Revert secp256k1 crate upgrade due wasm compilation issues. Set node version to 20.x in .github/workflows/wasm.yml

ImplOfAnImpl · ImplOfAnImpl · commit 07ff2c483975 · 2026-04-23T13:11:30.000+03:00
diff --git a/.github/workflows/wasm.yml b/.github/workflows/wasm.yml
@@ -21,7 +21,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [18.x]
+        node-version: [20.x]
 
     steps:
       - name: Checkout the repository
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -222,7 +222,6 @@ quote = "1.0"
 rand = "0.10"
 rand_core = "0.10"
 rand_0_8 = { version = "0.8", package = "rand" }
-rand_0_9 = { version = "0.9", package = "rand" }
 rand_chacha = "0.10"
 rayon = "1.10"
 reedline = "0.38"
@@ -237,7 +236,7 @@ rstest = "0.24"
 rstest_reuse = "0.7"
 rusqlite = "0.33"
 schnorrkel = "0.11"
-secp256k1 = { version = "0.31", default-features = false }
+secp256k1 = { version = "0.29", default-features = false }
 semver = "1.0"
 serde = "1.0"
 serde_json = "1.0"
diff --git a/blockprod/src/detail/tests.rs b/blockprod/src/detail/tests.rs
@@ -1951,7 +1951,7 @@ mod process_block_with_custom_id {
 
         let mut rng = make_seedable_rng(seed);
 
-        let jobs_to_create = rng.random_range(1..=20);
+        let jobs_to_create = 10 + rng.random_range(1..=20);
 
         let block_production = BlockProduction::new(
             chain_config,
diff --git a/crypto/src/key/mod.rs b/crypto/src/key/mod.rs
@@ -37,8 +37,8 @@ pub use signature::Signature;
 
 #[derive(thiserror::Error, Debug, PartialEq, Eq, PartialOrd, Ord, Clone)]
 pub enum SignatureError {
-    #[error("Wrong signature size")]
-    WrongSignatureSize,
+    #[error("Failed to construct a valid signature")]
+    SignatureConstructionError,
 }
 
 #[must_use]
diff --git a/crypto/src/key/secp256k1/extended_keys.rs b/crypto/src/key/secp256k1/extended_keys.rs
@@ -19,7 +19,7 @@ use hmac::{Hmac, Mac};
 use secp256k1;
 use sha2::Sha512;
 
-use randomness::{adapters::Rng09Adapter, CryptoRng};
+use randomness::{adapters::Rng08Adapter, CryptoRng};
 use serialization::{Decode, Encode};
 
 use crate::{
@@ -64,7 +64,7 @@ fn to_key_and_chain_code(
     mac: Hmac<Sha512>,
 ) -> Result<(secp256k1::SecretKey, ChainCode), DerivationError> {
     util::to_key_and_chain_code(mac, |secret_key_bytes| {
-        secp256k1::SecretKey::from_byte_array(*secret_key_bytes)
+        secp256k1::SecretKey::from_slice(secret_key_bytes)
             .map_err(|_| DerivationError::KeyDerivationError)
     })
 }
@@ -92,7 +92,7 @@ impl Secp256k1ExtendedPrivateKey {
         let mut chain_code = [0u8; 32];
         rng.fill_bytes(&mut chain_code);
         let chain_code = chain_code.into();
-        let private_key = secp256k1::SecretKey::new(&mut Rng09Adapter(rng)).into();
+        let private_key = secp256k1::SecretKey::new(&mut Rng08Adapter(rng)).into();
         // Generate a new private key
         let ext_priv = Secp256k1ExtendedPrivateKey {
             derivation_path: DerivationPath::empty(),
diff --git a/crypto/src/key/secp256k1/mod.rs b/crypto/src/key/secp256k1/mod.rs
@@ -18,7 +18,7 @@ pub mod extended_keys;
 use secp256k1;
 use zeroize::Zeroize;
 
