Add support for ZK attestation service

.github/workflows/espresso-devnet-tests.yaml

@@ -38,6 +38,18 @@ jobs:
       - name: Compile contracts
         run: just compile-contracts
 
+      - name: Load environment variables
+        run: |
+          while IFS= read -r line; do
+            # Skip comments and empty lines
+            if [[ ! "$line" =~ ^#.* ]] && [[ -n "$line" ]]; then
+              # Remove quotes from values
+              line=$(echo "$line" | sed 's/"\(.*\)"/\1/')
+              echo "$line" >> $GITHUB_ENV
+            fi
+          done < ./espresso/.env
+        shell: bash
+
       - name: Build Devnet without TEE
         run: |
           cd op-deployer

.github/workflows/espresso-enclave.yaml

@@ -68,6 +68,18 @@ jobs:
             --port 22 \
             --cidr 0.0.0.0/0 || true
 
+      - name: Load environment variables
+        run: |
+          while IFS= read -r line; do
+            # Skip comments and empty lines
+            if [[ ! "$line" =~ ^#.* ]] && [[ -n "$line" ]]; then
+              # Remove quotes from values
+              line=$(echo "$line" | sed 's/"\(.*\)"/\1/')
+              echo "$line" >> $GITHUB_ENV
+            fi
+          done < ./espresso/.env
+        shell: bash
+
       - name: Launch EC2 Instance
         id: ec2
         run: |
@@ -108,6 +120,17 @@ jobs:
         run: |
           ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=5 -i key.pem ec2-user@$DNS << EOF
             export BRANCH_NAME=$BRANCH_NAME
+            export ESPRESSO_ATTESTATION_VERIFIER_NETWORK_RPC_URL="${ESPRESSO_ATTESTATION_VERIFIER_NETWORK_RPC_URL}"
+            export ESPRESSO_ATTESTATION_VERIFIER_NETWORK_PRIVATE_KEY="${ESPRESSO_ATTESTATION_VERIFIER_NETWORK_PRIVATE_KEY}"
+            export ESPRESSO_ATTESTATION_VERIFIER_SP1_PROVER="${ESPRESSO_ATTESTATION_VERIFIER_SP1_PROVER}"
+            export ESPRESSO_ATTESTATION_VERIFIER_RPC_URL="${ESPRESSO_ATTESTATION_VERIFIER_RPC_URL}"
+            export ESPRESSO_ATTESTATION_VERIFIER_NITRO_VERIFIER_ADDRESS="${ESPRESSO_ATTESTATION_VERIFIER_NITRO_VERIFIER_ADDRESS}"
+            export ESPRESSO_ATTESTATION_VERIFIER_NETWORK_USE_DOCKER="${ESPRESSO_ATTESTATION_VERIFIER_NETWORK_USE_DOCKER}"
+            export ESPRESSO_ATTESTATION_VERIFIER_SKIP_TIME_VALIDITY_CHECK="${ESPRESSO_ATTESTATION_VERIFIER_SKIP_TIME_VALIDITY_CHECK}"
+            export ESPRESSO_ATTESTATION_VERIFIER_RUST_LOG="${ESPRESSO_ATTESTATION_VERIFIER_RUST_LOG}"
+            export ESPRESSO_ATTESTATION_VERIFIER_HOST="${ESPRESSO_ATTESTATION_VERIFIER_HOST}"
+            export ESPRESSO_ATTESTATION_VERIFIER_PORT="${ESPRESSO_ATTESTATION_VERIFIER_PORT}"
+            export ESPRESSO_ATTESTATION_VERIFIER_DOCKER_IMAGE="${ESPRESSO_ATTESTATION_VERIFIER_DOCKER_IMAGE}"
             ./run-tests-github-actions.sh  ${{ secrets.CACHIX_AUTH_TOKEN }}
           EOF
 

.github/workflows/espresso-integration.yaml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-8core
     strategy:
       fail-fast: false
       matrix:
@@ -37,6 +37,18 @@ jobs:
       - name: Compile contracts
         run: just compile-contracts
 
