Verifying the public key
Overview
When a user or canister receives a response from ICP, that response will have a certificate that validates the response has not been altered or changed. This certificate is signed by the root of trust, which is the ICP root public key. This public key can be used to additionally verify that a user or canister is interacting with a version of ICP that has not been tampered with, verifying that the response's certificate is valid.
Local
In a local canister execution environment, the key can be fetched via the /api/v2/status
endpoint.
Mainnet
On the mainnet, you can use agent-js or agent-rs to fetch the public key, as these agents have the root key hard-coded.
Verifying the public key
Once you have obtained the public key, you can validate it is correct by using dfx
to ping the network you're using, such as:
dfx ping ic // mainnet
dfx ping local // local canister execution
This ping command will return the public root key of the network specified:
{
"ic_api_version": "0.18.0" "replica_health_status": "healthy" "root_key": [48, 129, 130, 48, 29, 6, 13, 43, 6, 1, 4, 1, 130, 220, 124, 5, 3, 1, 2, 1, 6, 12, 43, 6, 1, 4, 1, 130, 220, 124, 5, 3, 2, 1, 3, 97, 0, 129, 76, 14, 110, 199, 31, 171, 88, 59, 8, 189, 129, 55, 60, 37, 92, 60, 55, 27, 46, 132, 134, 60, 152, 164, 241, 224, 139, 116, 35, 93, 20, 251, 93, 156, 12, 213, 70, 217, 104, 95, 145, 58, 12, 11, 44, 197, 52, 21, 131, 191, 75, 67, 146, 228, 103, 219, 150, 214, 91, 155, 180, 203, 113, 113, 18, 248, 71, 46, 13, 90, 77, 20, 80, 95, 253, 116, 132, 176, 18, 145, 9, 28, 95, 135, 185, 136, 131, 70, 63, 152, 9, 26, 11, 170, 174]
}