9 deletions(-) 
diff --git a/crates/shared/src/types.rs b/crates/shared/src/types.rs index 49b558186..c303a8fee 100644 --- a/crates/shared/src/types.rs +++ b/crates/shared/src/types.rs @@ -110,6 +110,9 @@ pub enum HashingAlgorithm { /// A compressed, serialized [synedrion::ecdsa::VerifyingKey] pub type EncodedVerifyingKey = [u8; VERIFICATION_KEY_LENGTH as usize]; +pub type BoundedVecEncodedVerifyingKey = + sp_runtime::BoundedVec>; + /// Input data to be included in a TDX attestation pub struct QuoteInputData(pub [u8; 64]); diff --git a/node/cli/src/chain_spec/dev.rs b/node/cli/src/chain_spec/dev.rs index 5f33a1b44..f04a8bbae 100644 --- a/node/cli/src/chain_spec/dev.rs +++ b/node/cli/src/chain_spec/dev.rs @@ -13,7 +13,7 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see . -use crate::chain_spec::{get_account_id_from_seed, ChainSpec}; +use crate::chain_spec::{get_account_id_from_seed, provisioning_certification_key, ChainSpec}; use crate::endowed_accounts::endowed_accounts_dev; use entropy_runtime::{ @@ -24,9 +24,9 @@ use entropy_runtime::{ }; use entropy_runtime::{AccountId, Balance}; use entropy_shared::{ - X25519PublicKey as TssX25519PublicKey, DEVICE_KEY_AUX_DATA_TYPE, DEVICE_KEY_CONFIG_TYPE, - DEVICE_KEY_HASH, DEVICE_KEY_PROXY, INITIAL_MAX_INSTRUCTIONS_PER_PROGRAM, SIGNER_THRESHOLD, - TOTAL_SIGNERS, + EncodedVerifyingKey, X25519PublicKey as TssX25519PublicKey, DEVICE_KEY_AUX_DATA_TYPE, + DEVICE_KEY_CONFIG_TYPE, DEVICE_KEY_HASH, DEVICE_KEY_PROXY, + INITIAL_MAX_INSTRUCTIONS_PER_PROGRAM, SIGNER_THRESHOLD, TOTAL_SIGNERS, }; use grandpa_primitives::AuthorityId as GrandpaId; use itertools::Itertools; 
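Review bot: `BoundedVecEncodedVerifyingKey` is introduced without a doc comment, unlike the `EncodedVerifyingKey` alias directly above it, and its relationship to that alias is left implicit. Suggest `/// An [EncodedVerifyingKey] wrapped in a BoundedVec so it can be stored on-chain; the bound is the compressed key length, so callers must still check the vector is full before decoding` — the second clause matters because `BoundedVec` enforces only an upper bound and an empty value is representable.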
@@ -38,23 +38,26 @@ use sp_core::{sr25519, ByteArray}; use sp_runtime::{BoundedVec, Perbill}; pub fn devnet_three_node_initial_tss_servers( -) -> Vec<(sp_runtime::AccountId32, TssX25519PublicKey, String)> { +) -> Vec<(sp_runtime::AccountId32, TssX25519PublicKey, String, EncodedVerifyingKey)> { let alice = ( crate::chain_spec::tss_account_id::ALICE.clone(), crate::chain_spec::tss_x25519_public_key::ALICE, "127.0.0.1:3001".to_string(), + provisioning_certification_key::ALICE, ); let bob = ( crate::chain_spec::tss_account_id::BOB.clone(), crate::chain_spec::tss_x25519_public_key::BOB, "127.0.0.1:3002".to_string(), + provisioning_certification_key::BOB, ); let charlie = ( crate::chain_spec::tss_account_id::CHARLIE.clone(), crate::chain_spec::tss_x25519_public_key::CHARLIE, "127.0.0.1:3003".to_string(), + provisioning_certification_key::CHARLIE, ); vec![alice, bob, charlie] @@ -66,18 +69,21 @@ pub fn devnet_local_docker_three_node_initial_tss_servers( crate::chain_spec::tss_account_id::ALICE.clone(), crate::chain_spec::tss_x25519_public_key::ALICE, "alice-tss-server:3001".to_string(), + provisioning_certification_key::ALICE, ); let bob = ( crate::chain_spec::tss_account_id::BOB.clone(), crate::chain_spec::tss_x25519_public_key::BOB, "bob-tss-server:3002".to_string(), + provisioning_certification_key::BOB, ); let charlie = ( crate::chain_spec::tss_account_id::CHARLIE.clone(), crate::chain_spec::tss_x25519_public_key::CHARLIE, "charlie-tss-server:3003".to_string(), + provisioning_certification_key::CHARLIE, ); vec![alice, bob, charlie] 
@@ -89,24 +95,28 @@ pub fn devnet_local_docker_four_node_initial_tss_servers( crate::chain_spec::tss_account_id::ALICE.clone(), crate::chain_spec::tss_x25519_public_key::ALICE, "alice-tss-server:3001".to_string(), + provisioning_certification_key::ALICE, ); let bob = ( crate::chain_spec::tss_account_id::BOB.clone(), crate::chain_spec::tss_x25519_public_key::BOB, "bob-tss-server:3002".to_string(), + provisioning_certification_key::BOB, ); let dave = ( crate::chain_spec::tss_account_id::DAVE.clone(), crate::chain_spec::tss_x25519_public_key::DAVE, "dave-tss-server:3003".to_string(), + provisioning_certification_key::DAVE, ); let eve = ( crate::chain_spec::tss_account_id::EVE.clone(), crate::chain_spec::tss_x25519_public_key::EVE_TSS, "eve-tss-server:3004".to_string(), + provisioning_certification_key::EVE, ); vec![alice, bob, dave, eve] @@ -272,7 +282,7 @@ pub fn development_genesis_config( .iter() .zip(initial_tss_servers.iter()) .map(|(auth, tss)| { - (auth.0.clone(), (tss.0.clone(), tss.1, tss.2.as_bytes().to_vec())) + (auth.0.clone(), (tss.0.clone(), tss.1, tss.2.as_bytes().to_vec(), tss.3)) }) .collect::>(), proactive_refresh_data: (vec![], vec![]), diff --git a/node/cli/src/chain_spec/integration_tests.rs b/node/cli/src/chain_spec/integration_tests.rs index b45dfe5de..48cca40bb 100644 --- a/node/cli/src/chain_spec/integration_tests.rs +++ b/node/cli/src/chain_spec/integration_tests.rs @@ -13,7 +13,7 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see . -use crate::chain_spec::{get_account_id_from_seed, ChainSpec}; +use crate::chain_spec::{get_account_id_from_seed, provisioning_certification_key, ChainSpec}; use crate::endowed_accounts::endowed_accounts_dev; use entropy_runtime::{ 
@@ -158,6 +158,7 @@ pub fn integration_tests_genesis_config( crate::chain_spec::tss_account_id::ALICE.clone(), crate::chain_spec::tss_x25519_public_key::ALICE, "127.0.0.1:3001".as_bytes().to_vec(), + provisioning_certification_key::ALICE, ), ), ( @@ -166,6 +167,7 @@ pub fn integration_tests_genesis_config( crate::chain_spec::tss_account_id::BOB.clone(), crate::chain_spec::tss_x25519_public_key::BOB, "127.0.0.1:3002".as_bytes().to_vec(), + provisioning_certification_key::BOB, ), ), ( @@ -174,6 +176,7 @@ pub fn integration_tests_genesis_config( crate::chain_spec::tss_account_id::CHARLIE.clone(), crate::chain_spec::tss_x25519_public_key::CHARLIE, "127.0.0.1:3003".as_bytes().to_vec(), + provisioning_certification_key::CHARLIE, ), ), ( @@ -182,6 +185,7 @@ pub fn integration_tests_genesis_config( crate::chain_spec::tss_account_id::DAVE.clone(), crate::chain_spec::tss_x25519_public_key::DAVE, "127.0.0.1:3004".as_bytes().to_vec(), + provisioning_certification_key::DAVE, ), ), ], diff --git a/node/cli/src/chain_spec/mod.rs b/node/cli/src/chain_spec/mod.rs index 79485d720..b67d2ed95 100644 --- a/node/cli/src/chain_spec/mod.rs +++ b/node/cli/src/chain_spec/mod.rs @@ -126,6 +126,19 @@ pub mod tss_x25519_public_key { ]; } +pub mod provisioning_certification_key { + use entropy_shared::BoundedVecEncodedVerifyingKey; + use sp_runtime::BoundedVec; + + lazy_static::lazy_static! { + pub const ALICE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); + pub const BOB: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); + pub const CHARLIE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); + pub const DAVE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); + pub const EVE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); + } +} + fn entropy_properties() -> Properties { json!({"tokenDecimals": 10, "tokenSymbol": "BITS" }).as_object().unwrap().clone() } 
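Review bot: Each of `ALICE`..`EVE` in `provisioning_certification_key` is `BoundedVec::with_max_capacity()`, an empty vector, yet the names and the module make them look like real provisioning certification keys for the dev, integration-test and testnet chain specs. An empty key cannot be decoded, so every attestation verified against one of these entries will be rejected once the attestation pallet checks the PCK; if the dev TSS servers sign quotes with the mock key from `tdx-quote`'s `mock` feature, the matching public key bytes are what belongs here. At minimum add `// Placeholders: empty keys, so attestation verification against them always fails; replace with each node's real PCK` above the `lazy_static!` block so nobody ships these into a chainspec by accident.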
diff --git a/node/cli/src/chain_spec/testnet.rs b/node/cli/src/chain_spec/testnet.rs index fb5848420..0007fec31 100644 --- a/node/cli/src/chain_spec/testnet.rs +++ b/node/cli/src/chain_spec/testnet.rs @@ -13,7 +13,7 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see . -use crate::chain_spec::{get_account_id_from_seed, ChainSpec}; +use crate::chain_spec::{get_account_id_from_seed, provisioning_certification_key, ChainSpec}; use crate::endowed_accounts::endowed_testnet_accounts; use entropy_runtime::{ @@ -182,12 +182,14 @@ pub fn testnet_local_initial_tss_servers() -> Vec<(TssAccountId, TssX25519Public crate::chain_spec::tss_account_id::ALICE.clone(), crate::chain_spec::tss_x25519_public_key::ALICE, "alice-tss-server:3001".to_string(), + provisioning_certification_key::ALICE, ); let bob = ( crate::chain_spec::tss_account_id::BOB.clone(), crate::chain_spec::tss_x25519_public_key::BOB, "bob-tss-server:3002".to_string(), + provisioning_certification_key::BOB, ); vec![alice, bob] @@ -410,7 +412,7 @@ pub fn testnet_genesis_config( .iter() .zip(initial_tss_servers.iter()) .map(|(auth, tss)| { - (auth.0.clone(), (tss.0.clone(), tss.1, tss.2.as_bytes().to_vec())) + (auth.0.clone(), (tss.0.clone(), tss.1, tss.2.as_bytes().to_vec(), tss.3)) }) .collect::>(), proactive_refresh_data: (vec![], vec![]), From 96453a3b2ca8bbd8cc0af000026794e58bc15f02 Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 09:17:13 +0200 Subject: [PATCH 03/28] Update chainspec genesis config to include PCKs for all TSSs --- node/cli/src/chain_spec/dev.rs | 37 +++++++++++--------- node/cli/src/chain_spec/integration_tests.rs | 8 ++--- node/cli/src/chain_spec/mod.rs | 10 +++--- node/cli/src/chain_spec/testnet.rs | 29 ++++++++++----- 4 files changed, 50 insertions(+), 34 deletions(-) diff --git a/node/cli/src/chain_spec/dev.rs b/node/cli/src/chain_spec/dev.rs index f04a8bbae..6e6aaa186 100644 --- a/node/cli/src/chain_spec/dev.rs 
+++ b/node/cli/src/chain_spec/dev.rs @@ -24,7 +24,7 @@ use entropy_runtime::{ }; use entropy_runtime::{AccountId, Balance}; use entropy_shared::{ - EncodedVerifyingKey, X25519PublicKey as TssX25519PublicKey, DEVICE_KEY_AUX_DATA_TYPE, + BoundedVecEncodedVerifyingKey, X25519PublicKey as TssX25519PublicKey, DEVICE_KEY_AUX_DATA_TYPE, DEVICE_KEY_CONFIG_TYPE, DEVICE_KEY_HASH, DEVICE_KEY_PROXY, INITIAL_MAX_INSTRUCTIONS_PER_PROGRAM, SIGNER_THRESHOLD, TOTAL_SIGNERS, }; 
@@ -38,85 +38,85 @@ use sp_core::{sr25519, ByteArray}; use sp_runtime::{BoundedVec, Perbill}; pub fn devnet_three_node_initial_tss_servers( -) -> Vec<(sp_runtime::AccountId32, TssX25519PublicKey, String, EncodedVerifyingKey)> { +) -> Vec<(sp_runtime::AccountId32, TssX25519PublicKey, String, BoundedVecEncodedVerifyingKey)> { let alice = ( crate::chain_spec::tss_account_id::ALICE.clone(), crate::chain_spec::tss_x25519_public_key::ALICE, "127.0.0.1:3001".to_string(), - provisioning_certification_key::ALICE, + provisioning_certification_key::ALICE.clone(), ); let bob = ( crate::chain_spec::tss_account_id::BOB.clone(), crate::chain_spec::tss_x25519_public_key::BOB, "127.0.0.1:3002".to_string(), - provisioning_certification_key::BOB, + provisioning_certification_key::BOB.clone(), ); let charlie = ( crate::chain_spec::tss_account_id::CHARLIE.clone(), crate::chain_spec::tss_x25519_public_key::CHARLIE, "127.0.0.1:3003".to_string(), - provisioning_certification_key::CHARLIE, + provisioning_certification_key::CHARLIE.clone(), ); vec![alice, bob, charlie] } pub fn devnet_local_docker_three_node_initial_tss_servers( -) -> Vec<(sp_runtime::AccountId32, TssX25519PublicKey, String)> { +) -> Vec<(sp_runtime::AccountId32, TssX25519PublicKey, String, BoundedVecEncodedVerifyingKey)> { let alice = ( crate::chain_spec::tss_account_id::ALICE.clone(), crate::chain_spec::tss_x25519_public_key::ALICE, "alice-tss-server:3001".to_string(), - provisioning_certification_key::ALICE, + provisioning_certification_key::ALICE.clone(), ); let bob = ( crate::chain_spec::tss_account_id::BOB.clone(), crate::chain_spec::tss_x25519_public_key::BOB, "bob-tss-server:3002".to_string(), - provisioning_certification_key::BOB, + provisioning_certification_key::BOB.clone(), ); let charlie = ( crate::chain_spec::tss_account_id::CHARLIE.clone(), crate::chain_spec::tss_x25519_public_key::CHARLIE, "charlie-tss-server:3003".to_string(), - provisioning_certification_key::CHARLIE, + 
provisioning_certification_key::CHARLIE.clone(), ); vec![alice, bob, charlie] } pub fn devnet_local_docker_four_node_initial_tss_servers( -) -> Vec<(sp_runtime::AccountId32, TssX25519PublicKey, String)> { +) -> Vec<(sp_runtime::AccountId32, TssX25519PublicKey, String, BoundedVecEncodedVerifyingKey)> { let alice = ( crate::chain_spec::tss_account_id::ALICE.clone(), crate::chain_spec::tss_x25519_public_key::ALICE, "alice-tss-server:3001".to_string(), - provisioning_certification_key::ALICE, + provisioning_certification_key::ALICE.clone(), ); let bob = ( crate::chain_spec::tss_account_id::BOB.clone(), crate::chain_spec::tss_x25519_public_key::BOB, "bob-tss-server:3002".to_string(), - provisioning_certification_key::BOB, + provisioning_certification_key::BOB.clone(), ); let dave = ( crate::chain_spec::tss_account_id::DAVE.clone(), crate::chain_spec::tss_x25519_public_key::DAVE, "dave-tss-server:3003".to_string(), - provisioning_certification_key::DAVE, + provisioning_certification_key::DAVE.clone(), ); let eve = ( crate::chain_spec::tss_account_id::EVE.clone(), crate::chain_spec::tss_x25519_public_key::EVE_TSS, "eve-tss-server:3004".to_string(), - provisioning_certification_key::EVE, + provisioning_certification_key::EVE.clone(), ); vec![alice, bob, dave, eve] @@ -204,7 +204,12 @@ pub fn development_genesis_config( )>, initial_nominators: Vec, root_key: AccountId, - initial_tss_servers: Vec<(sp_runtime::AccountId32, TssX25519PublicKey, String)>, + initial_tss_servers: Vec<( + sp_runtime::AccountId32, + TssX25519PublicKey, + String, + BoundedVecEncodedVerifyingKey, + )>, ) -> serde_json::Value { // Note that any endowed_accounts added here will be included in the `elections` and // `technical_committee` genesis configs. If you don't want that, don't push those accounts to 
@@ -282,7 +287,7 @@ pub fn development_genesis_config( .iter() .zip(initial_tss_servers.iter()) .map(|(auth, tss)| { - (auth.0.clone(), (tss.0.clone(), tss.1, tss.2.as_bytes().to_vec(), tss.3)) + (auth.0.clone(), (tss.0.clone(), tss.1, tss.2.as_bytes().to_vec(), tss.3.clone())) }) .collect::>(), proactive_refresh_data: (vec![], vec![]), diff --git a/node/cli/src/chain_spec/integration_tests.rs b/node/cli/src/chain_spec/integration_tests.rs index 48cca40bb..5d7fc54ed 100644 --- a/node/cli/src/chain_spec/integration_tests.rs +++ b/node/cli/src/chain_spec/integration_tests.rs @@ -158,7 +158,7 @@ pub fn integration_tests_genesis_config( crate::chain_spec::tss_account_id::ALICE.clone(), crate::chain_spec::tss_x25519_public_key::ALICE, "127.0.0.1:3001".as_bytes().to_vec(), - provisioning_certification_key::ALICE, + provisioning_certification_key::ALICE.clone(), ), ), ( @@ -167,7 +167,7 @@ pub fn integration_tests_genesis_config( crate::chain_spec::tss_account_id::BOB.clone(), crate::chain_spec::tss_x25519_public_key::BOB, "127.0.0.1:3002".as_bytes().to_vec(), - provisioning_certification_key::BOB, + provisioning_certification_key::BOB.clone(), ), ), ( @@ -176,7 +176,7 @@ pub fn integration_tests_genesis_config( crate::chain_spec::tss_account_id::CHARLIE.clone(), crate::chain_spec::tss_x25519_public_key::CHARLIE, "127.0.0.1:3003".as_bytes().to_vec(), - provisioning_certification_key::CHARLIE, + provisioning_certification_key::CHARLIE.clone(), ), ), ( @@ -185,7 +185,7 @@ pub fn integration_tests_genesis_config( crate::chain_spec::tss_account_id::DAVE.clone(), crate::chain_spec::tss_x25519_public_key::DAVE, "127.0.0.1:3004".as_bytes().to_vec(), - provisioning_certification_key::DAVE, + provisioning_certification_key::DAVE.clone(), ), ), ], diff --git a/node/cli/src/chain_spec/mod.rs b/node/cli/src/chain_spec/mod.rs index b67d2ed95..cccc9954a 100644 --- a/node/cli/src/chain_spec/mod.rs +++ b/node/cli/src/chain_spec/mod.rs 
@@ -131,11 +131,11 @@ pub mod provisioning_certification_key { use sp_runtime::BoundedVec; lazy_static::lazy_static! { - pub const ALICE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); - pub const BOB: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); - pub const CHARLIE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); - pub const DAVE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); - pub const EVE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); + pub static ref ALICE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); + pub static ref BOB: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); + pub static ref CHARLIE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); + pub static ref DAVE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); + pub static ref EVE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); } } diff --git a/node/cli/src/chain_spec/testnet.rs b/node/cli/src/chain_spec/testnet.rs index 0007fec31..9dd3c1f5f 100644 --- a/node/cli/src/chain_spec/testnet.rs +++ b/node/cli/src/chain_spec/testnet.rs @@ -24,9 +24,9 @@ use entropy_runtime::{ }; use entropy_runtime::{AccountId, Balance}; use entropy_shared::{ - X25519PublicKey as TssX25519PublicKey, DEVICE_KEY_AUX_DATA_TYPE, DEVICE_KEY_CONFIG_TYPE, - DEVICE_KEY_HASH, DEVICE_KEY_PROXY, INITIAL_MAX_INSTRUCTIONS_PER_PROGRAM, SIGNER_THRESHOLD, - TOTAL_SIGNERS, + BoundedVecEncodedVerifyingKey, X25519PublicKey as TssX25519PublicKey, DEVICE_KEY_AUX_DATA_TYPE, + DEVICE_KEY_CONFIG_TYPE, DEVICE_KEY_HASH, DEVICE_KEY_PROXY, + INITIAL_MAX_INSTRUCTIONS_PER_PROGRAM, SIGNER_THRESHOLD, TOTAL_SIGNERS, }; use grandpa_primitives::AuthorityId as GrandpaId; use hex_literal::hex; 
@@ -177,19 +177,20 @@ pub fn testnet_local_config() -> crate::chain_spec::ChainSpec { .build() } -pub fn testnet_local_initial_tss_servers() -> Vec<(TssAccountId, TssX25519PublicKey, TssEndpoint)> { +pub fn testnet_local_initial_tss_servers( +) -> Vec<(TssAccountId, TssX25519PublicKey, TssEndpoint, BoundedVecEncodedVerifyingKey)> { let alice = ( crate::chain_spec::tss_account_id::ALICE.clone(), crate::chain_spec::tss_x25519_public_key::ALICE, "alice-tss-server:3001".to_string(), - provisioning_certification_key::ALICE, + provisioning_certification_key::ALICE.clone(), ); let bob = ( crate::chain_spec::tss_account_id::BOB.clone(), crate::chain_spec::tss_x25519_public_key::BOB, "bob-tss-server:3002".to_string(), - provisioning_certification_key::BOB, + provisioning_certification_key::BOB.clone(), ); vec![alice, bob] @@ -209,7 +210,8 @@ pub fn testnet_local_initial_tss_servers() -> Vec<(TssAccountId, TssX25519Public /// /// Note that if the KVDB of the TSS is deleted at any point during this process you will end up /// with different `AccountID`s and `PublicKey`s. -pub fn testnet_initial_tss_servers() -> Vec<(TssAccountId, TssX25519PublicKey, TssEndpoint)> { +pub fn testnet_initial_tss_servers( +) -> Vec<(TssAccountId, TssX25519PublicKey, TssEndpoint, BoundedVecEncodedVerifyingKey)> { use std::str::FromStr; let node_1a = ( @@ -220,6 +222,7 @@ pub fn testnet_initial_tss_servers() -> Vec<(TssAccountId, TssX25519PublicKey, T 198, 84, 61, 178, 36, 191, 56, 41, 39, 173, 70, 9, 67, ], "100.26.207.49:3001".to_string(), + provisioning_certification_key::ALICE.clone(), ); let node_1b = ( @@ -230,6 +233,7 @@ pub fn testnet_initial_tss_servers() -> Vec<(TssAccountId, TssX25519PublicKey, T 10, 107, 31, 67, 10, 98, 215, 34, 26, 10, 188, 59, 71, 100, ], "34.200.237.166:3001".to_string(), + provisioning_certification_key::BOB.clone(), ); let node_1c = ( 
@@ -240,6 +244,7 @@ pub fn testnet_initial_tss_servers() -> Vec<(TssAccountId, TssX25519PublicKey, T 36, 157, 25, 170, 72, 247, 152, 130, 139, 244, 4, 67, 162, 0, ], "184.72.189.154:3001".to_string(), + provisioning_certification_key::CHARLIE.clone(), ); let node_2a = ( @@ -250,6 +255,7 @@ pub fn testnet_initial_tss_servers() -> Vec<(TssAccountId, TssX25519PublicKey, T 196, 3, 154, 37, 23, 133, 28, 168, 221, 37, 204, 186, 61, ], "184.73.19.95:3001".to_string(), + provisioning_certification_key::DAVE.clone(), ); vec![node_1a, node_1b, node_1c, node_2a] @@ -295,7 +301,12 @@ pub fn testnet_genesis_config( )>, initial_nominators: Vec, root_key: AccountId, - initial_tss_servers: Vec<(TssAccountId, TssX25519PublicKey, TssEndpoint)>, + initial_tss_servers: Vec<( + TssAccountId, + TssX25519PublicKey, + TssEndpoint, + BoundedVecEncodedVerifyingKey, + )>, ) -> serde_json::Value { assert!( initial_authorities.len() == initial_tss_servers.len(), @@ -412,7 +423,7 @@ pub fn testnet_genesis_config( .iter() .zip(initial_tss_servers.iter()) .map(|(auth, tss)| { - (auth.0.clone(), (tss.0.clone(), tss.1, tss.2.as_bytes().to_vec(), tss.3)) + (auth.0.clone(), (tss.0.clone(), tss.1, tss.2.as_bytes().to_vec(), tss.3.clone())) }) .collect::>(), proactive_refresh_data: (vec![], vec![]), From d5fffa5e2a6dbf9072136b1d887cdb8632cb2b72 Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 10:36:34 +0200 Subject: [PATCH 04/28] Add sp-runtime to wasm deps of entropy-shared --- crates/shared/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crates/shared/Cargo.toml b/crates/shared/Cargo.toml index 9583d256d..a03e6c1d0 100644 --- a/crates/shared/Cargo.toml +++ b/crates/shared/Cargo.toml 
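Review bot: `testnet_initial_tss_servers` binds the four public testnet nodes (`100.26.207.49`, `34.200.237.166`, `184.72.189.154`, `184.73.19.95`) to `provisioning_certification_key::ALICE`..`DAVE`, which are the dev placeholders rather than keys belonging to those machines. A PCK is per-platform and comes from the host's PCK certificate, so these entries should be the actual encoded keys of each host, just as the x25519 keys above them are per-host; until then the testnet attestation check will reject every quote, or, if the placeholders are ever filled with one shared dummy key, accept quotes from any machine holding that key. Suggest marking each of the four added lines with `// TODO: replace with this node's real PCK before cutting the testnet chain spec` so the placeholder cannot be mistaken for a real value.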
@@ -27,7 +27,7 @@ subxt ={ version="0.35.3", default-features=false, optional=true } [features] default =["std"] std =["codec/std", "scale-info/std", "serde/std", "sp-runtime/std", "sp-std/std"] -wasm =["codec/std", "scale-info/std", "serde/std", "sp-std/std"] +wasm =["codec/std", "scale-info/std", "serde/std", "sp-std/std", "sp-runtime/std"] wasm-no-std=["sp-runtime"] user-native=["dep:subxt", "subxt/native"] user-wasm =["dep:subxt", "subxt/web"] From 1a7759c5bcc28da97f16a60424494f7718c1cf82 Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 10:38:49 +0200 Subject: [PATCH 05/28] Bump tdx-quote, check PCK signature when verifying quotes --- Cargo.lock | 2 +- crates/threshold-signature-server/Cargo.toml | 4 +-- pallets/attestation/Cargo.toml | 4 +-- pallets/attestation/src/lib.rs | 34 +++++++++++++------- 4 files changed, 28 insertions(+), 16 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f50dcd201..1039fa4be 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -14131,7 +14131,7 @@ checksum = "e1fc403891a21bcfb7c37834ba66a547a8f402146eba7265b5a6d88059c9ff2f" [[package]] name = "tdx-quote" version = "0.1.0" -source = "git+https://github.com/entropyxyz/tdx-quote?rev=f7968ff#f7968ff35ff744ff8c007cffe6ec8d709d7f18d9" +source = "git+https://github.com/entropyxyz/tdx-quote?rev=0dca6b3#0dca6b353f6a119cd333530b2c85d1ea0eadc287" dependencies = [ "nom", "p256", diff --git a/crates/threshold-signature-server/Cargo.toml b/crates/threshold-signature-server/Cargo.toml index a449540d8..46a65d88a 100644 --- a/crates/threshold-signature-server/Cargo.toml +++ b/crates/threshold-signature-server/Cargo.toml @@ -71,7 +71,7 @@ sha1="0.10.6" sha2="0.10.8" hkdf="0.12.4" project-root={ version="0.2.2", optional=true } -tdx-quote={ git="https://github.com/entropyxyz/tdx-quote", rev="f7968ff", optional=true, features=[ +tdx-quote={ git="https://github.com/entropyxyz/tdx-quote", rev="0dca6b3", optional=true, features=[ "mock", ] } 
@@ -87,7 +87,7 @@ ethers-core ="2.0.14" schnorrkel ={ version="0.11.4", default-features=false, features=["std"] } schemars ={ version="0.8.21" } subxt-signer="0.35.3" -tdx-quote ={ git="https://github.com/entropyxyz/tdx-quote", rev="f7968ff", features=["mock"] } +tdx-quote ={ git="https://github.com/entropyxyz/tdx-quote", rev="0dca6b3", features=["mock"] } # Note: We don't specify versions here because otherwise we run into a cyclical dependency between # `entropy-tss` and `entropy-testing-utils` when we try and publish the `entropy-tss` crate. diff --git a/pallets/attestation/Cargo.toml b/pallets/attestation/Cargo.toml index 44d63ae1c..c18b1fe21 100644 --- a/pallets/attestation/Cargo.toml +++ b/pallets/attestation/Cargo.toml @@ -27,7 +27,7 @@ entropy-shared={ version="0.2.0", path="../../crates/shared", features=[ "wasm-no-std", ], default-features=false } pallet-staking-extension={ version="0.2.0", path="../staking", default-features=false } -tdx-quote={ git="https://github.com/entropyxyz/tdx-quote", rev="f7968ff" } +tdx-quote={ git="https://github.com/entropyxyz/tdx-quote", rev="0dca6b3" } [dev-dependencies] pallet-session ={ version="29.0.0", default-features=false } @@ -38,7 +38,7 @@ pallet-timestamp ={ version="28.0.0", default-features=false } sp-npos-elections ={ version="27.0.0", default-features=false } frame-election-provider-support={ version="29.0.0", default-features=false } pallet-staking-reward-curve ={ version="11.0.0" } -tdx-quote ={ git="https://github.com/entropyxyz/tdx-quote", rev="f7968ff", features=["mock"] } +tdx-quote ={ git="https://github.com/entropyxyz/tdx-quote", rev="0dca6b3", features=["mock"] } rand_core ="0.6.4" [features] diff --git a/pallets/attestation/src/lib.rs b/pallets/attestation/src/lib.rs index ebab0a19e..ae09ea549 100644 --- a/pallets/attestation/src/lib.rs +++ b/pallets/attestation/src/lib.rs 
@@ -51,7 +51,7 @@ pub mod pallet { use frame_support::pallet_prelude::*; use frame_system::pallet_prelude::*; use sp_std::vec::Vec; - use tdx_quote::Quote; + use tdx_quote::{decode_verifying_key, Quote}; pub use crate::weights::WeightInfo; @@ -123,6 +123,10 @@ pub mod pallet { NoServerInfo, /// Unacceptable VM image running BadMrtdValue, + /// Cannot decode verifying key (PCK) + CannotDecodeVerifyingKey, + /// Could not verify PCK signature + PckVerification, } #[pallet::call] @@ -142,17 +146,15 @@ pub mod pallet { let nonce = PendingAttestations::::get(&who).ok_or(Error::::UnexpectedAttestation)?; - // Parse the quote (which internally verifies the signature) + // Parse the quote (which internally verifies the attestation key signature) let quote = Quote::from_bytes("e).map_err(|_| Error::::BadQuote)?; - // Get associated x25519 public key from staking pallet - let x25519_public_key = { + // Get associated server info from staking pallet + let server_info = { let stash_account = pallet_staking_extension::Pallet::::threshold_to_stash(&who) .ok_or(Error::::NoStashAccount)?; - let server_info = - pallet_staking_extension::Pallet::::threshold_server(&stash_account) - .ok_or(Error::::NoServerInfo)?; - server_info.x25519_public_key + pallet_staking_extension::Pallet::::threshold_server(&stash_account) + .ok_or(Error::::NoServerInfo)? }; // Get current block number @@ -163,7 +165,7 @@ pub mod pallet { // Check report input data matches the nonce, TSS details and block number let expected_input_data = - QuoteInputData::new(&who, x25519_public_key, nonce, block_number); + QuoteInputData::new(&who, server_info.x25519_public_key, nonce, block_number); ensure!( quote.report_input_data() == expected_input_data.0, Error::::IncorrectInputData 
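Review bot: In the `@@ -123` hunk the new variant `PckVerification` names an operation rather than a failure, unlike its siblings (`BadQuote`, `BadMrtdValue`, `IncorrectInputData`, `CannotDecodeVerifyingKey`), so a caller matching on it cannot tell from the name what went wrong. `PckVerificationFailed` or `BadPckSignature` would read consistently, and the doc comment could say what the caller should conclude: `/// The quote's attestation key is not signed by the PCK registered for this TSS server`. For `CannotDecodeVerifyingKey` it is worth adding that an empty or wrongly sized stored key also lands here, since the `try_into()` in the later hunk maps to the same variant.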
@@ -175,8 +177,18 @@ pub mod pallet { let accepted_mrtd_values = pallet_parameters::Pallet::::accepted_mrtd_values(); ensure!(accepted_mrtd_values.contains(&mrtd_value), Error::::BadMrtdValue); - // TODO #982 Check that the attestation public key matches that from PCK certificate - let _attestation_key = quote.attestation_key; + // Check that the attestation public key is signed with the PCK + let provisioning_certification_key = decode_verifying_key( + &server_info + .provisioning_certification_key + .to_vec() + .try_into() + .map_err(|_| Error::::CannotDecodeVerifyingKey)?, + ) + .map_err(|_| Error::::CannotDecodeVerifyingKey)?; + quote + .verify_with_pck(provisioning_certification_key) + .map_err(|_| Error::::PckVerification)?; // Remove the entry from PendingAttestations PendingAttestations::::remove(&who); From d74f85ae64e4ea39323220fb2bf1874502bb9606 Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 11:14:38 +0200 Subject: [PATCH 06/28] Update benchmarks --- pallets/attestation/src/benchmarking.rs | 2 ++ pallets/registry/src/benchmarking.rs | 8 ++++++-- pallets/staking/src/benchmarking.rs | 11 +++++++++-- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/pallets/attestation/src/benchmarking.rs b/pallets/attestation/src/benchmarking.rs index f3c88604f..5b0a42fe0 100644 --- a/pallets/attestation/src/benchmarking.rs +++ b/pallets/attestation/src/benchmarking.rs @@ -15,6 +15,7 @@ use entropy_shared::QuoteInputData; use frame_benchmarking::{benchmarks, impl_benchmark_test_suite, whitelisted_caller}; +use frame_support::BoundedVec; use frame_system::{EventRecord, RawOrigin}; use pallet_staking_extension::{ServerInfo, ThresholdServers, ThresholdToStash}; @@ -63,6 +64,7 @@ benchmarks! { tss_account: attestee.clone(), x25519_public_key: [0; 32], endpoint: b"http://localhost:3001".to_vec(), + provisioning_certification_key: BoundedVec::with_max_capacity(), }); }: _(RawOrigin::Signed(attestee.clone()), quote.clone()) 
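Review bot: The new check binds the quote's attestation key to whatever `provisioning_certification_key` the staking pallet holds for this server, and per the `ServerInfo`/genesis changes earlier in the series that value is supplied by the validator itself; nothing here establishes that it is an Intel-issued PCK, so the removed TODO #982 is only partly addressed unless that validation happens where the key is stored. Keep a pointer rather than dropping the reference: `// TODO #982: the stored PCK is operator-supplied; its certificate chain is not yet verified on-chain`. Minor: `.to_vec().try_into()` allocates a `Vec` only to convert it into a fixed array; `.as_slice().try_into()` should do the same without the copy, assuming `decode_verifying_key` takes a fixed-size array reference as the call suggests. `attest`'s body begins and ends outside this hunk.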
diff --git a/pallets/registry/src/benchmarking.rs b/pallets/registry/src/benchmarking.rs index 492009951..ae2b76863 100644 --- a/pallets/registry/src/benchmarking.rs +++ b/pallets/registry/src/benchmarking.rs @@ -51,8 +51,12 @@ pub fn add_non_syncing_validators( ) -> Vec<::ValidatorId> { let validators = create_validators::(validator_amount, SEED); let account = account::("ts_account", 1, SEED); - let server_info = - ServerInfo { tss_account: account, x25519_public_key: NULL_ARR, endpoint: vec![20] }; + let server_info = ServerInfo { + tss_account: account, + x25519_public_key: NULL_ARR, + endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; for (c, validator) in validators.iter().enumerate() { >::insert(validator, server_info.clone()); if c >= syncing_validators.try_into().unwrap() { diff --git a/pallets/staking/src/benchmarking.rs b/pallets/staking/src/benchmarking.rs index 5fce1157b..088342a9a 100644 --- a/pallets/staking/src/benchmarking.rs +++ b/pallets/staking/src/benchmarking.rs @@ -21,6 +21,7 @@ use frame_support::{ assert_ok, ensure, sp_runtime::traits::StaticLookup, traits::{Currency, Get}, + BoundedVec, }; use frame_system::{EventRecord, RawOrigin}; use pallet_parameters::{SignersInfo, SignersSize}; @@ -77,8 +78,12 @@ fn prep_bond_and_validate( reward_destination, )); - let server_info = - ServerInfo { tss_account: threshold, x25519_public_key, endpoint: vec![20, 20] }; + let server_info = ServerInfo { + tss_account: threshold, + x25519_public_key, + endpoint: vec![20, 20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; if validate_also { assert_ok!(>::validate( @@ -120,6 +125,7 @@ benchmarks! { endpoint: vec![20, 20], tss_account: _bonder.clone(), x25519_public_key: NULL_ARR, + provisioning_certification_key: BoundedVec::with_max_capacity(), }; assert_last_event::(Event::::ThresholdAccountChanged(bonder, server_info).into()); } 
@@ -161,6 +167,7 @@ benchmarks! { tss_account: threshold.clone(), x25519_public_key: NULL_ARR, endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity(), }; }: _(RawOrigin::Signed(bonder.clone()), validator_preference, server_info) From e3ad7fb6c5a633789434dadb497d9d2905f4031e Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 11:29:00 +0200 Subject: [PATCH 07/28] When mocking, derive PCK from TSS account id --- Cargo.lock | 3 ++- crates/threshold-signature-server/Cargo.toml | 5 +++-- crates/threshold-signature-server/src/attestation/api.rs | 9 +++++++-- pallets/attestation/Cargo.toml | 4 ++-- 4 files changed, 14 insertions(+), 7 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1039fa4be..3343fe5df 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2782,6 +2782,7 @@ dependencies = [ "num", "parity-scale-codec", "project-root", + "rand", "rand_core 0.6.4", "reqwest", "reqwest-eventsource", @@ -14131,7 +14132,7 @@ checksum = "e1fc403891a21bcfb7c37834ba66a547a8f402146eba7265b5a6d88059c9ff2f" [[package]] name = "tdx-quote" version = "0.1.0" -source = "git+https://github.com/entropyxyz/tdx-quote?rev=0dca6b3#0dca6b353f6a119cd333530b2c85d1ea0eadc287" +source = "git+https://github.com/entropyxyz/tdx-quote?rev=cb167f2#cb167f2aef1c7539c91082ee21c764eac60f6bef" dependencies = [ "nom", "p256", diff --git a/crates/threshold-signature-server/Cargo.toml b/crates/threshold-signature-server/Cargo.toml index 46a65d88a..69b6abc2d 100644 --- a/crates/threshold-signature-server/Cargo.toml +++ b/crates/threshold-signature-server/Cargo.toml @@ -17,6 +17,7 @@ thiserror ="1.0.63" blake2 ="0.10.4" x25519-dalek ={ version="2.0.1", features=["static_secrets"] } rand_core ="0.6.4" +rand ="0.8.5" zeroize ="1.8.1" hex ="0.4.3" reqwest-eventsource="0.6" 
@@ -71,7 +72,7 @@ sha1="0.10.6" sha2="0.10.8" hkdf="0.12.4" project-root={ version="0.2.2", optional=true } -tdx-quote={ git="https://github.com/entropyxyz/tdx-quote", rev="0dca6b3", optional=true, features=[ +tdx-quote={ git="https://github.com/entropyxyz/tdx-quote", rev="cb167f2", optional=true, features=[ "mock", ] } @@ -87,7 +88,7 @@ ethers-core ="2.0.14" schnorrkel ={ version="0.11.4", default-features=false, features=["std"] } schemars ={ version="0.8.21" } subxt-signer="0.35.3" -tdx-quote ={ git="https://github.com/entropyxyz/tdx-quote", rev="0dca6b3", features=["mock"] } +tdx-quote ={ git="https://github.com/entropyxyz/tdx-quote", rev="cb167f2", features=["mock"] } # Note: We don't specify versions here because otherwise we run into a cyclical dependency between # `entropy-tss` and `entropy-testing-utils` when we try and publish the `entropy-tss` crate. diff --git a/crates/threshold-signature-server/src/attestation/api.rs b/crates/threshold-signature-server/src/attestation/api.rs index ae97b2fab..195a5fecf 100644 --- a/crates/threshold-signature-server/src/attestation/api.rs +++ b/crates/threshold-signature-server/src/attestation/api.rs @@ -78,10 +78,11 @@ pub async fn create_quote( signer: &PairSigner, x25519_secret: &StaticSecret, ) -> Result, AttestationErr> { + use rand::{rngs::StdRng, SeedableRng}; use rand_core::OsRng; use sp_core::Pair; - // In the real thing this is the hardware key used in the quoting enclave + // In the real thing this is the key used in the quoting enclave let signing_key = tdx_quote::SigningKey::random(&mut OsRng); let public_key = x25519_dalek::PublicKey::from(x25519_secret); 
@@ -93,7 +94,11 @@ pub async fn create_quote( block_number, ); - let quote = tdx_quote::Quote::mock(signing_key.clone(), input_data.0).as_bytes().to_vec(); + // This is generated deterministically from TSS account id + let mut pck_seeder = StdRng::from_seed(signer.signer().public().0); + let pck = tdx_quote::SigningKey::random(&mut pck_seeder); + + let quote = tdx_quote::Quote::mock(signing_key.clone(), pck, input_data.0).as_bytes().to_vec(); Ok(quote) } diff --git a/pallets/attestation/Cargo.toml b/pallets/attestation/Cargo.toml index c18b1fe21..ded3b1a93 100644 --- a/pallets/attestation/Cargo.toml +++ b/pallets/attestation/Cargo.toml @@ -27,7 +27,7 @@ entropy-shared={ version="0.2.0", path="../../crates/shared", features=[ "wasm-no-std", ], default-features=false } pallet-staking-extension={ version="0.2.0", path="../staking", default-features=false } -tdx-quote={ git="https://github.com/entropyxyz/tdx-quote", rev="0dca6b3" } +tdx-quote={ git="https://github.com/entropyxyz/tdx-quote", rev="cb167f2" } [dev-dependencies] pallet-session ={ version="29.0.0", default-features=false } @@ -38,7 +38,7 @@ pallet-timestamp ={ version="28.0.0", default-features=false } sp-npos-elections ={ version="27.0.0", default-features=false } frame-election-provider-support={ version="29.0.0", default-features=false } pallet-staking-reward-curve ={ version="11.0.0" } -tdx-quote ={ git="https://github.com/entropyxyz/tdx-quote", rev="0dca6b3", features=["mock"] } +tdx-quote ={ git="https://github.com/entropyxyz/tdx-quote", rev="cb167f2", features=["mock"] } rand_core ="0.6.4" [features] From f02c7c5357fe408b113e1febd0173dac46d3bbda Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 11:40:26 +0200 Subject: [PATCH 08/28] Get boundedvec from sp-core, not sp-runtime --- crates/shared/Cargo.toml | 2 +- crates/shared/src/types.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crates/shared/Cargo.toml b/crates/shared/Cargo.toml index a03e6c1d0..9583d256d 100644 
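Review bot: The mock PCK is seeded from `signer.signer().public().0`, a public value, so anyone who knows the TSS account id can reconstruct this "PCK" private key; that is fine for a mock quote but the comment should say so and make explicit that the branch must stay behind the mock feature, e.g. `// Mock only: the PCK is derived from the public TSS account id so tests can predict it; it provides no authentication.` The same derivation is duplicated in `derive_mock_pck_verifying_key` in crates/testing-utils/src/helpers.rs (patch 12) and its outputs are frozen into node/cli/src/chain_spec/mod.rs (patch 13), so a change to the seeding in one place would silently break attestation in tests; since the Cargo.toml note above says entropy-testing-utils cannot be a regular dependency here, at least cross-reference the helper in the comment. `create_quote` begins and ends outside this hunk.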
--- a/crates/shared/Cargo.toml +++ b/crates/shared/Cargo.toml @@ -27,7 +27,7 @@ subxt ={ version="0.35.3", default-features=false, optional=true } [features] default =["std"] std =["codec/std", "scale-info/std", "serde/std", "sp-runtime/std", "sp-std/std"] -wasm =["codec/std", "scale-info/std", "serde/std", "sp-std/std", "sp-runtime/std"] +wasm =["codec/std", "scale-info/std", "serde/std", "sp-std/std"] wasm-no-std=["sp-runtime"] user-native=["dep:subxt", "subxt/native"] user-wasm =["dep:subxt", "subxt/web"] diff --git a/crates/shared/src/types.rs b/crates/shared/src/types.rs index c303a8fee..42ff91873 100644 --- a/crates/shared/src/types.rs +++ b/crates/shared/src/types.rs @@ -111,7 +111,7 @@ pub enum HashingAlgorithm { pub type EncodedVerifyingKey = [u8; VERIFICATION_KEY_LENGTH as usize]; pub type BoundedVecEncodedVerifyingKey = - sp_runtime::BoundedVec>; + sp_core::bounded_vec::BoundedVec>; /// Input data to be included in a TDX attestation pub struct QuoteInputData(pub [u8; 64]); From f70315cd99b0bca057be71a062da0005ed7f1d78 Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 11:48:58 +0200 Subject: [PATCH 09/28] Ignore BoundedVec type when compiling for wasm with std --- crates/shared/src/types.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crates/shared/src/types.rs b/crates/shared/src/types.rs index 42ff91873..12c29f492 100644 --- a/crates/shared/src/types.rs +++ b/crates/shared/src/types.rs @@ -110,8 +110,9 @@ pub enum HashingAlgorithm { /// A compressed, serialized [synedrion::ecdsa::VerifyingKey] pub type EncodedVerifyingKey = [u8; VERIFICATION_KEY_LENGTH as usize]; +#[cfg(not(feature = "wasm"))] pub type BoundedVecEncodedVerifyingKey = - sp_core::bounded_vec::BoundedVec>; + sp_runtime::BoundedVec>; /// Input data to be included in a TDX attestation pub struct QuoteInputData(pub [u8; 64]); From 2f86ec81fb6bc0fa9f7943fb3d00d5ac220cb971 Mon Sep 17 00:00:00 2001 
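Review bot: The `#[cfg(not(feature = "wasm"))]` added in patch 09 removes `BoundedVecEncodedVerifyingKey` (and any type that embeds it) from builds with the `wasm` feature, and the attribute carries no explanation of why; a comment such as `// sp_runtime is not enabled under the \`wasm\` feature (see Cargo.toml), so this alias only exists for native and wasm-no-std builds` would spare the next reader the archaeology. Patches 08 and 09 together appear to be a no-op on the type's path (08 moves to `sp_core::bounded_vec::BoundedVec`, 09 moves back to `sp_runtime::BoundedVec`) and patch 08's Cargo.toml hunk reverts the `sp-runtime/std` addition made earlier in the series, so squashing them would leave a cleaner history.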
From: peg Date: Tue, 17 Sep 2024 12:44:04 +0200 Subject: [PATCH 10/28] Update propagation pallet mock --- pallets/propagation/src/mock.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pallets/propagation/src/mock.rs b/pallets/propagation/src/mock.rs index a87be8a69..7942818e3 100644 --- a/pallets/propagation/src/mock.rs +++ b/pallets/propagation/src/mock.rs @@ -28,7 +28,7 @@ use sp_runtime::{ curve::PiecewiseLinear, testing::{TestXt, UintAuthorityId}, traits::{BlakeTwo256, ConvertInto, IdentityLookup}, - BuildStorage, Perbill, + BoundedVec, BuildStorage, Perbill, }; use sp_staking::{EraIndex, SessionIndex}; use std::cell::RefCell; @@ -380,10 +380,10 @@ pub fn new_test_ext() -> sp_io::TestExternalities { let pallet_staking_extension = pallet_staking_extension::GenesisConfig:: { threshold_servers: vec![ // (ValidatorID, (AccountId, X25519PublicKey, TssServerURL)) - (5, (7, NULL_ARR, vec![20])), - (6, (8, NULL_ARR, vec![40])), - (1, (3, NULL_ARR, vec![10])), - (2, (4, NULL_ARR, vec![11])), + (5, (7, NULL_ARR, vec![20], BoundedVec::with_max_capacity())), + (6, (8, NULL_ARR, vec![40], BoundedVec::with_max_capacity())), + (1, (3, NULL_ARR, vec![10], BoundedVec::with_max_capacity())), + (2, (4, NULL_ARR, vec![11], BoundedVec::with_max_capacity())), ], proactive_refresh_data: (vec![], vec![]), mock_signer_rotate: (false, vec![], vec![]), From 574138582c405c5b64278ff652a5cb682d20c401 Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 13:20:56 +0200 Subject: [PATCH 11/28] Update attestation pallet mock --- pallets/attestation/src/benchmarking.rs | 14 ++++++++++---- pallets/attestation/src/mock.rs | 4 ++-- pallets/attestation/src/tests.rs | 7 +++---- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/pallets/attestation/src/benchmarking.rs b/pallets/attestation/src/benchmarking.rs index 5b0a42fe0..3dc2c4051 100644 --- a/pallets/attestation/src/benchmarking.rs +++ b/pallets/attestation/src/benchmarking.rs 
@@ -24,7 +24,11 @@ use super::*; use crate::Pallet as AttestationPallet; // This is a randomly generated secret p256 ECDSA key -const ENCLAVE_SIGNING_KEY: [u8; 32] = [ +const ATTESTATION_KEY: [u8; 32] = [ + 167, 184, 203, 130, 240, 249, 191, 129, 206, 9, 200, 29, 99, 197, 64, 81, 135, 166, 59, 73, 31, + 27, 206, 207, 69, 248, 56, 195, 64, 92, 109, 46, +]; +const PCK: [u8; 32] = [ 167, 184, 203, 130, 240, 249, 191, 129, 206, 9, 200, 29, 99, 197, 64, 81, 135, 166, 59, 73, 31, 27, 206, 207, 69, 248, 56, 195, 64, 92, 109, 46, ]; @@ -42,7 +46,9 @@ benchmarks! { let attestee: T::AccountId = whitelisted_caller(); let nonce = [0; 32]; - let signing_key = tdx_quote::SigningKey::from_bytes(&ENCLAVE_SIGNING_KEY.into()).unwrap(); + let attestation_key = tdx_quote::SigningKey::from_bytes(&ATTESTATION_KEY.into()).unwrap(); + let pck = tdx_quote::SigningKey::from_bytes(&PCK.into()).unwrap(); + let pck_encoded = tdx::quote::encode_verifying_key(pck).unwrap(); let input_data = QuoteInputData::new( &attestee, // TSS Account ID @@ -50,7 +56,7 @@ benchmarks! { nonce, 1, // Block number ); - let quote = tdx_quote::Quote::mock(signing_key.clone(), input_data.0).as_bytes().to_vec(); + let quote = tdx_quote::Quote::mock(signing_key.clone(), pck, input_data.0).as_bytes().to_vec(); // Insert a pending attestation so that this quote is expected >::insert(attestee.clone(), nonce); @@ -64,7 +70,7 @@ benchmarks! { tss_account: attestee.clone(), x25519_public_key: [0; 32], endpoint: b"http://localhost:3001".to_vec(), - provisioning_certification_key: BoundedVec::with_max_capacity(), + provisioning_certification_key: BoundedVec::from(pck_encoded.to_vec()), }); }: _(RawOrigin::Signed(attestee.clone()), quote.clone()) diff --git a/pallets/attestation/src/mock.rs b/pallets/attestation/src/mock.rs index 086153d1f..478f31a41 100644 --- a/pallets/attestation/src/mock.rs +++ b/pallets/attestation/src/mock.rs 
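Review bot: `PCK` is initialised with exactly the same 32 bytes as `ATTESTATION_KEY`, so the benchmark's quote is signed by a PCK equal to the attestation key and would not notice a `verify_with_pck` that checked against the wrong key; use a distinct key (a constructed example: change the first byte of `PCK`) and extend the `// This is a randomly generated ...` comment to cover both constants. In the `@@ -42` hunk the new code calls `tdx::quote::encode_verifying_key(pck)` although the crate is `tdx_quote` and `pck` is a `SigningKey` (the testing-utils helper later in the series passes a `&VerifyingKey`), and `pck` is then used again in `Quote::mock(...)` after that call; the `@@ -50` hunk also still calls `signing_key.clone()` although the binding was renamed to `attestation_key`. Unless a later patch in the series corrects these, the benchmark seems unlikely to compile as written.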
@@ -344,8 +344,8 @@ pub fn new_test_ext() -> sp_io::TestExternalities { let pallet_staking_extension = pallet_staking_extension::GenesisConfig:: { threshold_servers: vec![ - // (ValidatorID, (AccountId, X25519PublicKey, TssServerURL)) - (5, (0, NULL_ARR, vec![20])), + // (ValidatorID, (AccountId, X25519PublicKey, TssServerURL, PCK)) + (5, (0, NULL_ARR, vec![20], BoundedVec::default())), ], proactive_refresh_data: (vec![], vec![]), mock_signer_rotate: (false, vec![], vec![]), diff --git a/pallets/attestation/src/tests.rs b/pallets/attestation/src/tests.rs index 7e34966e2..aa206398b 100644 --- a/pallets/attestation/src/tests.rs +++ b/pallets/attestation/src/tests.rs @@ -27,9 +27,8 @@ fn attest() { let nonce = Attestation::pending_attestations(ATTESTEE).unwrap(); assert_eq!(nonce, [0; 32]); - // For now it doesn't matter what this is, but once we handle PCK certificates this will - // need to correspond to the public key in the certificate - let signing_key = tdx_quote::SigningKey::random(&mut OsRng); + let attestation_key = tdx_quote::SigningKey::random(&mut OsRng); + let pck = tdx_quote::SigningKey::random(&mut OsRng); let input_data = QuoteInputData::new( ATTESTEE, // TSS Account ID @@ -37,7 +36,7 @@ fn attest() { nonce, 0, // Block number ); - let quote = tdx_quote::Quote::mock(signing_key.clone(), input_data.0); + let quote = tdx_quote::Quote::mock(attestation_key.clone(), pck, input_data.0); assert_ok!( Attestation::attest(RuntimeOrigin::signed(ATTESTEE), quote.as_bytes().to_vec(),) ); From 5cd50e4e43c4b7264c9a6d2823845771cb7ce220 Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 13:21:46 +0200 Subject: [PATCH 12/28] Add helpers for deriving mock pcks --- crates/testing-utils/Cargo.toml | 1 + crates/testing-utils/src/helpers.rs | 18 +++++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/crates/testing-utils/Cargo.toml b/crates/testing-utils/Cargo.toml index 93217efcd..686c14f39 100644 --- a/crates/testing-utils/Cargo.toml 
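Review bot: In `attest()` the new `pck` is drawn from `OsRng` but nothing registers its verifying key with the mock's threshold server entry, which `mock.rs` in this same patch seeds with `BoundedVec::default()`; with the PCK signature check that patch 05 added to the pallet's `attest`, this `assert_ok!` would be expected to fail with `CannotDecodeVerifyingKey` unless a later patch adjusts it. Either seed the genesis entry with the encoded verifying key of a fixed `pck`, or have the test overwrite the stored `ServerInfo` with `encode_verifying_key` of `VerifyingKey::from(pck.clone())` before calling `attest`. A second case asserting that a quote signed with a different PCK is rejected with `Error::PckVerification` would pin the new check from the negative side too.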
+++ b/crates/testing-utils/Cargo.toml @@ -26,6 +26,7 @@ synedrion ={ git="https://github.com/entropyxyz/synedrion", rev="1d210d1 hex ="0.4.3" rand_core ="0.6.4" rand ="0.8.5" +tdx-quote ={ git="https://github.com/entropyxyz/tdx-quote", rev="cb167f2", features=["mock"] } # Logging tracing ="0.1.37" diff --git a/crates/testing-utils/src/helpers.rs b/crates/testing-utils/src/helpers.rs index 60194a153..deabd52b9 100644 --- a/crates/testing-utils/src/helpers.rs +++ b/crates/testing-utils/src/helpers.rs @@ -20,7 +20,8 @@ use crate::{ ChainSpecType, }; use entropy_protocol::PartyId; -use subxt::{backend::legacy::LegacyRpcMethods, OnlineClient}; +use rand::{rngs::StdRng, SeedableRng}; +use subxt::{backend::legacy::LegacyRpcMethods, utils::AccountId32, OnlineClient}; /// A helper for setting up tests which starts both a set of TS servers and a chain node and returns /// the chain API as well as IP addresses and PartyId of the started validators @@ -52,3 +53,18 @@ pub async fn spawn_tss_nodes_and_start_chain( }; (api, rpc, validator_ips, validator_ids) } + +/// Get the mock PCK that will be used for a given TSS account ID +pub fn derive_mock_pck_verifying_key(tss_account_id: &AccountId32) -> tdx_quote::VerifyingKey { + let mut pck_seeder = StdRng::from_seed(tss_account_id.0); + let pck = tdx_quote::SigningKey::random(&mut pck_seeder); + tdx_quote::VerifyingKey::from(pck) +} + +/// For each test TSS account, display the encoded mock PCK +pub fn print_test_pck_verifying_keys() { + for tss_account in crate::constants::TSS_ACCOUNTS.iter() { + let pck = derive_mock_pck_verifying_key(tss_account); + println!("{:?}", tdx_quote::encode_verifying_key(&pck)); + } +} From 32e0249bc3d908599c4828fb479785f9ceb49a80 Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 13:32:31 +0200 Subject: [PATCH 13/28] Add actual PCK values to chainspec --- node/cli/src/chain_spec/mod.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
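Review bot: The doc comment on `derive_mock_pck_verifying_key` should state that the seed is the public account id, so the derived key is predictable by design and is only suitable for mock quotes, and that the derivation must stay identical to the one in `create_quote` in crates/threshold-signature-server/src/attestation/api.rs (patch 07); e.g. `/// Derive the mock PCK for a TSS account. Seeded from the public account id, so it is not secret; must match the derivation in entropy-tss's create_quote.` `print_test_pck_verifying_keys` prints `encode_verifying_key(&pck)` with `{:?}`; if that call returns a `Result`, as the `.unwrap()` on it in the attestation benchmark suggests, the output is wrapped in `Ok(..)`, which is awkward for pasting into the chain spec, so unwrap or hex-encode before printing.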
diff --git a/node/cli/src/chain_spec/mod.rs b/node/cli/src/chain_spec/mod.rs index cccc9954a..418cae542 100644 --- a/node/cli/src/chain_spec/mod.rs +++ b/node/cli/src/chain_spec/mod.rs @@ -131,11 +131,11 @@ pub mod provisioning_certification_key { use sp_runtime::BoundedVec; lazy_static::lazy_static! { - pub static ref ALICE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); - pub static ref BOB: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); - pub static ref CHARLIE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); - pub static ref DAVE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); - pub static ref EVE: BoundedVecEncodedVerifyingKey = BoundedVec::with_max_capacity(); + pub static ref ALICE: BoundedVecEncodedVerifyingKey = vec![2, 137, 55, 65, 52, 103, 166, 204, 247, 160, 46, 220, 5, 113, 151, 217, 157, 196, 11, 240, 175, 82, 148, 230, 31, 245, 207, 194, 3, 74, 121, 184, 20].try_into().unwrap(); + pub static ref BOB: BoundedVecEncodedVerifyingKey = vec![3, 83, 163, 234, 166, 114, 67, 146, 122, 122, 99, 236, 205, 116, 209, 45, 230, 107, 62, 55, 147, 38, 185, 203, 157, 147, 156, 173, 233, 58, 134, 162, 156].try_into().unwrap(); + pub static ref CHARLIE: BoundedVecEncodedVerifyingKey = vec![2, 167, 50, 42, 76, 239, 190, 42, 72, 64, 110, 90, 172, 253, 252, 148, 115, 107, 34, 110, 2, 112, 184, 147, 87, 71, 63, 217, 238, 89, 253, 97, 176].try_into().unwrap(); + pub static ref DAVE: BoundedVecEncodedVerifyingKey = vec![3, 68, 52, 130, 44, 84, 174, 32, 55, 213, 192, 7, 121, 188, 19, 231, 134, 47, 223, 166, 199, 118, 161, 203, 142, 75, 184, 108, 165, 70, 251, 249, 142].try_into().unwrap(); + pub static ref EVE: BoundedVecEncodedVerifyingKey = vec![2, 60, 115, 185, 180, 118, 177, 23, 3, 49, 65, 92, 230, 60, 245, 1, 140, 149, 117, 238, 83, 69, 110, 30, 140, 31, 60, 69, 38, 34, 202, 242, 125].try_into().unwrap(); } } From 9b2384c2d11d1379452fd03a34d5596013a702a1 Mon Sep 17 00:00:00 2001 
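Review bot: The five literals have no comment explaining their origin; they are the mock PCKs derived from the dev TSS account ids (`print_test_pck_verifying_keys` in crates/testing-utils, patch 12), not keys from any Intel-issued certificate, and a reader of the chain spec cannot tell that. Suggest `// Mock PCK verifying keys derived deterministically from the TSS account ids; regenerate with testing-utils print_test_pck_verifying_keys(). Any non-development chain spec needs real PCKs here.` The `.try_into().unwrap()` inside `lazy_static!` panics on first access if a literal has the wrong length, which is acceptable for constants but worth a test that touches each value once.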
From: peg Date: Tue, 17 Sep 2024 13:58:37 +0200 Subject: [PATCH 14/28] Rm unused import --- node/cli/src/chain_spec/mod.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/node/cli/src/chain_spec/mod.rs b/node/cli/src/chain_spec/mod.rs index 418cae542..d8a7598ac 100644 --- a/node/cli/src/chain_spec/mod.rs +++ b/node/cli/src/chain_spec/mod.rs @@ -128,7 +128,6 @@ pub mod tss_x25519_public_key { pub mod provisioning_certification_key { use entropy_shared::BoundedVecEncodedVerifyingKey; - use sp_runtime::BoundedVec; lazy_static::lazy_static! { pub static ref ALICE: BoundedVecEncodedVerifyingKey = vec![2, 137, 55, 65, 52, 103, 166, 204, 247, 160, 46, 220, 5, 113, 151, 217, 157, 196, 11, 240, 175, 82, 148, 230, 31, 245, 207, 194, 3, 74, 121, 184, 20].try_into().unwrap(); From 101c6223639fabfbff876ac6ce89771938dffa43 Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 17 Sep 2024 14:01:47 +0200 Subject: [PATCH 15/28] Update registry tests --- pallets/registry/src/mock.rs | 12 ++++++------ pallets/registry/src/tests.rs | 24 ++++++++++++++++++------ 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/pallets/registry/src/mock.rs b/pallets/registry/src/mock.rs index 3d2c10f19..3101f1760 100644 --- a/pallets/registry/src/mock.rs +++ b/pallets/registry/src/mock.rs 
@@ -366,12 +366,12 @@ pub fn new_test_ext() -> sp_io::TestExternalities { let mut t = system::GenesisConfig::::default().build_storage().unwrap(); let pallet_staking_extension = pallet_staking_extension::GenesisConfig:: { threshold_servers: vec![ - // (ValidatorID, (AccountId, X25519PublicKey, TssServerURL)) - (5, (7, NULL_ARR, vec![20])), - (6, (8, NULL_ARR, vec![40])), - (1, (3, NULL_ARR, vec![10])), - (2, (4, NULL_ARR, vec![11])), - (7, (4, NULL_ARR, vec![50])), + // (ValidatorID, (AccountId, X25519PublicKey, TssServerURL, PCK)) + (5, (7, NULL_ARR, vec![20], BoundedVec::with_max_capacity())), + (6, (8, NULL_ARR, vec![40], BoundedVec::with_max_capacity())), + (1, (3, NULL_ARR, vec![10], BoundedVec::with_max_capacity())), + (2, (4, NULL_ARR, vec![11], BoundedVec::with_max_capacity())), + (7, (4, NULL_ARR, vec![50], BoundedVec::with_max_capacity())), ], proactive_refresh_data: (vec![], vec![]), mock_signer_rotate: (false, vec![], vec![]), diff --git a/pallets/registry/src/tests.rs b/pallets/registry/src/tests.rs index 77a6517bb..8fa98ed9c 100644 --- a/pallets/registry/src/tests.rs +++ b/pallets/registry/src/tests.rs 
@@ -57,12 +57,24 @@ fn setup_programs( fn it_tests_get_validators_info() { new_test_ext().execute_with(|| { let result_1 = Registry::get_validators_info().unwrap(); - let server_info_1 = - ServerInfo { tss_account: 3, x25519_public_key: NULL_ARR, endpoint: vec![10] }; - let server_info_2 = - ServerInfo { tss_account: 4, x25519_public_key: NULL_ARR, endpoint: vec![11] }; - let server_info_3 = - ServerInfo { tss_account: 7, x25519_public_key: NULL_ARR, endpoint: vec![20] }; + let server_info_1 = ServerInfo { + tss_account: 3, + x25519_public_key: NULL_ARR, + endpoint: vec![10], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; + let server_info_2 = ServerInfo { + tss_account: 4, + x25519_public_key: NULL_ARR, + endpoint: vec![11], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; + let server_info_3 = ServerInfo { + tss_account: 7, + x25519_public_key: NULL_ARR, + endpoint: vec![20], + provisioning_certification_key: BoundedVec::with_max_capacity(), + }; assert_eq!(result_1, vec![server_info_1, server_info_2, server_info_3]); }); From 52c4236ae7fcfc542a2eb6e96a2c3924a926cc3d Mon Sep 17 00:00:00 2001 From: peg Date: Wed, 18 Sep 2024 10:53:35 +0200 Subject: [PATCH 16/28] Update metadata --- crates/client/entropy_metadata.scale | Bin 207926 -> 208554 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/crates/client/entropy_metadata.scale b/crates/client/entropy_metadata.scale index 2c9faa9d0e84c708ce08592872a63be6aa7fd84a..af01e645a2d9fbf0182bdd51ceeff0478be4ccab 100644 GIT binary patch delta 16954 zcmb_^eOOgh_WxP?oco5LATM%x(TfTSLVH|c0ABr?(#Z&wKto;k|{_%FUL|yOAqBD(J}QWQv#h-2bgb{ zFVRnGyE#-{V4fiV`+7P_J!cL9^s{*a+0^ltsUVtKtNyG-tv9GXksR&-WHfjww98>8Hx0TdMMU2a zdtMz%?{d{i(m~$ZN#laPkR;Y2b>J;Y$JC3%zfz}<4OLUVv$R~yDj_=EGHpbVOy4|v zE=GMg=QLeZFOD9ot{**3Pp!jy)tFSg_l{BNv^ryKty+*9sh%90Naxgm+&kzTFL(m| zapwlnMV{M0k?J$K_t7Qw-5;aW!x24OwoR;4)Yc#EI?#LEVnvAlN`Lk4yZSSt7SCN% zOrb>J&O{O(NwG?il8tyPr=7fT)jn9}o-0YQ>V+9e6xR|p^9?h_w|smbT1-^WKX3=7sF}qtP^Q{m zyb9?#vxi2cfj~|5O$5@^S7#@MW{NhmNx~zz%ONR8Ju`b)LM~CvIA@u&Vy;V~K+oce z8!{q2-UY7enmjePBsDk}Rn3u7o}iRZQog#pWO`43bZN4Bsw9mH)X+KS0}FsA2TPJ< zl?qz|onM=%NWC;~HWjtZn4d%d9$oNTyaU{uSP=w;L1x9oV`3<>rPo4_OwN{N<&P1j zspk`Nt1ne0P`P@^Q+z#LSGnYR+FteK_4K|fXMkJpWN@%luBKMUvnt|a2V+b<)rVOv z@m@(3t`^t)iRx6FH-YL~QoZAe>iEw|l&o&3b#*0&F3JMRLyM-`>Os$>NXv=;`F7Ab zy68P>P}eVhM}JROw=SvIQw8d>y1SA3q;3YSXmLCoqtMEhoJV7r(nx^|c+Wm8N?rWe zX|{%V;~|Pxk3rsm2>yBduz4rJgCR*3B_^CcJZRG78G(g?<+fLfd z3-f4*df@4$w1uxaLg_7!uG~ztP93{CN*(vi?QA3QZ;wzyK$G749g?(JFWU3WeTiF0 ziJV#~7MY^Vq-G*(@Dxvl3!@V}!&B~3q-NB?(~KG(Ea|PQ3y2Q3$j@ftM;)R5n(YM7 z5tQ08{CAT{pL6|M{Y@esikc!3=V;&V5w5L_`!UztIus54x~>v_J@+}+}O8QEK1D5 zQXGCvOo~_g{^0>iY+3q;VMHk{+g_f{dZ&oGX-vX{HItDcWvcyOd4RIjWv?W#Y^I** z8L94lB|I~SNr4nu;i)cnmgO)~W=fRosdQEATJ3t)z;b6rsnhGJuG4YU_Dy!R|E5ut ztCnnv#k+n}On5G%EMuHT-Q#l4U*H`rNxAClo8l=?{bExR<*U~=MX~(rO{Kn%>V|s0c*In+K;jM-em1v;5yt1sM!ddQ$Q)%=4Fa^b%bJ7c$5;)$o zSWJf^CMgnLlKx`FOu~Z>J6W*gL`sI(v5H+SZJRS>=4O0OA#`Qb7CTntxh(_uYe~>+ z3%2y_RZkRHn>I|M;JMDSvMRnj9#eP6mUJEOUaY0O*ZYw#`>EGO_U_jUeHna}je4th zyy3Eyqe)i9q$+j$8%a=gC*ODkjjCI<+3N1C(Mm0&CY9cNKpoy3tE^?TQw@2mSl!;- zkF7J1GPd<&o0%H7r$l{oTbk0$=&FvN*OJE8$vU0lH!bS%76%e$%0x zkwH%oFWv57SAF^06EUW0ueVkxCdF6$@3)ebAcan$ZI`-Ii-Q2(&>m&Ein?+4Y<1<1 z7$r~9*(_EAc1E*&Bfnv%gB2M`(=G>*x?y*T+OVr1GnsU@l(!v9kV$W%SZ#RQ0W~Es 
zOuJ(hyNNdIj6J?P7V~$*?q!gSW6x40#e{Z*1b*5RucVpixSFx)830yYP*oOy=P~&jGro^F!j`X85r(&-p{5LYZ?JxxK`u`Pf$ng zi-C_(wC_pe{?ESD{`Jh7UrNiF6ig1!ym_vQQdcz;BQi0WYRWv`1~v7Ah{5%YA}6_= zD3mCp#x>VdQChMo^uc{_Z3cWe;FqmqgZjXS3GjNJ`0!zH z^z(-!sZkyAQEcBej8b#U$~=o*r8CfejnIyb`m#t)me#1XAJx)Y^}CPOV%G5u_hUV* z+dq>ws-2(MRnJA6y7l7_HU8rTH{`qzsP?Z;@O1dEcf~X@a@=2=HPSIOwHWJ9Y7#3g zOkZi6)zP1fH>z5~bWND6{^64;dQRV)@>ARHx+&+ywtOQ;y(Ut8V{eL52S$gfi$5I! zUo80NF!h5^NBK}<4%nc25)Rz&*uv=U+|q@$HQsVpg?ECx+BH|$3yH!?U1eTpuDbES z6Ko4>Jl{vnIhe|t8E>CYgVdkn%<78=lW4p8;lXU!K58$6G%MPxAkCBQPCY+Wt^O<* z;(GJ5{&*k$>=Ai8v#ON`Fjusj?w9-rKb4-X*mK| z<|`VS?^l#w=m%st{eaAJKVVoL07-O!wK540^lB{I$0R(G8GeQ64{Ku*9!Uv|W$mJ{ zUB}zU4lxOjMKT{@(hoJn{Lp_#tDOyQLfSqCz9=-M%QTq%48GnL|5DPocBs@Ao zr$Fcw2!byl2wAZ!Ov0lhTonjc1p?-zKoA0CCRxIxBiQ79%a~*XB%2HjAyyV5OL%mQ za2X`R1%lZ?5VB^mvV=!Rh!Y5L0>NS+hyh@UvV=!RND&Ar0zsG_Fd+toWy%sBAS{bz z*#aY5VAu={F;Xm7mhk8#@&rPjKnO4p#Ne^XvV=!RC=dt*0-=Y2AO@5b$r2tNp;#ak z3xq%e!6^`2vg8t(VyxT(!!0m^42*JtQ6)=wbc9-gP%9968VGd)ppVvVwdN4WHBWay>m4^PI1 zME&Y;JXTs@N4&6js|WX03pygP&KGu6;C-Yc2k$;d4nPO|=6_;U<;yRjlTLg&6Yq?p z(_v43ee^A#rkH;0Cm5co$6rN_e;;quYs_X_WPV#N=Av>U^m;n|L>M)zlTIYy?K#mO z3;)>@@ocBeFXmEMOWTPsrtFdF62Gg0?CQ^_nqgYD{ymZQsbBtmTfj!qm5oellEozN z8#xy$2%VCwWUbADBP)u7r7cEZj-3ut|Mian>h9Ai>K&&Cu{mW(cm^X|cXiT=AJ3WR5fp>*U`JM&@amSBd9{DwuAK=`*4@ILnK z;9oXxXVj?gvSQE5GpJT|w$BeK<|?L4qVwvVKO|D8>ir=H>1{s@ zWSz3^@zZ5B`p0@ySo>o%HPQc_ z|T7Q5Q`Q)*Dx^2QVmQbgz=O8w@iemZib>bN=-@`SV!)km(z8x%}| z&eBrhb402gSBL8>)))(Hb$`CiSMjZ%pMiHe@!H)=xI!PPt?x&uf4+8Gw_kQs_Vz|H z6NU5ViDuaC3QfwZs&y~&7!jILlad`%usrNsVU$g=d^95`W%3P-?gcbOq4*wlQf5({ zqRgOp{-{FzZ?j{!Dg3ywdG6{OZ<<1pgJ&f>W+cL-8!nt*mK4Y9WSWesAIg+SiM&&$ zKKQXIb0dohH&`?6OBQ~Pnu{3elpB-=dCz9%%~a5|7oUD6y9$E z>RRm$3t?-W$In41f4+2n{#%&@#gnUgfJeDU>GYNjrZfl=@L8{~(k~sE8+oQ6YXF z38VY)b2yCd$4`1V6+sXy!zq`X{6ILRjdm*(JOOQDVwbt*JIlJ^z{RcyyP@D}x5wKJ zhPld}?lLzY9YOZ&QwojsZTGvj0zxml%boLG-Bn_|i``x?qM}_bN>08yg3=r=OmJau zj$=A^SuVtKuom2kTan!SR0Q3=tQFwy3+R7F||u!jMH zhekkw1_UP7017f7aIqFpPXhuQ>j3pKATY8KP_O}k6A@nwF(9zggtFcS1YR}+3N@hY 
zWs0-~V3-aL1v5?1ui*v+W|~nJVL)JJJD@%W1ZH*uiZmcFvj>pffWS;EpeO?ZGy4EV z8xWY;4=BcfvXo@04PdMRLNx7w`sz?Rm^lQfp8>glS069sGbz^l*9Gpc9D$GlR}bmA3Z6=C`al^ zAw$`&CxrmzC_T9!BPPkwdRmB1j?t4sZgQ-i6hf2x>d7M_*-uX%N0PY|>6GH{wPBlm zbF5QL0EqOAz(1=}ix`3TQVfco_r!6gG} z+YMQJZ-55yT?yp9DeKiiRFN2B@}C0kTf^PrfB;XpHfAuI1Bo?>w1n)uXA&8Hlbz2( zR1?-|K@vvA#}5LXU8QwHsE2V*;PiE{J13bp521&Q(iBUWTlo0(ydc>(h<5HnZBC{> zy}P#Z6uCeT_{Ji(dp?|BNXGER^8Y0J%$c3vej7#exhcY&i71l+A4nme_buRJy(r35 z?Q)hGNWaht`|afB0qN8;y6#rF)ERP#GC`B2?@$l8w zrolx!kxHg6LE+eO>Mvofxgj&0mkdQO#YsvW|Lss(mK1-(xHa6$UxUG4qDhT=IFjF; zPVqi}i#McWAY=Jagu@wR7+2rNkdw)9N8q=G^V$p=9RN=wS?qgM5gZH?#ZM{C@>GBY52Kk7_Fuh{>?BlqHf?}I6Y>x)MKF6U1=O| z=zii^7B)lu+Bjd`*(2a`RQugsx6zMRt07{Xlc977RCPLF{Vo^m%7mPc>X zZi{&kQp5r7MxinOuekcuJv@dUG~x?<%2@Ph9bY|`UW7NCk_+zipXeSqE?H7i>G71+ zpAT|rFdWlsjlN?>~tKi^u~n zM}l9w1NC-Hf*^AyQ7S7i5RnezYbMbER%m2=K8ecVLFVSuayrQ0&!>Om=bbxgH+~+u zi;lBmle*`3k-X+^Dj=t}?{0d4n9IahUZ6N_!W38)tk;UERL;sx>dBX)dIXCtJkD(p z8Q0h}D3!c2^THx2FQ=X~89~=@qbToXd;8`AbDI7%;w#W2l zF7KE@VXWRH&eXVhCQQh3{_#vKtp@!ke1*vxQ&U+o*Hi7%YYOeXl9v=x1#85*iNNY! z{W1+4yvAg>#A{96F7X<~DHZE-mMpDBiUC}wS4rh_W>IL;#v7DQlj#;4--KFduF0fc z`!JgCn1xN$W`1xM4U(Hp#B=Y(vI@P2Li%kt(aah8p@g%#Zr1dP)2dw)-1A*EUO3s( zW~27(d$8?j;8*XZKA~Goxa?3puiFifw(z!lC|}>3pPyAo$?c{@sFroDmjj&rzG^9O-7!q22Lfhvjv{qec$-&Y-Au~YxwUb5k zCiQ3&1%XoJ5~*EVkG&DGLw*Agal}XKlpn1lrpEJ;+*u6W>g10W(`~(un8 zsF9@ODDJ~QE2jPdr$l2%Owt*Hvxu`kYUll^oz+6TEiUWL_AQ~Fp;t^d)49UOl)%JY;rEr$P zGtI2Wruoi!lo*t0hQReRnd+JxeqkQCB_>O9wpq$HDC?ot zaKBJ%j^Gz~xkmY*JfDQ}{Uns9lldbqbmR+cfRp*b`80=i^0Wo;h_-Y00>l9dMCM=| zNm;f13#gX@9e<>Z#>0%omQ!S`pE2}BKnK=VlzHYpgk$pke0n)zSVjC#<&?yV3|_*5 zjltUNCxl`iU4f8IHlI|1_MLol1&!+MGE=f|A748x1O0aKe^pR?fLriw#U+?>p5US3 zy>AQyi_13LhcI9PCKZPiq0g+8pRr~W)|DZ+tUjP(AcaI8A` zzn4<~&<+|asN!M>Rwx_@%ne>q56^M>Bk0R^qr!)eP!b08hexPC>V>12_VAJQ*ktS! 
z2*rc;nEk!_gSY7EgSwh-HK;wbjC$~akJ4AM`vm9v%@Q6Vm*cY3rl;D?8B#kRw2X$Z zLuOnlvuowcpiJ2jWAM|D`zGQkzlnHU)C>$h3x$44kOh23Cw3MWqt5!x@F2e#e%`EK zDdUTm!*4muH!Oz%>Et_>V@x`IMI#?a-_P=SkJAu4g7prl{z^}cvrM9a-UZdJng!4| zr}=A-Q%b~TGiA+$2T(W4=h$J4F8j!so`4s7g-?3|p3zml^$D7SP1dz15Z(&n{hp+G zv6p2UJpOu=9@kWGwu|7EIC!n`#~dIov0XL#lRy?@8JH~H%9C(%hiUMQWI}=gvhlGE zxJeRZ(Qnf6Z4ERoB1A_zE1#Ca4fL~S$!<}jzq4xtenoRlEY@Nizic>9mY@(E?srA8 z;`k@O#isC9jY7c{&bpcoKJ#fxVDT1lK~H=B8G4y@6YA+tDCIiJMi!VRc+Ip(nHD|h z&SyVM#Y(mh=y;YAFz>ECOIa+(B5wC-_p9VkSgw!Bo6m^y_`955hd=6hUJtmM*TS7H z;18{(K_P2p8t799B3@pglQ3MA@NgV(LwHgMb@#VW>s(7$8T8ME7ik46Hk$k;{o~~C ztfTMA#kaf!bL!$BzeF?PAog1i{a4PXuBX_ZPDU|$I57)h@+$4&_0%X+Ef0JdK4hIA zC$T9$PU`&zwqD36g{0-Y{bhQQHTdJ7@)?B{e)uZ{{wWzsX5SxaL@!(~w02+N$mTtp zs83plp;V^3Dm~TMvOpk>`g|y$3~7y?N)49Q>WOuhEf#4VpR);<;VPOaGo)C-?SR48 zgTFN!`I}8t99FDQYJMrA!ESF|e#JbGByBWgc3+ckwr=)gvPq{Md>)ZOq!_?07Jpq* zbn8yD$k=H%>op^{Tcqss(8{^}8cVSFU@!@aif zmp1Q&*)nlu7j|DEe9SINAB7cv-33U;4hKwzSp7SLJFbR%x=<{4Tbd0R?(p z=*U8@yhpQ?2BLda=aO(<^B#gSMSRP9u%tyg*<03Qu~omMtEInBxP#~9bss@VyZGS! z*h#yz>H85$fWFkbTy8}eDM~x|F&$+HUH!R@xC7$7+o!qxW){XX7}1>?!-tCH%RZ%W zR%=y9KN_L^`BSHWw$ezCK16p~8wEb@nu)AX)wA5j|9l8hp|!mA5X}2pk?ln2B;-ptZ|nYs)2cX5 zN3jnMItHgCJzV`6wBiQS&C``!!!hhf>ZiDlh0U2nC1pcRL{p zyZ*ysZHV?@&;A4UI&pl}57;+2w6}hsELw(uV)r#~T#NS>Rv1wu=YwS~$E?W?{rJ*R zU0WeO@t8B-SyAEfPC#6w)OEwB9cJZ8qs&pN7djSoefZ(Phair@)5hPGIBMG5hxAIm zPede((r?LlPi~@E}>s(M()8&*uZ>mV$nS4GA_|)+b9sbAW6#RC(SHen|_&I3?}S! zO)Lvn$H_5s#0XrW$5#{3Z#vm&X68WfvdYYILT}k>O8LCi%=#j132I4s^=x1sVv+8O z8uwf(un7}?%RN>aEW(vKN=>27*jrz(B%Df}Fs3O}fi>nCuSYJ-yO?TDQmU*qXF8-L3M=s!6r#_@e zkAbQLK~*b~%RqMVs{yP(pJ!zW(6cM8tUv7URx7gu(o4=+*$!ms=?`seDl~7O02U7q zH79^2rPbPQ)Im-LC6s{<)PcVKV)Zr&50sFTWx!E=K7dURt+K%(tiZ=A;_|9EmX{C} z3t;!AuDF5ul{SCwR|=9hvcJ+`Y*P=ml^XfIfou$|;m-%M_{6n0NUQNyX*C)GSjSs~ zSQ!6LAR7+~qk~v9^xJ(wY-Z@K5x9*4HwOW{Ye5i~jy5qM68EU)x##ahaB*Z2*%O;? 
zXn6Cj4R1CY-fT4dNl!L7ZOaY4eiEII!$GJ%WKVYYInFokEET#dA(W-^=1`W)lV(tql43DFnB(Q4O#fm|-`Sb_@®cOJhp4AZZW|2_=O zRPm3)z(Otmm-t!E2ZpmWurMo}rLr>?b%QmGzZlM2yiamwT1EB5v&i0ei6ZjVVHaLVI$cZt2!qjoEP_DV-(!~F}|haS|6x~ ztNd?$1aX^M&?Ah;M6v^*e+LVrx}$$Y~Ah9i{c2C_4VBz-lI zo$uvhB*heZaYMyhCt=0@J)Yf#VYw{tBntO#a4CYd#1ng1o3T_(4-BZWPNZ#8&!Dtp+x(}bIyDSUJ)i{Xb-*;3l0 z6{N94M77$Wblg9t{o46VHj!{oDq}d?Pq5WLXR*QNb&Q@;V)(_;%+B+&!AiU4&1RDo zjQ?M9*weV8G<7t-aqHwOMq?aoTpP^><51`1XqF*Ea^d5!nB#ciI5v>twTH*CWD|yN z(;e(#O4IsJ65Kav@8q-NjB>RX?`D4>nyihP!YquMwL7M4qwGqX&^+847KqUTQS_oeIv$!>Fw_Q*U|E>h*%x%q58)ALp>WP@b6%3Q1MC}-iK z6bA_vx`00LuubqHwTddXTlj=SyigzE+~Z}R01bMimaW8id{WD*p^(NbV#7=g=C$U> zc$%F#wBIknNf52mzFW-h!S^wI{KM=T!0}62qK%rg@+aA^WCZCh{hDPV#*y+An-4#0 z%~R|FYUV#Yg_gGSVJp}o%OROQlHkR)tbp3?;D1}eex!Z;>?fKB~L@f zZG7$1>`u!OnT|;i|F=)GN3r*GuVl06jP~wId}e1oZ^qXBO-DX&RAF@Qd4`qBSIixP z-(lLNXE1{(M5}IO7PubT!_SJ}i`wHVOCs?V&Pi?S@7M}6mh^}hSR4lLffvwf6@Tsp z=zutW^aVB#{58JB-d3)PTg9}FA*jh~*0JFj)Bhcr6#BP;oWlRI9?L6@f3=>?#!ub` zA$Zbo4f!6Dvn@{wPUCp}A6RKGeE0LyV281{%rA9n7yrPfz|32CS{RGqvo^!<=kmpy zS%o!7!A%GWEA0Gc=%sw#<2A57ndiO65bo1Hd<|FaF^O8Yut7?QLP6TOE$l0T3i|vF z3`r3mxs|Pg0{M6=TWNJ#6iGSgn8DMUSvbGAmDzYbQen9YZu>b>yF!HH@DYq#d!?DB z69(?fZ5S#yf3yVyQLY_oVNQb7hHq!1tk@03gSA?1>2|i5VZ-vH#tML&w*#uf&0pWa zo>1}?NH23I`wR-ux{D3PVjsB+lpDBb7rPs4efKWrl^ZP~JpFAp9Uc4C+bk3FarfKo zAH6q#@(y~(aeQ=*t?itL*8MZVCDb&9ri6W`#<(FgxR%G??R=^MObjlTiG&F ziV&>Vl=m2hzMX&j0oLsy9{M4hEg!d>(!3usD+bPlb@tdtOjEGXv)V90&+_}*z*Q%I zwT*cd6V@Mhe2R&9nXms8YVZm_`YCgPt=t3bHSuAUOS^CY8PE)c?JR-6-OiGDQ#%uf zhr8QZ_U&sd@m6u4Cma_UAgM&_5Gf2|UQ$QKk2OX>ZWp$Jib+c013zQ$!zDcX89w~N z2U@k-ZJ)D0Dv-+OhgpJLU@hc79cDw6I1??`hIFt}Chk&x2}wEmPhWyTH_tkX`C7~? zkAebjn6A*aA7%Q1?}=mVBc)ZIKzz;IlJqv=yI? 
zHKM-_Jn}1;#T9(aR~WdJ&wb4nglC&*4JjGpobzXP#i45&wfe7_yC<#DzP`-%<5N}M z{9h=qW?u9YbooB*&`+?580yZeX!(@(_0Q}Qrudp;@*TnW5)I$FUSCP&S~|%SWQ^w$ zMSh7LJg?bJauZV4RZbGSoV%^^>tdJllT}W$I!&}6 zST>$%lSgAAdu{UlQ7#j;Av4G}OiC6j#c2e&g-JVWllxIHw*|=mTs8@ZRX2UNO43z= zd2*AZtIXm17}Yb+fv=$*Gbh~Zc(B%8R+=KdvUHT=7!!B6#LZMkwSE=WRqaS|%&Yd4 z>*#Z9tA$TmR+my!Td4;?OXmQw4Aorr8hq{MKq)w^OYzp!P`QaNgYOV-?IHIM4!7BD zVnSA#$b>I(Vzm)HCsfz8Q7gJl)Sn}X$$a+R%+p9z*1228dEs{cfhLB3!rOR291`2)U@H%#LW1Ee}Jh0;0wSh7|XxpOg z93)R*i3PU6GFL@#vrU?S7+-Z=32sW4l;VFtxXWs+fwfD#K7{Q&AxU0Homyj(>=0Ug P+YtFtd>S#W%_jXn!1rN& delta 16497 zcmch9e_T~n*7sTaoO`(!K`+9E%P$251q1~I1qB6vlcAzuVj*7js<-(4LuCrlDJv^V zI@unlsAw{ydCiDnu4tB&%w&xzr6naLQ&vvdlaO*%6#Zw>d(em%s@ObkOivCz0%06s$OGQIPsSQS%7-n zD~KZ1FTLU^S`9EIQI0ytG?wzzGE*WIs!y9HP?35ZY5Sw*Bvwj~+fZk&*+!M>N^=6$ zs}GwKX`A}GIi9ww-ReEK3S)r>b~CE}f&rK&mU{_5$h)%3ZV zk)1_fsrA`&@$Sx!Lis#U$Azh}OJ|!rE8nxd^hgEy*HZwQ$L+R$pK+Ka%hO(@OD@m3(+V zBda<+e^_8JQHEnpa%yT)`jjb)YFCvwS4&c`x+Xu4!rLFo-)Cfz#JkKC(4K#*FJsZf zLv~ZBy18f^#i}nBJwZw8oD~lveQHHAC8&{a1>hZC9Os`T+D#=1kKiz!q;z$8@uV>j zPuL85iM?#KLn5E@jb+zm*vf0xJF2R)`NB#{v}B^L(I#aJQnN{#tzIr(Jk%3k%2AiD zOrl)%{*@Pea)BmWBuO$!dF@;6UmB=Db*@`M1?_LGiz5I(tbY*i2In4DKz!>CO612{ zX*dG8MJ|Sh|In9Yvk!VN?0bjuX_a?ge| zpq$;X&{PLX21Tk@CvQBXY$dATo0BO_ow(`g>!68hbY1;*ImzmebvM&iHTyS9*f!$B zQpnc+(r;viZ72TeaSBvl%=c+OwfPE(B~od}{Q6-_A2qf2Y>gv%CuWAlIkqHxXrAp z>m1)vz}kq1--J$1Yf2;5LG2qKO%-2tuX-OogTu@^b)bFiW4WZw+L7(=@3fn-yi=dP zqV|l5R9||gg75f&Z0c`Y#u2G6wcG|(H{{s@iy2FvB}%^HgE96~E1sQ<_4C5BqtNSj zo*gmFiV~wm3dYC4q;U0L&)!Cn?FE0BL=@fr&~q!;@MuvtmPvTf@01iNL4E0kKy~<@ zIpC#m<S7>=~by$|N7Mm6cbO+DlRyDftq`msdEd>_Vc~vZ6}uWozs;I!?!>h&{A?A6s7wG)%4Nm908QXSPgk!Gt)TQi`h)z&!3;I-B;ygzQe6-#mQ zi?#3YdfkA}C}QsSqjIq^;PZ_B}7A$jr{vr-uirKkg02 z!W#P0;$d|}KD9}cB(kiwmy|epUO1-Vqc2U=ibt#GUrNQ&8o6&I=|x=iB0sfy-zax^ z=e}fji8}1%jb;ZLWKM?l`N+$0N+hGbYEt`cYH(XP+0}io6swQ7g({_tb|ZU*>i4YT_#^)RBKOsUNwbFx`G}ZD(dheHocw z?H@_$j~*yi*L8*|nTp2LZR%&8VU+#ofd&}IEe9Id6-A|k_3WymZaKJF)IYcdihs+i zcPV}ba4Fil?NB%iHfXH(9*SU*db04fFeTdHCVJ|%F-ok#&D*W7$FU?G>D=pMl~e;d 
zBhw zm&Ej1X3AMZbxg8QMETmajm7FB)T)tx z4fd^NWSghKl2ohC{p)fp=x6`BoYgVjUr7EIAA3cGZNMNZSgyjf)vJ@<8Ux;n-ueyO zrXhx^KfX0Gb33D$nA%Ax@ez2%N|b`RTE5Y-rdY61-N-00Th9>eR15vLU0Ve4@lqq> zmCMOrU47J!$<}>z7iLxQ+a{qOP=NZ(@eIA(JEF|7v3PBj!;$&uiCZzN zZaXmoE!}zIZlr%XF;8w~K5F90Xtlg23B%vglMY#a+*1Ns&U>#C!+PL7yOy7*-u!+x z1o80uqwsEf|1RW?KRMaIO(@2Q>hh9Wp$Xfd8keX^Q6a+us>*B2)>xn;pLmF(*vVFR1$Jvy-dQR(dZL2`T)rICx{8* zuyahpqamCZ2g#(E>r36fl9IX^>cg zEaA~Gk_1MQz%c6=V!T+oEaA}*G6h1WK=9TP#1OLCvV=!N$PoxR0%3@bAcmFY$r2t7 zp+F!M2m~L2u#QP$tXYvP;n6Vc0>dsae035If#8%SJQ_l&KqwUmLv@5oflw<;cr=7M zflwz9hUp0PvO3}981?Fhqe87rUkVgfW3O80sHq;vkhZE*PDlH16STI=5*|z~sZo|1 z)vD9E*tm6_j>d}n@^m!YDXTkTMyT<_yb1p99ps zkIq099r!pO?_p;aQ?t72%%2C8LqgwA)S||H@&anU|4GyJHMe{^6Pn@3r{nSd;nN8) zRin?2!TYAOqp;#j&qiZ=rk;&u)S({w`!VWNAN(v9Mx^7jSIoOa7j`kJS*`edytzd{ z7HPN6v+JC%`rhZGS?e{Be>9Iqv%S~gfM%I|;FFeDKz2S$95ss6EUTY?K8;7`0I@^X zUB-poonV1|Exej;q_yXRZ+-t><+ zA1l#`jJZ|t1}p69gs;c@T2|RtIbZ~jWX!OyQpbNiVMvs-w79&i#98KuRY!llfO^%c zuV>-y`Z~tFU+YsZeVs=A>Xr)uCJNYKFR688syBU;i7~zZn>4(;z6r*5wI?%7{pUCL zYluZUy88WvJU!LE>{}ZFwer8_=mxe)9-_OR@_tx*j=%Tvm`#RA3{`&-@lPUA)oErT@ES*;u{*Z}u;}22nynA@GjoStF z@(=Z>Rr6ysyCkbcGeU&D8>+tfV~9Qnt?Cay-j4lS|D_}}wBynwu{`2)9i^)rRWo5X z;2A_zRFzkhSKCW8tRVxdg()j}UMeajUyjCm+2#Fs`~5Qu@5=vP%dY%?ZS5*L{TPi> z|NY-KcfY&_hAHvibztemf6vE$9SXs{q#@3i>}@b1EH$}Xkml;!qq9T;r&x# z!>?XVbmPwbIaN;?eC%u12xq{iw*NeNU=jcFbFx-!Q*ZiZygSwO%Ohmo8A&&j@6Ixs z>-N>$X%~DoBatuvlu;0WfKf)UpF;CySJpZ=l&{wIF&XpXBNkvy`3anK#i~#`-z;N0 zezQ#DDS_W9(=xJhIHb`-tfVZZU`1I%;k?j5qsC*(YaU*J=F-I~WQ$oEAF%{Zm#x}? 
zIk(0mOA6-s3gyb-iXQRcoeB*Pjs!c`LLN(;>&omkwN==mM)J=UiinQJOLM9wr4&h0 zGz^-Y1yx~^Vv$r#!Ady1K@aAV{zv9gZ)DCROG@Ic23qKws*z0+WYZOON4|}R8!1YG zg2+&hFN5c%jTo;t5>_NXXrv|h4D+I!JW#}_iLH;o=<%X8ER)o?mW|;>CW@yf*8?U> zCCcQ7%>cEHQZyg#O%n&VM#K4?-ZWVsU;d6a#p(`Xh+%No#U~G;2PvDsIfSOtZ2rp- z8b>*NoDV$?=nWrwhUF;g2P?+#2YhKLakDv7=c#hY4HjK|1 zN>Nn6?-)u8sgEBVO54$uJPY}o!%FR&ir2!ifM_y>};&=-2zP)zMI!CFatmYhl(vNgc+r}e@(*(WKBgoDxhEvKQbY%E7 z*#!90Iur;;m_P1MHSTst2hc1n8O*l^&`3JZTLP#U9U?0g;B$+WmgDn^m2SmnXdo5h zvp$frsgS=INJ$NLg)Fn|HFk*tN*wDDAG-$oY;>#|ge+Cg@|r;~z)@;nvO6sH&)Pmeuqsl;sWt3~Uq-3J7qP+SfS-sf5)G-{`EVffX8PRVq|8I~ZAn*)1&C zDa_>oTUeycSi53ZB)h_&eje-mWDo^4Ai4wNXIX6Dn50Nf0N9!VNLHj$0I~*5RHRB# zT?0}SX%-Zdmc}xuMS)QRCc#?;;H3eR5eEZc(ttEYiyD|UAYGBRqQqMY5N$RjD$+K9 zLv#>4YzO3{Ltvs2kgpDbizYxrbqH+i1T;*Cz{oB@799d7BChDCLtv#DWy5s{ytDxF z*P-+VMcNH8Km(J(Of$5uRfoV#E6M_O2+ZsS6r@97rVWryhrmn+pkN&WGo64!bO_8G z0u-u4V5SRDm=2{W@lrRya2=GP z+Gv4yBr8R(z%Xf}qdD&;ZEQ3*-K33-=8&7Tq0k&_lQs;R3vJTIKy#MiYzkt+EjDS= zmwg+ww2-~#>Y6mcYfi06le6rnAqXMM!?mOkuRLyY@Bo6pK{UO5UDjycFovG|Ro2e2Q0AT$NAtU5s4UKG z@El~vjWKBv^vC0C5W#+%Yho-c8wgdz(I)ca=i}hgXtLtZOd!7qtAQ4|6>>ffT&l`9 z)#cY!IG~gV1Dw(PzHu0(sOrVEit=CBwO#XWL)asHA=JzI2uG{l9dWtC^3G=OvFG`{Tho5gr zA`4u_rX+~n9TNU52|mUDgcZx1li>q+76&x9Utr z@}Vg-4L(+G3ay9m{+vR&A!4^NL+mr^^lcr5t*%8Vzg%Br1|Q9dnVPD3bdRLc0@V8? 
zm2P5IruIWC2#MPGib<4?g5OP|dHD2CqDA;5Po^Cd&EK3%2-xXvRBRe;)`um;yT(~j ztZ(G_-_mHIa0mUC2JobGI>urR+PM!OJ%xS`XZy7&v<08(Q^`R|eD_qbf(1c65E#to zWWdML#?~BGB90Pt6=CCVW>C4DY8X5*ia_sinzsPn{Gm*0aL>S{)5s46>!;Bnch2`W;$aD&H^UDuU$Ew#S(2guJX-OMbvM}lX--yAgde3lvBnyJk!;(BU8;;d3en&P| zc_uf_fTx+Yj6?wn13q1`T=l_e448iyMv z@||-Ltxh*+hh;o=9!+DJZs6EFY?vMqfr{+GoJ2Nz5b)K)6a1BV6vHbJsNh%UQ7C^Y zhe|1rhuuV5#bMV|H_^Yum(QnH#W(+E>JyRrZyvMp`MH!wg|6mYx{X+oL2de7q$_M8 zObN3a)V5ur>eMg2dC4N0%N&>>7vbI>Uj#MaSiL-pb_L)-)KQMMW=8;1bdJhFfSSgk?by2r*B z7GQSOasQ>5g!S4daI3)-R$WoNy1dF^Sz7KyFkh0k8E`BV%>UgA#rn=tn$NaF-R~gl z<4;gjOrt?}QJV~dE@~s9jEbp_#Y;^{F@QU@8i~C17V?kXb)D*IHr%kPn^6nxHuJNE z6vnX~4WbqvybN=um1i%5a^B0!mQffoHH1COXx6yFab4V1XFYOTjk zb2kqxq#SKigaR0W^0kuGs*`%4kme7$MoQW%avlE*+HJgIIVC0kFHa<-4qZHBI^DuN z5z~mpe|SJt+2p8-J-xpvTc%%8q}3<2mQGS>y8~892;won_RC4xgOrM zf>Ln+NNG2hufBu#7t;v-%?dIPJ!PP<#SVLQd0Dk2of2p^9$HMJyn98%JqD>y=hE8m zCVS3Lap zMbo;o%vS{i7Yq_ERjj9^K!Z`AyMD&Oxoa@;MJp-V-)#JK+h(4*3Z~A?m#w0yim#C# z({8iymsa5#gD>w|MYGI)2%j^9QL?&*uBPQOB;s646XkHDN$uH!i#8En{J>hmF`!Yz zj5%9}PDJz6bx?rOI#1i(LCb9(LCaV-_Iir-O)x^F+VM(Nbt+F=Pa{U2q%^TP%wD}( zSi77x2<`w&%#HXYBLW?wuUv#w13W^ise)6WrEA5pnQl>Jdx#=aBk~+>RAdWefU}L- zITFuu!Ya1$-#B3+_VQPpG(pbMi*Ur`<+9vPh&tu+QDrnU1fi5f_mz`{Yeh7dY<2`D zHz1_YP=-S=#Bsk<4}TWR|5}EXoyUJHgX5d0Grg#synI_cBvHWElmjb?Hpu0u%J)#k*(}f8;K*;{plN z!dB0yr%{0?DN9gYiU_QBr9qoKtvdRX^|Y9OcNeUk-)0O+8_(E`9n48yycwpvgKygm zceqVQ?b}RKV>^tVzB={>zjoF-bZ4zouVZhZi{Xa^-(5xtkC4$RS?bnOM~x}cQC_|U zHtm?}i7m96s7IR;$*0^Cwbx^!o)UF@EdAIj_X>i5`!q8BxWCjtIR8D56wdMIe@ofH z{qo>4CsWwMvUTN%-zd`g$M43D>pZ{xZkkE`{H42T9B?TD=0XctOB7YJ9-FrHt8dBkJbcb?>P zAEPu%b!~Z!W{Oa>AfzcP&%uHlxr<(c$LQLn1w0r0p4Px0Z2vutwKT~TW5=$^j`9%!OrEn(x0HK3<_rQQ;2dF2<)`$R7@c^K26__DDtA)7TN1Wq;g4( zy~dH@2DBAY#D_ma`ONNxQ{EB$-e<7uad7?&g%5*W4bx(MX$W6Cy%13jarHez8)R1M zrQPJ?&gbCJR9@pUJl4%+t=AxzwHPZFOHv&V-VHCheh|CYZ63CIU~d)Jy)yKQ@AEX} z7TozW4c^H}C5l++zMp|fJE&)LeX`iCcObd#+62j^6sb{5C0e8=EwR&Ux0ke&KlME2 z`V}aW55-&y;#TkCKRr)H{sjsp=B$CNoMN}Nwp@~S37(S*o4xcgXz}2;S)*z>hX5W@ z4B&1rPt{Ryqv|NoRY$8<)3(YD~N27TZ;i 
z8p!hy+m#!|c10K46))bfA0+$vi~DIrXr&?Qnm+=e22ez)y>6AG*ty2ZKif}}!l6tp zGodXdO4Cbl&(2xC#<|*TfMYdsEHqT9#sk#)B#IGfBbMwPS@R{HxoT0u@b# zn+7jRQl#tYL-af56RnYnHQA(Cz1W&y(w9;arr&_BPT=<+h7VTD4GS3N}0T>i#B^_i%OX$X|_o{R2`(xs*pD*hI!{` zWS~xS`OQaYDS|S8ID$=W9=~)1#d+>N2shJHa~HT)b<+w3u3FboXz(Il@iun7MXuk! zjX(gid-R++OxlH6K6W(?bw&M+jx)rNetZ|VO`G^b$0?kC;(t62f4S84$#LvqS*2b% zsMg(^I*;DenuNn0%9p-JkDBX5pK1{;cU^psK4##&`~$4;bEjYcwu$sA({_P^>tMY1 z14=}D-XFqTH|co4{ScSdcRqdwJN_>}#L-bO&pwSK!d)gh%a`}T1H1b)MX+5OH&%Y& zG$mP^O_Vm^7iP?lk5~%z+WdGg1qHRBAxXU0Zj*#ZcxyJP71Trcyk7WMd-)x`IMwas z?SL%1Frtgf%S$v9BuRS(7mt604Ul#vIA(O4i89>A4_A#=IZH|~!{b-4x8n?|7{M+_ zhe_>f4B&MiAuQ0uaTFQOk9>sviWU=LQXBXAn4%f5zItQ~b!u$Xe2kOELrCW6UA6M! zGxP#=X@#Tuuo>^>Q~Kbo9OX;gDCS@Co^NQNQcI&r!A__j{J{qJPkX?3_uv zqRiRX^aLEbr@n@gI?s=Ojc#Ai$&To7o8XHcGw7mV0v_uncl9f+G{jZ>4c$fTiitm! ziwSh;0v%>oH5!wL4*ES<(`F6974Tp58ZmmxPtAI9uqB2Lw(PnM1u8m!&cN3SA9jyCd!Xhv%MY}9eykUo8Qm; zSaMw3b*yyU$V!LKN{2`NTZgmTxpg>;!x<~RA-)CcHQ0}y`Nf_$yY-}oPG^s1St$c}??(QUEL!Y?(zA# zqDHax!fR|C&8EU09v#h6{PAmqd|Tp-5`;wc-)vMTa7z?>6Y@A2#a>1?wnZ~>N^vfl zor56W8N)6ND`F&t71TIOu%IWa=4l&uq_OeY(z5q4L-Y)*^|`a znlzD}BKSZ)skn$tU9R^gvpIxYM#1UqD8Vv+HU;Z;C-<4kZl)cpE8R@QMjvk7K=AvFdxbR z7qKp{n*_)8u0PCYeYig6+PZ)}OElXRwTO8!YIVggW_Nl)OfM9&59p+;VL3~dDcAK% z5i`nE;Obn-x(zr8X;{lXCE0FFciGqDms&_UTs=CN@c_H#Ql0 zQy7bMHEd#wAa2)*I(7@gl8L#C{Q@wip2eD}*|qpycCUt~zMF4;nBC;nBhzUK!*cv#wi#Q*1&^?$)aTm$2!jWIj)yj}ZFJGq z(ggnl9>Xmv^TL%rSMg)w`;BYeP8LT>pG;?5J0EA;jacR*n^`0#eReaNaPm8w*(?m; z;byiL%#3}C9aJtM$jZNXidBlZ&51u-dD+vb5&1vYpey{dr`QJmLJN8n%in2XEAWYX z7Sr}8*H_Q7TktC`p7k8NZ`f6t{uL9UZ_#qr6uLfmjx8|4p@{w?^ieu5`XehFV^GLI z5@mV?OJVK{vow$h3(%Zfg8y*wkKlhcANPOQR?Pps|A$>+m`Z#0v9XF-fh6AB$G#w_ zrp`75&hvQWE9_w?mX}|_kQef4?QBXwx`KT|MB+e{ZU$~7+FcK|vx$V!Is7M#hn=tK zfV3U1gB{FHkXE>hWti{-pGYuR>ax4oMuzZAZzs!x$sTurtw$UgA#nULS$Wa{hTkn7 zU^gk*3cRe)gX}#hgKrPAWUTbaSJ6&AFL)J8ZySI1RaPT!_cHU~Lu@g+QF4f-VoE-H zh}{9gLtldqYT_GTW2doYUi3OUj49=JnEeea{gcD&AJF+nyVx=;nNe@B86+2A&8>Tr zHIS00P@d}_N7y+TiulA^Si;BnmABXm`IJ|$Yxz-TBIOG9TduWlGnaxjKjJt>u%Bli 
z2Uq9$!^c^Ta#ewWF`mHOyTG@dfD*+1{{(Y@t+74qMa5viLOa!i3@C}I@53k<_^S8W zbZ&ni_T!!RnZ?rR6>h=}7xFdW2vovE`uct7=Vmeee^gO0s2Xw=B5t zX*R+&i#nxMs3AGv`ohbRGLAJ8FQk zU|*+Q{uNg0-68Tw{M7W@A@XH2ISh0OcxHZ=uRO})YxXmXVRahlDsru^mwe@PYQXQr z2)`c*Hcye1UHApx1tr`ZmNj#|WAzkZyw0&G)RFx!zvI*A9~d0yE9`WSbK$ zGjTHQ6ShHbQp({whRGS2QpbkLlMn_`EOH|>!=n~?7R2?TMgBV!@Bu&hZ8^tW$nP62 zt3V3%m#4~3b1s}K`F8KwW($r!>`rqXKjtrA2&gxkYBuGVV^#@Ypm@E#dVS(n*Si67 z7DLrxL2?yT@o$6Vm&xj@WZdDXD~8AKs4A`y=g8a5jjp-D@&YDXvA9n}%5z+wgvw7V zm?N7b Date: Wed, 18 Sep 2024 11:01:49 +0200 Subject: [PATCH 17/28] Comments --- Cargo.lock | 9 +++++---- node/cli/src/chain_spec/mod.rs | 3 +++ pallets/propagation/src/mock.rs | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3343fe5df..2ca7c9810 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -215,9 +215,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.88" +version = "1.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e1496f8fb1fbf272686b8d37f523dab3e4a7443300055e74cdaa449f3114356" +checksum = "86fdf8605db99b54d3cd748a44c6d04df638eb5dafb219b135d0149bd0db01f6" [[package]] name = "approx" @@ -1078,9 +1078,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" [[package]] name = "bytes" -version = "1.7.1" +version = "1.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8318a53db07bb3f8dca91a600466bdb3f2eaadeedfdbcf02e1accbad9271ba50" +checksum = "428d9aa8fbc0670b7b8d6030a7fadd0f86151cae55e4dbbece15f3780a3dfaf3" dependencies = [ "serde", ] @@ -2745,6 +2745,7 @@ dependencies = [ "sp-keyring 34.0.0", "subxt", "synedrion", + "tdx-quote", "tokio", "tracing", "tracing-subscriber 0.3.18", diff --git a/node/cli/src/chain_spec/mod.rs b/node/cli/src/chain_spec/mod.rs index d8a7598ac..174c937ef 100644 --- a/node/cli/src/chain_spec/mod.rs +++ b/node/cli/src/chain_spec/mod.rs 
@@ -126,6 +126,9 @@ pub mod tss_x25519_public_key { ]; } +/// Mock provisioning certification keys for attestation of the test TS servers. +/// These are generated deterministically from their TSS account IDs using the helper function +/// entropy_testing_utils::helpers::print_test_pck_verifying_keys pub mod provisioning_certification_key { use entropy_shared::BoundedVecEncodedVerifyingKey; diff --git a/pallets/propagation/src/mock.rs b/pallets/propagation/src/mock.rs index 7942818e3..2d99b152d 100644 --- a/pallets/propagation/src/mock.rs +++ b/pallets/propagation/src/mock.rs @@ -379,7 +379,7 @@ pub fn new_test_ext() -> sp_io::TestExternalities { let mut t = system::GenesisConfig::::default().build_storage().unwrap(); let pallet_staking_extension = pallet_staking_extension::GenesisConfig:: { threshold_servers: vec![ - // (ValidatorID, (AccountId, X25519PublicKey, TssServerURL)) + // (ValidatorID, (AccountId, X25519PublicKey, TssServerURL, PCK)) (5, (7, NULL_ARR, vec![20], BoundedVec::with_max_capacity())), (6, (8, NULL_ARR, vec![40], BoundedVec::with_max_capacity())), (1, (3, NULL_ARR, vec![10], BoundedVec::with_max_capacity())), From 030ac41f55449323929bb353fd7d6527e2226c15 Mon Sep 17 00:00:00 2001 From: peg Date: Wed, 18 Sep 2024 12:16:09 +0200 Subject: [PATCH 18/28] Fix client test --- crates/client/src/tests.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crates/client/src/tests.rs b/crates/client/src/tests.rs index f04df75c1..c7c6879d1 100644 --- a/crates/client/src/tests.rs +++ b/crates/client/src/tests.rs @@ -73,7 +73,8 @@ async fn test_change_threshold_accounts() { ServerInfo { tss_account: AccountId32(one.pair().public().0), x25519_public_key, - endpoint: "127.0.0.1:3001".as_bytes().to_vec() + endpoint: "127.0.0.1:3001".as_bytes().to_vec(), + provisioning_certification_key: BoundedVec([0u8, 33].to_vec()), } ) ) From 2f7aa2d9a2a13e7db5ff5502f1160eafc966cca6 Mon Sep 17 00:00:00 2001 
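Review bot: The new doc comment on `provisioning_certification_key` says how the mock keys are produced but not what that implies: they are derived deterministically from public TSS account IDs, so anyone can reproduce the matching private keys, and the statics are only meaningful for test and development chain specs. Suggest a third doc line, `/// Because the secret halves are derivable from public account IDs, these keys are for test/dev chain specs only and must never be provisioned on a production network.` The module body and the statics themselves lie outside the hunk.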
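Review bot: `BoundedVec([0u8, 33].to_vec())` in the expected `ServerInfo` builds a two-element vector holding 0 and 33, not a 33-byte placeholder; the array syntax intended is almost certainly `[0u8; 33]`. Since the assertion compares Debug strings, this expected value can only match if the server under test also reports a two-byte key, which is presumably not the intent. The enclosing `test_change_threshold_accounts` starts and ends outside the hunk.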
From: peg Date: Wed, 18 Sep 2024 12:18:05 +0200 Subject: [PATCH 19/28] Add random secret PCK to attestation pallet benchmark test --- pallets/attestation/src/benchmarking.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/pallets/attestation/src/benchmarking.rs b/pallets/attestation/src/benchmarking.rs index 3dc2c4051..e8b1d7a15 100644 --- a/pallets/attestation/src/benchmarking.rs +++ b/pallets/attestation/src/benchmarking.rs @@ -23,14 +23,17 @@ use super::*; #[allow(unused)] use crate::Pallet as AttestationPallet; -// This is a randomly generated secret p256 ECDSA key +/// This is a randomly generated secret p256 ECDSA key - for mocking attestation const ATTESTATION_KEY: [u8; 32] = [ 167, 184, 203, 130, 240, 249, 191, 129, 206, 9, 200, 29, 99, 197, 64, 81, 135, 166, 59, 73, 31, 27, 206, 207, 69, 248, 56, 195, 64, 92, 109, 46, ]; + +/// This is a randomly generated secret p256 ECDSA key - for mocking the provisioning certification +/// key const PCK: [u8; 32] = [ - 167, 184, 203, 130, 240, 249, 191, 129, 206, 9, 200, 29, 99, 197, 64, 81, 135, 166, 59, 73, 31, - 27, 206, 207, 69, 248, 56, 195, 64, 92, 109, 46, + 117, 153, 212, 7, 220, 16, 181, 32, 110, 138, 4, 68, 208, 37, 104, 54, 1, 110, 232, 207, 100, + 168, 16, 99, 66, 83, 21, 178, 81, 155, 132, 37, ]; fn assert_last_event(generic_event: ::RuntimeEvent) { From e069b64ed7c9f008809346c2fae920809ce132dd Mon Sep 17 00:00:00 2001 From: peg Date: Wed, 18 Sep 2024 12:35:52 +0200 Subject: [PATCH 20/28] Fix attestation benchmark --- pallets/attestation/src/benchmarking.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pallets/attestation/src/benchmarking.rs b/pallets/attestation/src/benchmarking.rs index e8b1d7a15..40d25fc77 100644 --- a/pallets/attestation/src/benchmarking.rs +++ b/pallets/attestation/src/benchmarking.rs 
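Review bot: The removed `PCK` bytes were identical to `ATTESTATION_KEY`, so until this change the mock quote was signed and certified by one and the same key; the new doc comments describe each constant but do not record that the two must stay distinct for the benchmark to exercise separate attestation and provisioning keys. Suggest adding to the `PCK` doc: `/// Deliberately different from ATTESTATION_KEY so the mock quote's attestation signature and its PCK certification come from separate keys.` Both constants are fixtures whose secret halves are committed to the repository, which is worth stating in the same comment so nobody treats their verifying keys as real. `Quote::mock` consumes both keys further down in this file, outside the hunk.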
@@ -51,7 +51,7 @@ benchmarks! { let attestation_key = tdx_quote::SigningKey::from_bytes(&ATTESTATION_KEY.into()).unwrap(); let pck = tdx_quote::SigningKey::from_bytes(&PCK.into()).unwrap(); - let pck_encoded = tdx::quote::encode_verifying_key(pck).unwrap(); + let pck_encoded = tdx_quote::encode_verifying_key(pck).unwrap(); let input_data = QuoteInputData::new( &attestee, // TSS Account ID @@ -59,7 +59,7 @@ benchmarks! { nonce, 1, // Block number ); - let quote = tdx_quote::Quote::mock(signing_key.clone(), pck, input_data.0).as_bytes().to_vec(); + let quote = tdx_quote::Quote::mock(attestation_key.clone(), pck, input_data.0).as_bytes().to_vec(); // Insert a pending attestation so that this quote is expected >::insert(attestee.clone(), nonce); From e8f317ceb0dbbbdc7d8bd8dff5b721e173ec7c6c Mon Sep 17 00:00:00 2001 From: peg Date: Wed, 18 Sep 2024 13:02:04 +0200 Subject: [PATCH 21/28] Fix attestation benchmark again --- pallets/attestation/src/benchmarking.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pallets/attestation/src/benchmarking.rs b/pallets/attestation/src/benchmarking.rs index 40d25fc77..3534a35cf 100644 --- a/pallets/attestation/src/benchmarking.rs +++ b/pallets/attestation/src/benchmarking.rs @@ -51,7 +51,7 @@ benchmarks! { let attestation_key = tdx_quote::SigningKey::from_bytes(&ATTESTATION_KEY.into()).unwrap(); let pck = tdx_quote::SigningKey::from_bytes(&PCK.into()).unwrap(); - let pck_encoded = tdx_quote::encode_verifying_key(pck).unwrap(); + let pck_encoded = tdx_quote::encode_verifying_key(pck.verifying_key()).unwrap(); let input_data = QuoteInputData::new( &attestee, // TSS Account ID From 0272c72d0a42762125b8282aeea8c721807b0f0e Mon Sep 17 00:00:00 2001 From: peg Date: Wed, 18 Sep 2024 13:22:48 +0200 Subject: [PATCH 22/28] Update attestation pallet test --- pallets/attestation/src/mock.rs | 11 ++++++++++- pallets/attestation/src/tests.rs | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-) 
diff --git a/pallets/attestation/src/mock.rs b/pallets/attestation/src/mock.rs index 478f31a41..1914effbc 100644 --- a/pallets/attestation/src/mock.rs +++ b/pallets/attestation/src/mock.rs @@ -332,6 +332,13 @@ impl pallet_parameters::Config for Test { type WeightInfo = (); } +/// This is a randomly generated secret p256 ECDSA key - for mocking the provisioning certification +/// key +const PCK: [u8; 32] = [ + 117, 153, 212, 7, 220, 16, 181, 32, 110, 138, 4, 68, 208, 37, 104, 54, 1, 110, 232, 207, 100, + 168, 16, 99, 66, 83, 21, 178, 81, 155, 132, 37, +]; + // Build genesis storage according to the mock runtime. pub fn new_test_ext() -> sp_io::TestExternalities { let mut t = system::GenesisConfig::::default().build_storage().unwrap(); @@ -342,10 +349,12 @@ pub fn new_test_ext() -> sp_io::TestExternalities { }; pallet_attestation.assimilate_storage(&mut t).unwrap(); + let pck = tdx_quote::SigningKey::from_bytes(&PCK.into()).unwrap(); + let pck_encoded = tdx_quote::encode_verifying_key(&pck.verifying_key()).unwrap(); let pallet_staking_extension = pallet_staking_extension::GenesisConfig:: { threshold_servers: vec![ // (ValidatorID, (AccountId, X25519PublicKey, TssServerURL, PCK)) - (5, (0, NULL_ARR, vec![20], BoundedVec::default())), + (5, (0, NULL_ARR, vec![20], BoundedVec::from(pck_encoded.to_vec()))), ], proactive_refresh_data: (vec![], vec![]), mock_signer_rotate: (false, vec![], vec![]), diff --git a/pallets/attestation/src/tests.rs b/pallets/attestation/src/tests.rs index aa206398b..31ef6c53e 100644 --- a/pallets/attestation/src/tests.rs +++ b/pallets/attestation/src/tests.rs @@ -28,7 +28,7 @@ fn attest() { assert_eq!(nonce, [0; 32]); let attestation_key = tdx_quote::SigningKey::random(&mut OsRng); - let pck = tdx_quote::SigningKey::random(&mut OsRng); + let pck = tdx_quote::SigningKey::from_bytes(&PCK.into()).unwrap(); let input_data = QuoteInputData::new( ATTESTEE, // TSS Account ID From 50583271d05f4811f057e3e6b486ce53c40b46e1 Mon Sep 17 00:00:00 2001 
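Review bot: `attest()` now builds its PCK from the fixed `PCK` bytes, which makes the test depend on that key being exactly the one `new_test_ext` registers in the staking genesis for the attestee, and nothing at the call site says so. Suggest `// Must match the key whose encoded verifying key new_test_ext registers in the staking genesis for ATTESTEE` on the `let pck` line. Note also that `PCK` is declared as a private `const` in the mock.rs hunk above, so it is reachable from tests.rs only if that module sits inside mock or mock re-exports it. `attest()` continues outside the hunk.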
From: peg Date: Wed, 18 Sep 2024 14:04:31 +0200 Subject: [PATCH 23/28] Fix attestation pallet mock/bench --- pallets/attestation/src/benchmarking.rs | 2 +- pallets/attestation/src/mock.rs | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/pallets/attestation/src/benchmarking.rs b/pallets/attestation/src/benchmarking.rs index 3534a35cf..16b4de2ad 100644 --- a/pallets/attestation/src/benchmarking.rs +++ b/pallets/attestation/src/benchmarking.rs @@ -73,7 +73,7 @@ benchmarks! { tss_account: attestee.clone(), x25519_public_key: [0; 32], endpoint: b"http://localhost:3001".to_vec(), - provisioning_certification_key: BoundedVec::from(pck_encoded.to_vec()), + provisioning_certification_key: pck_encoded.to_vec().try_into().unwrap(), }); }: _(RawOrigin::Signed(attestee.clone()), quote.clone()) diff --git a/pallets/attestation/src/mock.rs b/pallets/attestation/src/mock.rs index 1914effbc..3513578c4 100644 --- a/pallets/attestation/src/mock.rs +++ b/pallets/attestation/src/mock.rs @@ -36,6 +36,13 @@ use std::cell::RefCell; use crate as pallet_attestation; +/// This is a randomly generated secret p256 ECDSA key - for mocking the provisioning certification +/// key +pub const PCK: [u8; 32] = [ + 117, 153, 212, 7, 220, 16, 181, 32, 110, 138, 4, 68, 208, 37, 104, 54, 1, 110, 232, 207, 100, + 168, 16, 99, 66, 83, 21, 178, 81, 155, 132, 37, +]; + const NULL_ARR: [u8; 32] = [0; 32]; type Block = frame_system::mocking::MockBlock; 
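Review bot: `pub const PCK` in mock.rs carries the same 32 bytes as the `PCK` constant benchmarking.rs gained earlier in this series, so the fixture now exists twice and a change to one silently desynchronises the other. If the two build configurations (benchmarks behind a feature, the mock behind `cfg(test)`) allow it, keep a single definition and import it; otherwise a comment on each copy naming its twin, `// Keep in sync with the PCK fixture in benchmarking.rs`, is the minimum. The `.try_into().unwrap()` in the benchmarking hunk above relies on the encoded key fitting the bound; a short comment on why that cannot fail would save the next reader a lookup.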
@@ -332,13 +339,6 @@ impl pallet_parameters::Config for Test { type WeightInfo = (); } -/// This is a randomly generated secret p256 ECDSA key - for mocking the provisioning certification -/// key -const PCK: [u8; 32] = [ - 117, 153, 212, 7, 220, 16, 181, 32, 110, 138, 4, 68, 208, 37, 104, 54, 1, 110, 232, 207, 100, - 168, 16, 99, 66, 83, 21, 178, 81, 155, 132, 37, -]; - // Build genesis storage according to the mock runtime. pub fn new_test_ext() -> sp_io::TestExternalities { let mut t = system::GenesisConfig::::default().build_storage().unwrap(); @@ -354,7 +354,7 @@ pub fn new_test_ext() -> sp_io::TestExternalities { let pallet_staking_extension = pallet_staking_extension::GenesisConfig:: { threshold_servers: vec![ // (ValidatorID, (AccountId, X25519PublicKey, TssServerURL, PCK)) - (5, (0, NULL_ARR, vec![20], BoundedVec::from(pck_encoded.to_vec()))), + (5, (0, NULL_ARR, vec![20], pck_encoded.to_vec().try_into().unwrap())), ], proactive_refresh_data: (vec![], vec![]), mock_signer_rotate: (false, vec![], vec![]), From 1daae2c00d179ab752009bf77943890764396c7c Mon Sep 17 00:00:00 2001 From: peg Date: Wed, 18 Sep 2024 17:51:22 +0200 Subject: [PATCH 24/28] Fix entropy-client test --- crates/client/src/tests.rs | 15 ++++++++++++--- crates/testing-utils/src/helpers.rs | 3 ++- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/crates/client/src/tests.rs b/crates/client/src/tests.rs index c7c6879d1..2687413da 100644 --- a/crates/client/src/tests.rs +++ b/crates/client/src/tests.rs 
@@ -16,8 +16,11 @@ use crate::{ update_programs, }; use entropy_testing_utils::{ - constants::TEST_PROGRAM_WASM_BYTECODE, jump_start_network, - substrate_context::test_context_stationary, test_node_process_testing_state, + constants::TEST_PROGRAM_WASM_BYTECODE, + helpers::{derive_mock_pck_verifying_key, encode_verifying_key}, + jump_start_network, + substrate_context::test_context_stationary, + test_node_process_testing_state, }; use serial_test::serial; use sp_core::{sr25519, Pair, H256}; @@ -64,6 +67,12 @@ async fn test_change_threshold_accounts() { ) .await .unwrap(); + + let provisioning_certification_key = { + let key = derive_mock_pck_verifying_key(&AccountId32(one.pair().public().0)); + BoundedVec(encode_verifying_key(&key).unwrap().to_vec()) + }; + assert_eq!( format!("{:?}", result), format!( @@ -74,7 +83,7 @@ async fn test_change_threshold_accounts() { tss_account: AccountId32(one.pair().public().0), x25519_public_key, endpoint: "127.0.0.1:3001".as_bytes().to_vec(), - provisioning_certification_key: BoundedVec([0u8, 33].to_vec()), + provisioning_certification_key, } ) ) diff --git a/crates/testing-utils/src/helpers.rs b/crates/testing-utils/src/helpers.rs index deabd52b9..5e64f843e 100644 --- a/crates/testing-utils/src/helpers.rs +++ b/crates/testing-utils/src/helpers.rs @@ -22,6 +22,7 @@ use crate::{ use entropy_protocol::PartyId; use rand::{rngs::StdRng, SeedableRng}; use subxt::{backend::legacy::LegacyRpcMethods, utils::AccountId32, OnlineClient}; +pub use tdx_quote::encode_verifying_key; /// A helper for setting up tests which starts both a set of TS servers and a chain node and returns /// the chain API as well as IP addresses and PartyId of the started validators 
@@ -65,6 +66,6 @@ pub fn derive_mock_pck_verifying_key(tss_account_id: &AccountId32) -> tdx_quote:
 pub fn print_test_pck_verifying_keys() {
 for tss_account in crate::constants::TSS_ACCOUNTS.iter() {
 let pck = derive_mock_pck_verifying_key(tss_account);
- println!("{:?}", tdx_quote::encode_verifying_key(&pck));
+ println!("{:?}", encode_verifying_key(&pck));
 }
 }
From e6c5f0824b8a575f20d879c022092a632929ce92 Mon Sep 17 00:00:00 2001
From: peg
Date: Thu, 19 Sep 2024 11:51:26 +0200
Subject: [PATCH 25/28] Fix client test
---
 crates/client/src/tests.rs | 3 ++-
 node/cli/src/chain_spec/mod.rs | 24 +++++++++++++++++++-----
 2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/crates/client/src/tests.rs b/crates/client/src/tests.rs
index 2687413da..5ebb984fb 100644
--- a/crates/client/src/tests.rs
+++ b/crates/client/src/tests.rs
@@ -69,7 +69,8 @@ async fn test_change_threshold_accounts() {
 .unwrap();
 let provisioning_certification_key = {
- let key = derive_mock_pck_verifying_key(&AccountId32(one.pair().public().0));
+ let key =
+ derive_mock_pck_verifying_key(&AccountId32(AccountKeyring::Alice.pair().public().0));
 BoundedVec(encode_verifying_key(&key).unwrap().to_vec())
 };
diff --git a/node/cli/src/chain_spec/mod.rs b/node/cli/src/chain_spec/mod.rs
index 174c937ef..ed9f3c9cd 100644
--- a/node/cli/src/chain_spec/mod.rs
+++ b/node/cli/src/chain_spec/mod.rs
@@ -133,11 +133,25 @@ pub mod provisioning_certification_key { use entropy_shared::BoundedVecEncodedVerifyingKey; lazy_static::lazy_static! { - pub static ref ALICE: BoundedVecEncodedVerifyingKey = vec![2, 137, 55, 65, 52, 103, 166, 204, 247, 160, 46, 220, 5, 113, 151, 217, 157, 196, 11, 240, 175, 82, 148, 230, 31, 245, 207, 194, 3, 74, 121, 184, 20].try_into().unwrap(); - pub static ref BOB: BoundedVecEncodedVerifyingKey = vec![3, 83, 163, 234, 166, 114, 67, 146, 122, 122, 99, 236, 205, 116, 209, 45, 230, 107, 62, 55, 147, 38, 185, 203, 157, 147, 156, 173, 233, 58, 134, 162, 156].try_into().unwrap(); - pub static ref CHARLIE: BoundedVecEncodedVerifyingKey = vec![2, 167, 50, 42, 76, 239, 190, 42, 72, 64, 110, 90, 172, 253, 252, 148, 115, 107, 34, 110, 2, 112, 184, 147, 87, 71, 63, 217, 238, 89, 253, 97, 176].try_into().unwrap(); - pub static ref DAVE: BoundedVecEncodedVerifyingKey = vec![3, 68, 52, 130, 44, 84, 174, 32, 55, 213, 192, 7, 121, 188, 19, 231, 134, 47, 223, 166, 199, 118, 161, 203, 142, 75, 184, 108, 165, 70, 251, 249, 142].try_into().unwrap(); - pub static ref EVE: BoundedVecEncodedVerifyingKey = vec![2, 60, 115, 185, 180, 118, 177, 23, 3, 49, 65, 92, 230, 60, 245, 1, 140, 149, 117, 238, 83, 69, 110, 30, 140, 31, 60, 69, 38, 34, 202, 242, 125].try_into().unwrap(); + pub static ref ALICE: BoundedVecEncodedVerifyingKey = vec![ + 2, 137, 55, 65, 52, 103, 166, 204, 247, 160, 46, 220, 5, 113, 151, 217, 157, 196, 11, + 240, 175, 82, 148, 230, 31, 245, 207, 194, 3, 74, 121, 184, 20 + ].try_into().unwrap(); + pub static ref BOB: BoundedVecEncodedVerifyingKey = vec![ + 3, 83, 163, 234, 166, 114, 67, 146, 122, 122, 99, 236, 205, 116, 209, 45, 230, 107, 62, + 55, 147, 38, 185, 203, 157, 147, 156, 173, 233, 58, 134, 162, 156].try_into().unwrap(); + pub static ref CHARLIE: BoundedVecEncodedVerifyingKey = vec![ + 2, 167, 50, 42, 76, 239, 190, 42, 72, 64, 110, 90, 172, 253, 252, 148, 115, 107, 34, 110, + 2, 112, 184, 147, 87, 71, 63, 217, 238, 89, 253, 97, 176 + 
].try_into().unwrap(); + pub static ref DAVE: BoundedVecEncodedVerifyingKey = vec![ + 3, 68, 52, 130, 44, 84, 174, 32, 55, 213, 192, 7, 121, 188, 19, 231, 134, 47, 223, 166, + 199, 118, 161, 203, 142, 75, 184, 108, 165, 70, 251, 249, 142 + ].try_into().unwrap(); + pub static ref EVE: BoundedVecEncodedVerifyingKey = vec![ + 2, 60, 115, 185, 180, 118, 177, 23, 3, 49, 65, 92, 230, 60, 245, 1, 140, 149, 117, 238, + 83, 69, 110, 30, 140, 31, 60, 69, 38, 34, 202, 242, 125 + ].try_into().unwrap(); } } From fed5e20229b1701ca234f85a0b0189f6c9695215 Mon Sep 17 00:00:00 2001 From: peg Date: Thu, 19 Sep 2024 12:32:51 +0200 Subject: [PATCH 26/28] Fix client test --- crates/client/src/tests.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/crates/client/src/tests.rs b/crates/client/src/tests.rs index 5ebb984fb..5c3ae04f2 100644 --- a/crates/client/src/tests.rs +++ b/crates/client/src/tests.rs @@ -16,7 +16,7 @@ use crate::{ update_programs, }; use entropy_testing_utils::{ - constants::TEST_PROGRAM_WASM_BYTECODE, + constants::{TEST_PROGRAM_WASM_BYTECODE, TSS_ACCOUNTS}, helpers::{derive_mock_pck_verifying_key, encode_verifying_key}, jump_start_network, substrate_context::test_context_stationary, @@ -69,8 +69,7 @@ async fn test_change_threshold_accounts() { .unwrap(); let provisioning_certification_key = { - let key = - derive_mock_pck_verifying_key(&AccountId32(AccountKeyring::Alice.pair().public().0)); + let key = derive_mock_pck_verifying_key(&TSS_ACCOUNTS[0]); BoundedVec(encode_verifying_key(&key).unwrap().to_vec()) }; From 09bc7f21488920dac4ad12974dd0c92c5509f49b Mon Sep 17 00:00:00 2001 From: peg Date: Thu, 19 Sep 2024 13:45:08 +0200 Subject: [PATCH 27/28] Changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c31561298..761bee43b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
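Review bot: The `BOB` entry closes its array with `].try_into().unwrap();` on the same line as the last numbers, whereas `ALICE`, `CHARLIE`, `DAVE` and `EVE` put the closing bracket on its own line; the hunk was presumably reflowed by hand, since rustfmt does not reach inside the `lazy_static!` body. Putting `].try_into().unwrap();` on its own line for `BOB` keeps the five entries uniform. Each array is 33 bytes, which is what the `encode_verifying_key` output used elsewhere in this series produces; a comment stating the expected length, `// 33-byte encoded verifying key, as produced by encode_verifying_key`, would let a reader check a new entry before the `unwrap()` panics at first access.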
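Review bot: The expected `provisioning_certification_key` is now derived from `TSS_ACCOUNTS[0]`, while the `tss_account` field of the same expected `ServerInfo` (shown in earlier commits of this series) is built from `one`, so a reader will reasonably suspect a copy-paste mismatch. If the intent is that the PCK stays bound to the server's original identity when its TSS account is changed, say so at the binding: `// The PCK belongs to the server, not the account, so after the account change it is still the key derived for TSS_ACCOUNTS[0]`. The enclosing `test_change_threshold_accounts` starts and ends outside the hunk.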
@@ -18,7 +18,7 @@ At the moment this project **does not** adhere to cleaned up. A lot of storage entries, events, and extrinsics were removed from the `Registry` pallet. The genesis build config was also removed. Additionally, the `new/user/` HTTP endpoint in the TSS was removed since it was no longer necessary. -- In [#1045](https://github.com/entropyxyz/entropy-core/pull/1045), `ProgramsInfo` now takes `version_number` to maintain backwards compatibility if programs runtime is updated +- In [#1045](https://github.com/entropyxyz/entropy-core/pull/1045), `ProgramsInfo` now takes `version_number` to maintain backwards compatibility if programs runtime is updated ### Added - Jumpstart network ([#918](https://github.com/entropyxyz/entropy-core/pull/918)) @@ -35,6 +35,7 @@ At the moment this project **does not** adhere to - Update test CLI for new registration and signing flows ([#1008](https://github.com/entropyxyz/entropy-core/pull/1008)) - Add remove program function to entropy-client ([#1023](https://github.com/entropyxyz/entropy-core/pull/1023)) - Add a programs version ([#1045](https://github.com/entropyxyz/entropy-core/pull/1045)) +- Handle Provisioning Certification Keys (PCKs) ([#1051](https://github.com/entropyxyz/entropy-core/pull/1051)) ### Changed - Fix TSS `AccountId` keys in chainspec ([#993](https://github.com/entropyxyz/entropy-core/pull/993)) From 47579ef55f72a0675ffc4f33561556fead861477 Mon Sep 17 00:00:00 2001 From: peg Date: Wed, 25 Sep 2024 09:13:19 +0200 Subject: [PATCH 28/28] Rm unused dependency from staking pallet --- Cargo.lock | 3 +-- pallets/staking/Cargo.toml | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6a0691b54..08c481b6f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -7406,7 +7406,6 @@ dependencies = [ "frame-support 29.0.2", "frame-system", "log", - "p256", "pallet-bags-list", "pallet-balances", "pallet-parameters", 
@@ -14045,7 +14044,7 @@ dependencies = [ [[package]] name = "synedrion" version = "0.1.0" -source = "git+https://github.com/entropyxyz/synedrion/?rev=1d210d149dfeb0dca1dd41d7fac4d0bf03c686fa#1d210d149dfeb0dca1dd41d7fac4d0bf03c686fa" +source = "git+https://github.com/entropyxyz/synedrion?rev=1d210d149dfeb0dca1dd41d7fac4d0bf03c686fa#1d210d149dfeb0dca1dd41d7fac4d0bf03c686fa" dependencies = [ "base64 0.21.7", "bincode 2.0.0-rc.3", diff --git a/pallets/staking/Cargo.toml b/pallets/staking/Cargo.toml index 281e1e334..60beae497 100644 --- a/pallets/staking/Cargo.toml +++ b/pallets/staking/Cargo.toml @@ -17,7 +17,6 @@ scale-info ={ version="2.11", default-features=false, features=["derive"] } log ={ version="0.4.22", default-features=false } serde ={ version="1.0.210", default-features=false } rand_chacha={ version="0.3", default-features=false } -p256 ={ version="0.13.2", default-features=false, features=["ecdsa", "alloc"] } frame-benchmarking={ version="29.0.0", default-features=false, optional=true } frame-support ={ version="29.0.0", default-features=false }