From bf8f40a57cefea50899bb15caa989c6ec0bc40c6 Mon Sep 17 00:00:00 2001
From: Nodar Ambroladze <nodar.ambroladze@gmail.com>
Date: Thu, 16 May 2024 18:09:52 +0200
Subject: [PATCH 1/4] Skip tls verification when making requests to secure
 signer from Dataposter

---
 arbnode/dataposter/data_poster.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arbnode/dataposter/data_poster.go b/arbnode/dataposter/data_poster.go
index 7bc18a2121..04789d0fda 100644
--- a/arbnode/dataposter/data_poster.go
+++ b/arbnode/dataposter/data_poster.go
@@ -217,6 +217,10 @@ func NewDataPoster(ctx context.Context, opts *DataPosterOpts) (*DataPoster, erro
 func rpcClient(ctx context.Context, opts *ExternalSignerCfg) (*rpc.Client, error) {
 	tlsCfg := &tls.Config{
 		MinVersion: tls.VersionTLS12,
+		// Dataposter verifies that signed transaction was signed by the account
+		// that it expects to be signed with. So signer is already authenticated
+		// on application level and does not need to rely on TLS for authentication.
+		InsecureSkipVerify: true, // #nosec G402
 	}
 
 	if opts.ClientCert != "" && opts.ClientPrivateKey != "" {

From 761e98dfe76f381b30fac569ce6f16d3b36e6f3c Mon Sep 17 00:00:00 2001
From: Nodar Ambroladze <nodar.ambroladze@gmail.com>
Date: Thu, 16 May 2024 20:23:00 +0200
Subject: [PATCH 2/4] Expose InsecureSkipVerify as a flag in external signer
 config

---
 arbnode/dataposter/data_poster.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/arbnode/dataposter/data_poster.go b/arbnode/dataposter/data_poster.go
index 04789d0fda..35826620f8 100644
--- a/arbnode/dataposter/data_poster.go
+++ b/arbnode/dataposter/data_poster.go
@@ -220,7 +220,7 @@ func rpcClient(ctx context.Context, opts *ExternalSignerCfg) (*rpc.Client, error
 		// Dataposter verifies that signed transaction was signed by the account
 		// that it expects to be signed with. So signer is already authenticated
 		// on application level and does not need to rely on TLS for authentication.
-		InsecureSkipVerify: true, // #nosec G402
+		InsecureSkipVerify: opts.InsecureSkipVerify, // #nosec G402
 	}
 
 	if opts.ClientCert != "" && opts.ClientPrivateKey != "" {
@@ -1227,6 +1227,8 @@ type ExternalSignerCfg struct {
 	// (Optional) Client certificate key for mtls.
 	// This is required when client-cert is set.
 	ClientPrivateKey string `koanf:"client-private-key"`
+	// TLS config option, when enabled skips certificate verification of external signer.
+	InsecureSkipVerify bool `koanf:"insecure-skip-verify"`
 }
 
 type DangerousConfig struct {
@@ -1280,6 +1282,7 @@ func addExternalSignerOptions(prefix string, f *pflag.FlagSet) {
 	f.String(prefix+".root-ca", DefaultDataPosterConfig.ExternalSigner.RootCA, "external signer root CA")
 	f.String(prefix+".client-cert", DefaultDataPosterConfig.ExternalSigner.ClientCert, "rpc client cert")
 	f.String(prefix+".client-private-key", DefaultDataPosterConfig.ExternalSigner.ClientPrivateKey, "rpc client private key")
+	f.Bool(prefix+".client-private-key", DefaultDataPosterConfig.ExternalSigner.InsecureSkipVerify, "skip TLS certificate verification")
 }
 
