From 51c5f2bfc9db56a18d8ede1b3d9f9fde75a9f62d Mon Sep 17 00:00:00 2001
From: Bronek Kozicki <brok@incorrekt.com>
Date: Thu, 25 Sep 2025 15:14:29 +0100
Subject: [PATCH 1/2] Improve ValidatorList invalid UNL manifest logging
 (#5804)

This change raises logging severity from `INFO` to `WARN` when handling UNL manifest signed with an unexpected / invalid key. It also changes the internal error code for an invalid format of UNL manifest to `invalid` (from `untrusted`).

This is a follow up to problems experienced by an UNL node due to old manifest key configured in `validators.txt`, which would be easier to diagnose with improved logging.

It also replaces a log line with `UNREACHABLE` for an impossible situation when we match UNL manifest key against a configured key which has an invalid type (we cannot configure such a key because of checks when loading configured keys).
---
 src/test/app/ValidatorList_test.cpp         | 18 ++++++++++
 src/xrpld/app/misc/ValidatorList.h          |  2 +-
 src/xrpld/app/misc/detail/ValidatorList.cpp | 40 +++++++++++++--------
 3 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/src/test/app/ValidatorList_test.cpp b/src/test/app/ValidatorList_test.cpp
index a3b62bd4f7..2b004c3b52 100644
--- a/src/test/app/ValidatorList_test.cpp
+++ b/src/test/app/ValidatorList_test.cpp
@@ -768,6 +768,24 @@ private:
         expectUntrusted(lists.at(7));
         expectTrusted(lists.at(2));
 
+        // try empty or mangled manifest
+        checkResult(
+            trustedKeys->applyLists(
+                "", version, {{blob7, sig7, {}}, {blob6, sig6, {}}}, siteUri),
+            publisherPublic,
+            ListDisposition::invalid,
+            ListDisposition::invalid);
+
+        checkResult(
+            trustedKeys->applyLists(
+                base64_encode("not a manifest"),
+                version,
+                {{blob7, sig7, {}}, {blob6, sig6, {}}},
+                siteUri),
+            publisherPublic,
+            ListDisposition::invalid,
+            ListDisposition::invalid);
+
         // do not use list from untrusted publisher
         auto const untrustedManifest = base64_encode(makeManifestString(
             randomMasterKey(),
diff --git a/src/xrpld/app/misc/ValidatorList.h b/src/xrpld/app/misc/ValidatorList.h
index 1f5d728824..9a2018cbd4 100644
--- a/src/xrpld/app/misc/ValidatorList.h
+++ b/src/xrpld/app/misc/ValidatorList.h
@@ -877,7 +877,7 @@ private:
     verify(
         lock_guard const&,
         Json::Value& list,
-        std::string const& manifest,
+        Manifest manifest,
         std::string const& blob,
         std::string const& signature);
 
diff --git a/src/xrpld/app/misc/detail/ValidatorList.cpp b/src/xrpld/app/misc/detail/ValidatorList.cpp
index 1ddb51c9dd..2b45cec3be 100644
--- a/src/xrpld/app/misc/detail/ValidatorList.cpp
+++ b/src/xrpld/app/misc/detail/ValidatorList.cpp
@@ -1149,21 +1149,33 @@ ValidatorList::applyList(
 
     Json::Value list;
     auto const& manifest = localManifest ? *localManifest : globalManifest;
-    auto [result, pubKeyOpt] = verify(lock, list, manifest, blob, signature);
+    auto m = deserializeManifest(base64_decode(manifest));
+    if (!m)
+    {
+        JLOG(j_.warn()) << "UNL manifest cannot be deserialized";
+        return PublisherListStats{ListDisposition::invalid};
+    }
+
+    auto [result, pubKeyOpt] =
+        verify(lock, list, std::move(*m), blob, signature);
 
     if (!pubKeyOpt)
     {
-        JLOG(j_.info()) << "ValidatorList::applyList unable to retrieve the "
-                           "master public key from the verify function\n";
+        JLOG(j_.warn())
+            << "UNL manifest is signed with an unrecognized master public key";
         return PublisherListStats{result};
     }
 
     if (!publicKeyType(*pubKeyOpt))
-    {
-        JLOG(j_.info()) << "ValidatorList::applyList Invalid Public Key type"
-                           " retrieved from the verify function\n ";
+    {  // LCOV_EXCL_START
+       // This is an impossible situation because we will never load an
+       // invalid public key type (see checks in `ValidatorList::load`) however
+       // we can only arrive here if the key used by the manifest matched one of
+       // the loaded keys
+        UNREACHABLE(
+            "ripple::ValidatorList::applyList : invalid public key type");
         return PublisherListStats{result};
-    }
+    }  // LCOV_EXCL_STOP
 