+      - name: Load environment variables
+        run: |
+          while IFS= read -r line; do
+            # Skip comments and empty lines
+            if [[ ! "$line" =~ ^#.* ]] && [[ -n "$line" ]]; then
+              # Remove quotes from values
+              line=$(echo "$line" | sed 's/"\(.*\)"/\1/')
+              echo "$line" >> $GITHUB_ENV
+            fi
+          done < ./espresso/.env
+        shell: bash
+
       - name: Generate test slice
         id: test_split
         uses: hashicorp-forge/go-test-split-action@v1

espresso/.env

@@ -26,6 +26,20 @@ ESPRESSO_SEQUENCER_API_PORT=24000
 ESPRESSO_DEV_NODE_PORT=24002
 ESPRESSO_BUILDER_PORT=31003
 
+
+##### Espresso Attestation Verifier Service ######
+ESPRESSO_ATTESTATION_VERIFIER_PORT=8080
+ESPRESSO_ATTESTATION_VERIFIER_RPC_URL="https://rpc.ankr.com/eth_sepolia/ece75e2d2d01c537031b3b31a619b7830674b9cd1b9fe6bc957a3d393c035dbb"
+ESPRESSO_ATTESTATION_VERIFIER_SP1_PROVER="mock"
+ESPRESSO_ATTESTATION_VERIFIER_NITRO_VERIFIER_ADDRESS="0x2D7fbBAD6792698Ba92e67b7e180f8010B9Ec788"
+ESPRESSO_ATTESTATION_VERIFIER_SKIP_TIME_VALIDITY_CHECK=true
+ESPRESSO_ATTESTATION_VERIFIER_HOST="0.0.0.0"
+ESPRESSO_ATTESTATION_VERIFIER_NETWORK_PRIVATE_KEY="0x71f8e55f7555c946eadd5a2b5897465a9813b3ee493d6ef4ba6f1505a6e97af3"
+ESPRESSO_ATTESTATION_VERIFIER_NETWORK_RPC_URL="https://rpc.mainnet.succinct.xyz"
+ESPRESSO_ATTESTATION_VERIFIER_NETWORK_USE_DOCKER=1
+ESPRESSO_ATTESTATION_VERIFIER_RUST_LOG="info"
+ESPRESSO_ATTESTATION_VERIFIER_DOCKER_IMAGE="ghcr.io/espressosystems/attestation-verifier-zk:sha-0e987c3"
+
 L1_ENGINE_PORT=8551
 L1_HTTP_PORT=8545
 L1_BEACON_PORT=5052

espresso/cli.go

@@ -36,6 +36,7 @@ var (
 	OriginHeight                     = espressoFlags("origin-height")
 	NamespaceFlagName                = espressoFlags("namespace")
 	RollupL1UrlFlagName              = espressoFlags("rollup-l1-url")
+	AttestationServiceFlagName       = espressoFlags("espresso-attestation-service")
 )
 
 func CLIFlags(envPrefix string, category string) []cli.Flag {
@@ -103,20 +104,27 @@ func CLIFlags(envPrefix string, category string) []cli.Flag {
 			EnvVars:  espressoEnvs(envPrefix, "ROLLUP_L1_URL"),
 			Category: category,
 		},
+		&cli.StringFlag{
+			Name:     AttestationServiceFlagName,
+			Usage:    "URL of the Espresso attestation service",
+			EnvVars:  espressoEnvs(envPrefix, "ATTESTATION_SERVICE_URL"),
+			Category: category,
+		},
 	}
 }
 
 type CLIConfig struct {
-	Enabled                  bool
-	PollInterval             time.Duration
-	UseFetchAPI              bool
-	QueryServiceURLs         []string
-	LightClientAddr          common.Address
-	L1URL                    string
-	RollupL1URL              string
-	TestingBatcherPrivateKey *ecdsa.PrivateKey
-	Namespace                uint64
-	OriginHeight             uint64
+	Enabled                    bool
+	PollInterval               time.Duration
+	UseFetchAPI                bool
+	QueryServiceURLs           []string
+	LightClientAddr            common.Address
+	L1URL                      string
+	RollupL1URL                string
+	TestingBatcherPrivateKey   *ecdsa.PrivateKey
+	Namespace                  uint64
+	OriginHeight               uint64
+	EspressoAttestationService string
 }
 