-use randomness::{adapters::Rng09Adapter, CryptoRng};
+use randomness::{adapters::Rng08Adapter, CryptoRng};
 use serialization::{Decode, Encode};
 
 use crate::{
@@ -46,7 +46,7 @@ impl Encode for Secp256k1PrivateKey {
 impl Decode for Secp256k1PrivateKey {
     fn decode<I: serialization::Input>(input: &mut I) -> Result<Self, serialization::Error> {
         let mut v = <[u8; secp256k1::constants::SECRET_KEY_SIZE]>::decode(input)?;
-        let result = secp256k1::SecretKey::from_byte_array(v)
+        let result = secp256k1::SecretKey::from_slice(&v)
             .map(|r| Secp256k1PrivateKey { data: r })
             .map_err(|_| serialization::Error::from("Private Key deserialization failed"));
         v.zeroize();
@@ -63,7 +63,7 @@ impl From<secp256k1::SecretKey> for Secp256k1PrivateKey {
 impl Secp256k1PrivateKey {
     pub fn new<R: CryptoRng>(rng: &mut R) -> (Secp256k1PrivateKey, Secp256k1PublicKey) {
         let secp = secp256k1::Secp256k1::new();
-        let (secret, public) = secp.generate_keypair(&mut Rng09Adapter(rng));
+        let (secret, public) = secp.generate_keypair(&mut Rng08Adapter(rng));
         (
             Secp256k1PrivateKey::from_native(secret),
             Secp256k1PublicKey::from_native(public),
@@ -75,9 +75,7 @@ impl Secp256k1PrivateKey {
     }
 
     pub fn from_bytes(bytes: &[u8]) -> Result<Self, Secp256k1KeyError> {
-        let bytes_arr: [u8; secp256k1::constants::SECRET_KEY_SIZE] =
-            bytes.try_into().map_err(|_| Secp256k1KeyError::InvalidData)?;
-        secp256k1::SecretKey::from_byte_array(bytes_arr)
+        secp256k1::SecretKey::from_slice(bytes)
             .map(|r| Secp256k1PrivateKey { data: r })
             .map_err(|_| Secp256k1KeyError::InvalidData)
     }
@@ -98,14 +96,15 @@ impl Secp256k1PrivateKey {
         let secp = secp256k1::Secp256k1::new();
         // Hash the message
         let e = Blake2b32Stream::new().write(msg).finalize();
-        let msg_hash = secp256k1::Message::from_digest(e.into());
+        let msg_hash =
+            secp256k1::Message::from_digest_slice(e.as_slice()).expect("Blake2b32 is 32 bytes");
         // Sign the hash
         // TODO(SECURITY) erase keypair after signing
         let keypair = self.data.keypair(&secp);
 
         let aux_data = aux_data_provider.get_secp256k1_schnorr_aux_data();
 
-        secp.sign_schnorr_with_aux_rand(msg_hash.as_ref(), &keypair, &aux_data)
+        secp.sign_schnorr_with_aux_rand(&msg_hash, &keypair, &aux_data)
     }
 }
 
@@ -191,7 +190,7 @@ impl Secp256k1PublicKey {
         VERIFIER
             .verify_schnorr(
                 signature,
-                msg_hashed.as_ref(),
+                msg_hashed,
                 &self.pubkey_data.x_only_public_key().0,
             )
             .is_ok()
@@ -371,11 +370,9 @@ mod test {
         #[case] is_valid: bool,
     ) {
         let pk = Secp256k1PublicKey::from_bytes(&hex::decode(pk).unwrap()).unwrap();
-        let sig = secp256k1::schnorr::Signature::from_byte_array(
-            hex::decode(sig).unwrap().try_into().unwrap(),
-        );
+        let sig = secp256k1::schnorr::Signature::from_slice(&hex::decode(sig).unwrap()).unwrap();
         let msg_hash =
-            secp256k1::Message::from_digest(hex::decode(msg_hash).unwrap().try_into().unwrap());
+            secp256k1::Message::from_digest_slice(&hex::decode(msg_hash).unwrap()).unwrap();
         assert_eq!(pk.verify_message_hashed(&sig, &msg_hash), is_valid);
     }
 
@@ -396,7 +393,7 @@ mod test {
         assert!(pk.verify_message(&sig1, &msg));
         assert!(pk.verify_message(&sig2, &msg));
         assert_eq!(sig1, sig2);
-        assert_eq!(sig1.to_byte_array(), sig2.to_byte_array());
+        assert_eq!(sig1.serialize(), sig2.serialize());
     }
 