     PublicKey pubKey = *pubKeyOpt;
     if (result > ListDisposition::pending)
@@ -1356,19 +1368,17 @@ std::pair<ListDisposition, std::optional<PublicKey>>
 ValidatorList::verify(
     ValidatorList::lock_guard const& lock,
     Json::Value& list,
-    std::string const& manifest,
+    Manifest manifest,
     std::string const& blob,
     std::string const& signature)
 {
-    auto m = deserializeManifest(base64_decode(manifest));
-
-    if (!m || !publisherLists_.count(m->masterKey))
+    if (!publisherLists_.count(manifest.masterKey))
         return {ListDisposition::untrusted, {}};
 
-    PublicKey masterPubKey = m->masterKey;
-    auto const revoked = m->revoked();
+    PublicKey masterPubKey = manifest.masterKey;
+    auto const revoked = manifest.revoked();
 
-    auto const result = publisherManifests_.applyManifest(std::move(*m));
+    auto const result = publisherManifests_.applyManifest(std::move(manifest));
 
     if (revoked && result == ManifestDisposition::accepted)
     {
@@ -1796,7 +1806,7 @@ ValidatorList::getAvailable(
 
     if (!keyBlob || !publicKeyType(makeSlice(*keyBlob)))
     {
-        JLOG(j_.info()) << "Invalid requested validator list publisher key: "
+        JLOG(j_.warn()) << "Invalid requested validator list publisher key: "
                         << pubKey;
         return {};
     }

From a12f5de68d0acd2641829fdc144404e1ad1ff9e3 Mon Sep 17 00:00:00 2001
From: Bart <bthomee@users.noreply.github.com>
Date: Thu, 25 Sep 2025 18:08:07 +0200
Subject: [PATCH 2/2] chore: Pin all CI Docker tags (#5813)

To avoid surprises and ensure reproducibility, this change pins all CI Docker image tags to the latest version in the XRPLF/CI repo.
---
 .github/workflows/build-test.yml        | 2 +-
 .github/workflows/notify-clio.yml       | 2 +-
 .github/workflows/pre-commit.yml        | 3 ++-
 .github/workflows/publish-docs.yml      | 2 +-
 .github/workflows/upload-conan-deps.yml | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 634ed42690..2197e88a42 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -63,7 +63,7 @@ jobs:
       matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
       max-parallel: 10
     runs-on: ${{ matrix.architecture.runner }}
-    container: ${{ inputs.os == 'linux' && format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version) || null }}
+    container: ${{ inputs.os == 'linux' && format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}-sha-5dd7158', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version) || null }}
     steps:
       - name: Check strategy matrix
         run: |
diff --git a/.github/workflows/notify-clio.yml b/.github/workflows/notify-clio.yml
index 692904ff12..2d6fa63796 100644
--- a/.github/workflows/notify-clio.yml
+++ b/.github/workflows/notify-clio.yml
@@ -40,7 +40,7 @@ jobs:
   upload:
     if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
     runs-on: ubuntu-latest
-    container: ghcr.io/xrplf/ci/ubuntu-noble:gcc-13
+    container: ghcr.io/xrplf/ci/ubuntu-noble:gcc-13-sha-5dd7158
     steps:
       - name: Checkout repository
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index ead137308d..9b85a3bd11 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -7,8 +7,9 @@ on:
   workflow_dispatch:
 
 jobs:
+  # Call the workflow in the XRPLF/actions repo that runs the pre-commit hooks.
   run-hooks:
     uses: XRPLF/actions/.github/workflows/pre-commit.yml@af1b0f0d764cda2e5435f5ac97b240d4bd4d95d3
     with:
       runs_on: ubuntu-latest
-      container: '{ "image": "ghcr.io/xrplf/ci/tools-rippled-pre-commit" }'
+      container: '{ "image": "ghcr.io/xrplf/ci/tools-rippled-pre-commit:sha-d1496b8" }'
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 2fcdd581d1..efd89a5b22 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -27,7 +27,7 @@ env:
 jobs:
   publish:
     runs-on: ubuntu-latest
-    container: ghcr.io/xrplf/ci/tools-rippled-documentation
+    container: ghcr.io/xrplf/ci/tools-rippled-documentation:sha-d1496b8
     permissions:
       contents: write
     steps:
diff --git a/.github/workflows/upload-conan-deps.yml b/.github/workflows/upload-conan-deps.yml
index c52b3c89d3..98db52a436 100644
--- a/.github/workflows/upload-conan-deps.yml
+++ b/.github/workflows/upload-conan-deps.yml
@@ -56,7 +56,7 @@ jobs:
       matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
       max-parallel: 10
     runs-on: ${{ matrix.architecture.runner }}
-    container: ${{ contains(matrix.architecture.platform, 'linux') && format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version) || null }}
+    container: ${{ contains(matrix.architecture.platform, 'linux') && format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}-sha-5dd7158', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version) || null }}
 
     steps:
       - name: Cleanup workspace