 func (c CLIConfig) Check() error {
@@ -137,19 +145,23 @@ func (c CLIConfig) Check() error {
 		if c.Namespace == 0 {
 			return fmt.Errorf("namespace is required when Espresso is enabled")
 		}
+		if c.EspressoAttestationService == "" {
+			return fmt.Errorf("attestation service URL is required when Espresso is enabled")
+		}
 	}
 	return nil
 }
 
 func ReadCLIConfig(c *cli.Context) CLIConfig {
 	config := CLIConfig{
-		Enabled:      c.Bool(EnabledFlagName),
-		PollInterval: c.Duration(PollIntervalFlagName),
-		UseFetchAPI:  c.Bool(UseFetchApiFlagName),
-		L1URL:        c.String(L1UrlFlagName),
-		RollupL1URL:  c.String(RollupL1UrlFlagName),
-		Namespace:    c.Uint64(NamespaceFlagName),
-		OriginHeight: c.Uint64(OriginHeight),
+		Enabled:                    c.Bool(EnabledFlagName),
+		PollInterval:               c.Duration(PollIntervalFlagName),
+		UseFetchAPI:                c.Bool(UseFetchApiFlagName),
+		L1URL:                      c.String(L1UrlFlagName),
+		RollupL1URL:                c.String(RollupL1UrlFlagName),
+		Namespace:                  c.Uint64(NamespaceFlagName),
+		OriginHeight:               c.Uint64(OriginHeight),
+		EspressoAttestationService: c.String(AttestationServiceFlagName),
 	}
 
 	config.QueryServiceURLs = c.StringSlice(QueryServiceUrlsFlagName)

espresso/docker-compose.yml

@@ -359,6 +359,8 @@ services:
         condition: service_healthy
       l2-genesis:
         condition: service_completed_successfully
+      attestation-service-zk:
+        condition: service_healthy
     environment:
       L1_RPC: http://l1-geth:${L1_HTTP_PORT}
       OP_BATCHER_L1_ETH_RPC: http://l1-geth:${L1_HTTP_PORT}
@@ -374,6 +376,7 @@ services:
       - --espresso.enabled=true
       - --espresso.fetch-api=true
       - --espresso.poll-interval=1s
+      - --espresso.espresso-attestation-service=http://attestation-service-zk:${ESPRESSO_ATTESTATION_VERIFIER_PORT}
       - --espresso.light-client-addr=0x703848f4c85f18e3acd8196c8ec91eb0b7bd0797
       - --espresso.testing-batcher-private-key=${OP_TESTING_BATCHER_PRIVATE_KEY:-$OPERATOR_PRIVATE_KEY}
       - --private-key=${OP_BATCHER_PRIVATE_KEY:-$OPERATOR_PRIVATE_KEY}
@@ -417,7 +420,11 @@ services:
         condition: service_started
       l2-genesis:
         condition: service_completed_successfully
+      attestation-service-zk:
+        condition: service_healthy
     network_mode: "host"
+    env_file:
+      - ./.env
     environment:
       http_proxy: http://127.0.0.1:3128
       HTTP_PROXY: http://127.0.0.1:3128
@@ -444,6 +451,7 @@ services:
         export L2_RPC_URL="http://127.0.0.1:${OP_HTTP_PORT}"
         export ROLLUP_RPC_URL="http://127.0.0.1:${ROLLUP_PORT}"
         export ESPRESSO_URL1="http://127.0.0.1:${ESPRESSO_SEQUENCER_API_PORT}"
+        export ESPRESSO_ATTESTATION_SERVICE_URL="http://127.0.0.1:${ESPRESSO_ATTESTATION_VERIFIER_PORT}"
         /source/espresso/docker/op-batcher-tee/run-enclave.sh
 
   # Legacy op-proposer (for non-succinct mode)
@@ -627,6 +635,36 @@ services:
       start_period: 240s
     restart: unless-stopped
 
