ensure deterministic reshard input

src/qos_client/src/cli/services.rs

@@ -1552,7 +1552,8 @@ pub(crate) fn reshard_re_encrypt_share(
 		unsafe_auto_confirm,
 	}: ReshardReEncryptShareArgs,
 ) -> Result<(), Error> {
-	let reshard_input = read_reshard_input(reshard_input_path)?;
+	let mut reshard_input = read_reshard_input(reshard_input_path)?;
+	reshard_input.deterministic();
 	let attestation_doc =
 		read_attestation_doc(&attestation_doc_path, unsafe_skip_attestation)?;
 	let mut new_share_set = get_share_set(&new_share_set_dir);

src/qos_core/src/protocol/services/attestation.rs

@@ -27,10 +27,11 @@ pub(in crate::protocol) fn reshard_attestation_doc(
 ) -> Result<NsmResponse, ProtocolError> {
 	let ephemeral_public_key =
 		state.handles.get_ephemeral_key()?.public_key().to_bytes();
-	let reshard_input = state
+	let mut reshard_input = state
 		.reshard_input
 		.clone()
 		.ok_or(ProtocolError::MissingReshardInput)?;
+	reshard_input.deterministic();
 
 	Ok(get_post_boot_attestation_doc(
 		&*state.attestor,

src/qos_core/src/protocol/services/reshard.rs

@@ -85,7 +85,8 @@ pub struct ReshardInput {
 }
 
 impl ReshardInput {
-	fn deterministic(&mut self) {
+	/// Make sure reshard input is deterministic
+	pub fn deterministic(&mut self) {
 		self.quorum_keys.sort();
 	}
 
@@ -249,12 +250,13 @@ pub(in crate::protocol) fn reshard_provision(
 	input: ReshardProvisionInput,
 	state: &mut ProtocolState,
 ) -> Result<bool, ProtocolError> {
-	let reshard_input = state
+	let mut reshard_input = state
 		.reshard_input
 		.as_ref()
 		.ok_or(ProtocolError::MissingReshardInput)?
 		.clone();
 
+	reshard_input.deterministic();
 	input.approval.verify(&reshard_input.qos_hash())?;
 
 	if !reshard_input.old_share_set.members.contains(&input.approval.member) {