     #[rstest]
diff --git a/crypto/src/key/signature/mod.rs b/crypto/src/key/signature/mod.rs
@@ -65,7 +65,8 @@ impl Decode for Signature {
         match sig_kind {
             SignatureKind::Secp256k1Schnorr => {
                 let data = <[u8; secp256k1::constants::SCHNORR_SIGNATURE_SIZE]>::decode(input)?;
-                let sig = secp256k1::schnorr::Signature::from_byte_array(data);
+                let sig = secp256k1::schnorr::Signature::from_slice(&data)
+                    .map_err(|_| serialization::Error::from("Signature deserialization failed"))?;
                 Ok(Signature::Secp256k1Schnorr(sig))
             }
         }
@@ -84,9 +85,8 @@ impl Signature {
     ) -> Result<Self, SignatureError> {
         match kind {
             SignatureKind::Secp256k1Schnorr => {
-                let decoded_sig = secp256k1::schnorr::Signature::from_byte_array(
-                    data.as_ref().try_into().map_err(|_| SignatureError::WrongSignatureSize)?,
-                );
+                let decoded_sig = secp256k1::schnorr::Signature::from_slice(data.as_ref())
+                    .map_err(|_| SignatureError::SignatureConstructionError)?;
                 Ok(Self::Secp256k1Schnorr(decoded_sig))
             }
         }
diff --git a/crypto/src/util/mod.rs b/crypto/src/util/mod.rs
@@ -31,7 +31,7 @@ pub fn new_hmac_sha_512(key: &[u8]) -> Hmac<Sha512> {
 
 pub fn to_key_and_chain_code<SecretKey>(
     mac: Hmac<Sha512>,
-    to_key: impl FnOnce(&[u8; 32]) -> Result<SecretKey, DerivationError>,
+    to_key: impl FnOnce(&[u8]) -> Result<SecretKey, DerivationError>,
 ) -> Result<(SecretKey, ChainCode), DerivationError> {
     // Finalize the hmac
     let mut result = mac.finalize().into_bytes();
@@ -44,7 +44,7 @@ pub fn to_key_and_chain_code<SecretKey>(
     result.zeroize();
 
     // Create the secret key key
-    let secret_key = to_key(&secret_key_bytes.into())?;
+    let secret_key = to_key(secret_key_bytes.as_slice())?;
     secret_key_bytes.zeroize();
 
     // Chain code
diff --git a/randomness/Cargo.toml b/randomness/Cargo.toml
@@ -9,7 +9,6 @@ license.workspace = true
 rand.workspace = true
 rand_core.workspace = true
 rand_0_8.workspace = true
-rand_0_9.workspace = true
 
 [dev-dependencies]
 static_assertions.workspace = true
diff --git a/randomness/src/adapters.rs b/randomness/src/adapters.rs
@@ -37,23 +37,3 @@ impl<R: crate::Rng> rand_0_8::RngCore for Rng08Adapter<R> {
 }
 
 impl<R: crate::CryptoRng> rand_0_8::CryptoRng for Rng08Adapter<R> {}
-
-/// An adapter that implements `rand` v0.9's `RngCore` and `CryptoRng` if the wrapped type implements
-/// `Rng` and `CryptoRng` respectively.
-pub struct Rng09Adapter<R>(pub R);
-
-impl<R: crate::Rng> rand_0_9::RngCore for Rng09Adapter<R> {
-    fn next_u32(&mut self) -> u32 {
-        self.0.next_u32()
-    }
-
-    fn next_u64(&mut self) -> u64 {
-        self.0.next_u64()
-    }
-
-    fn fill_bytes(&mut self, dest: &mut [u8]) {
-        self.0.fill_bytes(dest)
-    }
-}
-
-impl<R: crate::CryptoRng> rand_0_9::CryptoRng for Rng09Adapter<R> {}
diff --git a/randomness/src/lib.rs b/randomness/src/lib.rs
@@ -135,8 +135,4 @@ mod tests {
     assert_impl_all!(Rng08Adapter<NonCryptoRngType>: rand_0_8::RngCore);
     assert_not_impl_any!(Rng08Adapter<NonCryptoRngType>: rand_0_8::CryptoRng);
     assert_impl_all!(Rng08Adapter<CryptoRngType>: rand_0_8::Rng, rand_0_8::CryptoRng);
-
-    assert_impl_all!(Rng09Adapter<NonCryptoRngType>: rand_0_9::RngCore);
-    assert_not_impl_any!(Rng09Adapter<NonCryptoRngType>: rand_0_9::CryptoRng);
-    assert_impl_all!(Rng09Adapter<CryptoRngType>: rand_0_9::Rng, rand_0_9::CryptoRng);
 }
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
@@ -1478,27 +1478,13 @@ user-id = 1588
 user-login = "apoelstra"
 user-name = "Andrew Poelstra"
 
