Cover v1.5 ✅ Adding a Permissioning Layer & the Cover SDK
Today, we’re releasing a newer, more robust version of Cover that comes with a new code base and an SDK for simplified interactions with the Cover canisters.
Today, Cover is growing out of its alpha status and into a version we’re dubbing v1.5 — not quite full v2, but consider this a strong stepping stone to the full Cover protocol + platform.
Last time we talked, we mentioned that one of the hurdles forward was figuring out permissioning around build submissions in Cover. With this release, we’ve added a permissioning layer that makes for a more secure platform.
But that’s not all, at the same time we’ve also increased the flexibility & composability of build submissions by introducing a Cover SDK.
This all sounds great! In this blog, we’ll dive deep into what these changes mean for Cover, how you can build atop them, and why they help increase the code transparency of the Internet Computer dApp ecosystem.
A Quick Reminder.
Before we get to how Cover has evolved from v1 → v1.5, here’s a quick reminder of what Cover does:
Cover ensures that canisters living on the Internet Computer mainnet have verifiably open code. This is done by taking the WASM hash that gets generated every time a canister is deployed or updated, and comparing it with the WASM hash that Cover generates from a public Github repo.
If they match, this canister is now ‘verified’ by Cover — a status that is saved to Cover’s canister and is queryable by anyone. If at any time the WASM hashes are out of sync, the canister goes back to being ‘unverified’.
Cover allows dApps to gain user trust by doxxing their code for everyone to inspect and determine if it’s safe to interact & entrust your assets with.
Cover v1.5 — Flexible, Permissioned Builds.
Cover’s improved architecture diagram, highlighting the move away from requiring Github Actions for build submissions and adding a ‘Verify Ownership’ step.
The first major improvement that we’ve made to Cover v1.5 is adding a permissioning layer. In Cover v1, anyone was able to submit a canister build for any canister. This lack of permissioning created an opportunity for malicious actors to submit builds to canisters they didn’t have any affiliation with, that they knew would fail. This made it difficult to fully trust Cover v1’s verified status — we’ve now solved this.
The core of Cover’s permissioning layer is enabled by our addition of identity. What this means is that we can authenticate users and only let them make build submissions against canister’s that they own or control. This can be visualized from the addition of the Verify Ownership step in the diagram above.
Unless an owner tries to self-sabotage, this pretty well covers the major trust issue that Cover v1 had.
The second area of improvement that we’ve focused on in this update is adding flexibility to the channels that developers can submit new builds through.
Cover v1 brought code verification of Github Repos through a custom Cover Github Action. However, we realized that this is a very opinionated and potentially limiting choice on our behalf. Who are we to say that developers must use (and potentially have to pay for) Github Actions to use Cover… we’re supposed to be an open internet service, after all!
So with Cover v1.5, we created the Cover SDK to help just this problem. Cover’s SDK comes with methods for handling custom build configs and makes new build submissions a breeze. Developers can integrate these methods into applications of their own — Essentially, Cover is now plug & play!
Want to create your own custom CI-CD pipeline that has Cover sandwiched into the middle? Go for it! Want to authenticate and allow users to submit builds through a frontend application? That’s possible too… more on that soon 😉
However, Cover’s SDK isn’t solely for build configs and submission…
Working with the Cover SDK 🛠
The Cover SDK is a Javascript library that wires up a connection to the Cover canister & validator to predictably & consistently translate method calls to the Cover’s open APIs. We previously talked about the Cover SDK in the context of submitting new builds — but this is not all it can do! Developers might also want to use the SDK to:
- Get a canister’s IC WASM hash
- Get a canister’s Cover WASM hash
- Check the current verified status of a canister
- Get the build configs for a canister submitted to Cover
- Ask for a list of all verified canisters
- Manage build configurations
We strongly recommend that all applications looking to interface with Cover use our SDK as their entry point. It allows for our team to continually upgrade Cover without breaking integrations as we can simply modify the SDK under the hood to match any updates required.
Get started with the Cover SDK by checking out our documentation 📒
What to expect next from Cover.
As we said in the introduction, Cover v1.5 is a very significant update that represents a step towards Cover v2. So what can we expect from Cover v2 & beyond? 🤔
Cover UI
We’ve got the designs fully mocked, and have already started development of the application! Cover’s UI will be a simple yet friendly place where users can come to check if the canister that they’re interacting with is Cover verified.
Additionally, users will be able to authenticate through Plug and submit new builds of their own through the UI. We’re working hard to provide as many options to use Cover as we can 💪
Caching Layer
As Cover becomes widely adopted, more and more calls to check the current verification status of canisters will be made. To keep up with this increased volume, without sacrificing the available throughput of method calls, we can implement a caching layer for canisters that become popular and receive the bulk of the verification requests.
Decentralizing the Validator
The goal of every open internet service should be to offer a fully permissionless service to its users, completely void of centralized infrastructure. Currently, Cover resembles an in-between frankenstein of decentralized and centralized parts — the validator falling into the latter category.
It seems very feasible to migrate the validator service to run fully on an Internet Computer canister in the future. We are doing our best to communicate our intent to fully decentralize Cover’s infrastructure while we research ways to make it a reality.
Until Next Time 👋
Thanks for reading. Cover is officially out of alpha, which is a big deal! 🥳
With the addition of the SDK, we’re confident that we’ll start to see more and more applications making build submissions, as well as more starting to ingest cover data to add to the security of their users.
As always, if you have any questions or concerns about the Cover v1.5 release, you’re more than welcome to come jam about it in our Discord. We’ll see you there!