+  attestation-service-zk:
+    image: ghcr.io/espressosystems/attestation-verifier-zk:sha-0e987c3
+    platform: linux/amd64
+    ports:
+      - "${ESPRESSO_ATTESTATION_VERIFIER_PORT}:${ESPRESSO_ATTESTATION_VERIFIER_PORT}"
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "timeout 2 bash -c 'cat < /dev/null > /dev/tcp/localhost/${ESPRESSO_ATTESTATION_VERIFIER_PORT}' || exit 1",
+        ]
+      interval: 5s
+      timeout: 3s
+      retries: 30
+      start_period: 150s
+    env_file:
+      - ./.env
+    environment:
+      # This is a demo private key for tests, it doesnt contain any funds
+      NETWORK_PRIVATE_KEY: "${ESPRESSO_ATTESTATION_VERIFIER_NETWORK_PRIVATE_KEY}"
+      NETWORK_RPC_URL: "${ESPRESSO_ATTESTATION_VERIFIER_NETWORK_RPC_URL}"
+      SP1_PROVER: "${ESPRESSO_ATTESTATION_VERIFIER_SP1_PROVER}"
+      RPC_URL: "${ESPRESSO_ATTESTATION_VERIFIER_RPC_URL}"
+      NITRO_VERIFIER_ADDRESS: "${ESPRESSO_ATTESTATION_VERIFIER_NITRO_VERIFIER_ADDRESS}"
+      USE_DOCKER: "${ESPRESSO_ATTESTATION_VERIFIER_NETWORK_USE_DOCKER}"
+      SKIP_TIME_VALIDITY_CHECK: "${ESPRESSO_ATTESTATION_VERIFIER_SKIP_TIME_VALIDITY_CHECK}"
+      RUST_LOG: "${ESPRESSO_ATTESTATION_VERIFIER_RUST_LOG}"
+      HOST: "${ESPRESSO_ATTESTATION_VERIFIER_HOST}"
+      PORT: "${ESPRESSO_ATTESTATION_VERIFIER_PORT}"
+
   espresso-dev-node:
     image: ${ESPRESSO_DEV_NODE_IMAGE}
     depends_on:

espresso/docker/op-batcher-tee/run-enclave.sh

@@ -10,6 +10,7 @@ set -e
 : ${ROLLUP_RPC_URL:?Error: ROLLUP_RPC_URL is required}
 : ${ESPRESSO_URL1:?Error: ESPRESSO_URL1 is required}
 : ${OPERATOR_PRIVATE_KEY:?Error: OPERATOR_PRIVATE_KEY is required}
+: ${ESPRESSO_ATTESTATION_SERVICE_URL:?Error: ESPRESSO_ATTESTATION_SERVICE_URL is required}
 
 # Optional configuration with defaults
 TAG="${TAG:-op-batcher-enclavetool}"
@@ -28,6 +29,7 @@ echo "L1 RPC URL: $L1_RPC_URL"
 echo "L2 RPC URL: $L2_RPC_URL"
 echo "Rollup RPC URL: $ROLLUP_RPC_URL"
 echo "Espresso URLs: $ESPRESSO_URL1, $ESPRESSO_URL2"
+echo "Attestation service url: $ESPRESSO_ATTESTATION_SERVICE_URL"
 echo "Debug Mode: $ENCLAVE_DEBUG"
 echo "Monitor Interval: $MONITOR_INTERVAL seconds"
 echo "Memory: ${MEMORY_MB}MB"
@@ -48,6 +50,7 @@ BATCHER_ARGS="$BATCHER_ARGS,--max-channel-duration=1"
 BATCHER_ARGS="$BATCHER_ARGS,--target-num-frames=1"
 BATCHER_ARGS="$BATCHER_ARGS,--espresso.fetch-api=true"
 BATCHER_ARGS="$BATCHER_ARGS,--espresso.light-client-addr=0x703848f4c85f18e3acd8196c8ec91eb0b7bd0797"
+BATCHER_ARGS="$BATCHER_ARGS,--espresso.espresso-attestation-service=$ESPRESSO_ATTESTATION_SERVICE_URL"
 
 # Add debug arguments if enabled
 if [ "$ENCLAVE_DEBUG" = "true" ]; then

espresso/environment/5_batch_authentication_test.go

@@ -11,17 +11,12 @@ import (
 	"github.com/ethereum-optimism/optimism/op-e2e/e2eutils/geth"
 	"github.com/ethereum-optimism/optimism/op-e2e/system/e2esys"
 	"github.com/ethereum/go-ethereum/crypto"
-	"github.com/hf/nitrite"
 )
 