-[[publisher.secp256k1]]
-version = "0.31.1"
-when = "2025-06-23"
-user-id = 1588
-user-login = "apoelstra"
-user-name = "Andrew Poelstra"
-
 [[publisher.secp256k1-sys]]
 version = "0.10.1"
 when = "2024-09-11"
 user-id = 1588
 user-login = "apoelstra"
 user-name = "Andrew Poelstra"
 
-[[publisher.secp256k1-sys]]
-version = "0.11.0"
-when = "2025-04-26"
-user-id = 1588
-user-login = "apoelstra"
-user-name = "Andrew Poelstra"
-
 [[publisher.semver]]
 version = "1.0.27"
 when = "2025-09-14"
diff --git a/wasm-wrappers/Cargo.toml b/wasm-wrappers/Cargo.toml
@@ -26,8 +26,11 @@ itertools.workspace = true
 serde.workspace = true
 thiserror.workspace = true
 
-# This crate is required for rand to work with wasm. See: https://docs.rs/getrandom/latest/getrandom/#webassembly-support
-getrandom = { version = "0.2", features = ["js"] }
+# This is required for `rand` to work with wasm. See: https://docs.rs/getrandom/latest/getrandom/#webassembly-support
+# Note that technically we use 2 differeent versions of `rand` (0.8 and 0.10) which depend on different versions of
+# `getrandom` (0.2 and 0.4 respectively). In reality though, only RNGs from 0.10 will be created.
+getrandom_0_2 = { version = "0.2", package = "getrandom", features = ["js"] }
+getrandom_0_4 = { version = "0.4", package = "getrandom", features = ["wasm_js"] }
 gloo-utils = "0.2"
 js-sys = "0.3"
 tsify = "0.5"

Original file line number	Diff line number	Diff line change
`@@ -37,8 +37,8 @@ pub use signature::Signature;`
`37`	`37`
`38`	`38`	`#[derive(thiserror::Error, Debug, PartialEq, Eq, PartialOrd, Ord, Clone)]`
`39`	`39`	`pub enum SignatureError {`
`40`		`- #[error("Wrong signature size")]`
`41`		`- WrongSignatureSize,`
	`40`	`+ #[error("Failed to construct a valid signature")]`
	`41`	`+ SignatureConstructionError,`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`#[must_use]`
Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,8 @@ impl Decode for Signature {`
`65`	`65`	`match sig_kind {`
`66`	`66`	`SignatureKind::Secp256k1Schnorr => {`
`67`	`67`	`let data = <[u8; secp256k1::constants::SCHNORR_SIGNATURE_SIZE]>::decode(input)?;`
`68`		`- let sig = secp256k1::schnorr::Signature::from_byte_array(data);`
	`68`	`+ let sig = secp256k1::schnorr::Signature::from_slice(&data)`
	`69`	`+ .map_err(\|_\| serialization::Error::from("Signature deserialization failed"))?;`
`69`	`70`	`Ok(Signature::Secp256k1Schnorr(sig))`
`70`	`71`	`}`
`71`	`72`	`}`
`@@ -84,9 +85,8 @@ impl Signature {`
`84`	`85`	`) -> Result<Self, SignatureError> {`
`85`	`86`	`match kind {`
`86`	`87`	`SignatureKind::Secp256k1Schnorr => {`
`87`		`- let decoded_sig = secp256k1::schnorr::Signature::from_byte_array(`
`88`		`- data.as_ref().try_into().map_err(\|_\| SignatureError::WrongSignatureSize)?,`
`89`		`- );`
	`88`	`+ let decoded_sig = secp256k1::schnorr::Signature::from_slice(data.as_ref())`
	`89`	`+ .map_err(\|_\| SignatureError::SignatureConstructionError)?;`
`90`	`90`	`Ok(Self::Secp256k1Schnorr(decoded_sig))`
`91`	`91`	`}`
`92`	`92`	`}`