 var DefaultDataPosterConfig = DataPosterConfig{
@@ -1301,7 +1304,7 @@ var DefaultDataPosterConfig = DataPosterConfig{
 	UseNoOpStorage:         false,
 	LegacyStorageEncoding:  false,
 	Dangerous:              DangerousConfig{ClearDBStorage: false},
-	ExternalSigner:         ExternalSignerCfg{Method: "eth_signTransaction"},
+	ExternalSigner:         ExternalSignerCfg{Method: "eth_signTransaction", InsecureSkipVerify: true},
 	MaxFeeCapFormula:       "((BacklogOfBatches * UrgencyGWei) ** 2) + ((ElapsedTime/ElapsedTimeBase) ** 2) * ElapsedTimeImportance + TargetPriceGWei",
 	ElapsedTimeBase:        10 * time.Minute,
 	ElapsedTimeImportance:  10,
@@ -1334,7 +1337,7 @@ var TestDataPosterConfig = DataPosterConfig{
 	UseDBStorage:           false,
 	UseNoOpStorage:         false,
 	LegacyStorageEncoding:  false,
-	ExternalSigner:         ExternalSignerCfg{Method: "eth_signTransaction"},
+	ExternalSigner:         ExternalSignerCfg{Method: "eth_signTransaction", InsecureSkipVerify: true},
 	MaxFeeCapFormula:       "((BacklogOfBatches * UrgencyGWei) ** 2) + ((ElapsedTime/ElapsedTimeBase) ** 2) * ElapsedTimeImportance + TargetPriceGWei",
 	ElapsedTimeBase:        10 * time.Minute,
 	ElapsedTimeImportance:  10,

From b8503d8c2581d1c065800b01bc8be7740e41a9af Mon Sep 17 00:00:00 2001
From: Nodar Ambroladze <nodar.ambroladze@gmail.com>
Date: Thu, 16 May 2024 20:24:10 +0200
Subject: [PATCH 3/4] Fix flag initialization

---
 arbnode/dataposter/data_poster.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arbnode/dataposter/data_poster.go b/arbnode/dataposter/data_poster.go
index 35826620f8..8137cbac60 100644
--- a/arbnode/dataposter/data_poster.go
+++ b/arbnode/dataposter/data_poster.go
@@ -1282,7 +1282,7 @@ func addExternalSignerOptions(prefix string, f *pflag.FlagSet) {
 	f.String(prefix+".root-ca", DefaultDataPosterConfig.ExternalSigner.RootCA, "external signer root CA")
 	f.String(prefix+".client-cert", DefaultDataPosterConfig.ExternalSigner.ClientCert, "rpc client cert")
 	f.String(prefix+".client-private-key", DefaultDataPosterConfig.ExternalSigner.ClientPrivateKey, "rpc client private key")
-	f.Bool(prefix+".client-private-key", DefaultDataPosterConfig.ExternalSigner.InsecureSkipVerify, "skip TLS certificate verification")
+	f.Bool(prefix+".insecure-skip-verify", DefaultDataPosterConfig.ExternalSigner.InsecureSkipVerify, "skip TLS certificate verification")
 }
 
 var DefaultDataPosterConfig = DataPosterConfig{

From 7b7159cb7de9ee78d318a4ea1f4f74df5781fbf7 Mon Sep 17 00:00:00 2001
From: Nodar Ambroladze <nodar.ambroladze@gmail.com>
Date: Thu, 16 May 2024 20:25:59 +0200
Subject: [PATCH 4/4] Keep insecureSkipVerify false by default in prod config

---
 arbnode/dataposter/data_poster.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arbnode/dataposter/data_poster.go b/arbnode/dataposter/data_poster.go
index 8137cbac60..fb35ac3c8d 100644
--- a/arbnode/dataposter/data_poster.go
+++ b/arbnode/dataposter/data_poster.go
@@ -1304,7 +1304,7 @@ var DefaultDataPosterConfig = DataPosterConfig{
 	UseNoOpStorage:         false,
 	LegacyStorageEncoding:  false,
 	Dangerous:              DangerousConfig{ClearDBStorage: false},
-	ExternalSigner:         ExternalSignerCfg{Method: "eth_signTransaction", InsecureSkipVerify: true},
+	ExternalSigner:         ExternalSignerCfg{Method: "eth_signTransaction", InsecureSkipVerify: false},
 	MaxFeeCapFormula:       "((BacklogOfBatches * UrgencyGWei) ** 2) + ((ElapsedTime/ElapsedTimeBase) ** 2) * ElapsedTimeImportance + TargetPriceGWei",
 	ElapsedTimeBase:        10 * time.Minute,
 	ElapsedTimeImportance:  10,