 // TestE2eDevnetWithInvalidAttestation verifies that the batcher correctly fails to register
 // when provided with an invalid attestation. This test ensures that the batch inbox contract
 // properly validates attestations
 func TestE2eDevnetWithInvalidAttestation(t *testing.T) {
-	// Sishan TODO: this test is skipped now as we skip the attestation verification, should be restored after https://app.asana.com/1/1208976916964769/project/1209976130071762/task/1211868671079203?focus=true
-	// Related task: https://app.asana.com/1/1208976916964769/project/1209976130071762/task/1212349352131215?focus=true
-	t.Skip("skipping E2E invalid attestation test for now as we skip the attestation verification, should be restored after zk verification added.")
-
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
@@ -45,11 +40,7 @@ func TestE2eDevnetWithInvalidAttestation(t *testing.T) {
 	}
 
 	batchDriver := system.BatchSubmitter.TestDriver()
-	batchDriver.Attestation = &nitrite.Result{
-		Document: &nitrite.Document{
-			CABundle: [][]byte{[]byte{1, 2, 3, 4}},
-		},
-	}
+	batchDriver.Attestation = []byte("this is an invalid attestation")
 	err = batchDriver.StartBatchSubmitting()
 
 	if err == nil {
@@ -72,9 +63,15 @@ func TestE2eDevnetWithUnattestedBatcherKey(t *testing.T) {
 
 	launcher := new(env.EspressoDevNodeLauncherDocker)
 
-	privateKey, err := crypto.GenerateKey()
+	// This is a random private key belonging to address 0xe16d5c4080C0faD6D2Ef4eb07C657674a217271C that will result in Mock Nitro verifier to return `false`
+	// because the given key is not registered as an attested batcher.
+	// Check the following code in Mock Espresso Nitro verifier:
+	//    if (signer == address(0xe16d5c4080C0faD6D2Ef4eb07C657674a217271C)) {
+	//        return false;
+	//   }
+	privateKey, err := crypto.HexToECDSA("841c29acb9520a7ea8a48e7686cd825b93e8a3ecd966b62cb396ff8a2cd7e80e")
 	if err != nil {
-		t.Fatalf("failed to generate private key")
+		t.Fatalf("failed to parse private key: %v", err)
 	}
 
 	system, _, err :=

espresso/environment/enclave_helpers.go

@@ -182,7 +182,7 @@ func LaunchBatcherInEnclave() E2eDevnetLauncherOption {
 						for _, url := range c.Espresso.QueryServiceURLs {
 							appendArg(&args, espresso.QueryServiceUrlsFlagName, url)
 						}
-
+						appendArg(&args, espresso.AttestationServiceFlagName, c.Espresso.EspressoAttestationService)
 						err := SetupEnclaver(ct.Ctx, sys, args...)
 						if err != nil {
 							panic(fmt.Sprintf("failed to setup enclaver: %v", err))

espresso/environment/espresso_docker_helpers.go

@@ -44,8 +44,10 @@ type DockerContainerConfig struct {
 
 	Ports []string
 
-	Network string
-	AutoRM  bool
+	Network  string
+	AutoRM   bool
+	Platform string
+	Name     string
 }
 
 // DockerBuildArg is a configuration struct that is used to pass
@@ -71,6 +73,13 @@ func (d *DockerCli) LaunchContainer(ctx context.Context, config DockerContainerC
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 
+	// Remove existing container with the same name if it exists
+	if config.Name != "" {
+		// Try to remove the container, ignore errors if it doesn't exist
+		removeCmd := exec.CommandContext(ctx, "docker", "rm", "-f", config.Name)
+		_ = removeCmd.Run() // Ignore errors - container might not exist
+	}
+
 	outputBuffer := new(bytes.Buffer)
 	var args []string
 	// Let's build the arguments for the docker launch command
@@ -91,6 +100,14 @@ func (d *DockerCli) LaunchContainer(ctx context.Context, config DockerContainerC
 				args = append(args, "-p", port)
 			}
 		}
+		// Add platform support
+		if config.Platform != "" {
+			args = append(args, "--platform", config.Platform)
+		}
+
+		if config.Name != "" {
+			args = append(args, "--name", config.Name)
+		}
 
 		for key, value := range config.Environment {
 			args = append(args, "-e", key+"="+value)