Over the last two weeks most of our attention went into making Zebra’s releases easier to trust and install: a new reviewed release process, downloadable signed binaries, and signed Docker images that anyone can rebuild and verify as coming from us. Alongside that we fixed a couple of node stability problems (including a sync stall near the chain tip), shipped Zebra v5.2.0, and started work on support for the future NU6.3 “Ironwood” network upgrade.
Security
The headline security work was making Zebra’s releases reproducible and signed, so anyone can rebuild a release and confirm the binary they downloaded genuinely came from our release pipeline. Before this shipped, we reviewed the new pipeline and fixed a few issues it turned up. The linked pull requests and our release blog posts have the full details.
CI / DevOps
Most of our DevOps effort went into a new, reviewed release process for Zebra, with a human check before each release goes out. On top of that, each release now ships pre-built, signed zebrad binaries for Linux that can be installed with cargo binstall. We also did some test infrastructure work, including reorganising the zebrad tests into a clearer layout and letting maintainers run integration tests on demand for pull requests from forks.
Other Zebra work
We shipped Zebra v5.2.0, which widens the rollback window to 1000 blocks and includes a related checkpoint fix. We also tracked down and fixed a sync stall near the chain tip that could leave a node stuck restarting.
We also started on support for NU6.3 “Ironwood”, a future Zcash network upgrade that adds a new shielded pool and transaction format. This is early, experimental work, and we’ve opened an initial draft so the team and collaborators can review the approach as it develops.
Work on other repositories
On Zcash’s wallet daemon Zallet, we added a generate-identity subcommand so users can create an encryption identity without needing a separate tool, and we added z_importkey and z_exportkey for Sapling keys. We also did some maintenance on the infrastructure behind our public status page (status.zfnd.org) and the DNS seeder.
Thanks to external contributors
We had a lot of help from outside the team this period. @nuttycom landed a line of work, building on our own earlier groundwork, to make Zebra’s state safe to open read-only as a secondary database and to stream non-finalized blocks to other tools such as wallets. @zmanian fixed several invalidateblock/reconsiderblock cases that could crash the node, and @evan-forbes raised the local rollback window from 99 to 1000 blocks as a defence against sustained chain splits. @emersonian changed a disk-write crash so that it reports the underlying error, letting operators quickly spot a full disk. @dannywillems added Dockerfile linting with hadolint and a shellcheck workflow, and @dmidem fixed CI for the ZSA integration branches.