go/registry: Fix node sanity checks

.changelog/3660.breaking.md

@@ -0,0 +1 @@
+go/registry: Fix node sanity checks

go/consensus/tendermint/apps/supplementarysanity/checks.go

@@ -67,7 +67,7 @@ func checkRegistry(ctx *abciAPI.Context, now epochtime.EpochTime) error {
 	if err != nil {
 		return fmt.Errorf("SignedNodes: %w", err)
 	}
-	_, err = registry.SanityCheckNodes(logger, params, signedNodes, seenEntities, runtimeLookup, false, now)
+	_, err = registry.SanityCheckNodes(logger, params, signedNodes, seenEntities, runtimeLookup, false, now, ctx.Now())
 	if err != nil {
 		return fmt.Errorf("SanityCheckNodes: %w", err)
 	}

go/genesis/api/sanity_check.go

@@ -30,7 +30,7 @@ func (d *Document) SanityCheck() error {
 	}
 	epoch := d.EpochTime.GetInitialEpoch(d.Height)
 
-	if err := d.Registry.SanityCheck(epoch, d.Staking.Ledger, d.Staking.Parameters.Thresholds, pkBlacklist); err != nil {
+	if err := d.Registry.SanityCheck(d.Time, epoch, d.Staking.Ledger, d.Staking.Parameters.Thresholds, pkBlacklist); err != nil {
 		return err
 	}
 	if err := d.RootHash.SanityCheck(); err != nil {

go/registry/api/api.go

@@ -475,26 +475,32 @@ func VerifyRegisterNodeArgs( // nolint: gocyclo
 	}
 	expectedSigners = append(expectedSigners, n.ID)
 	if !inEntityNodeList {
-		// Entity signing node registrations is feature-gated by a consensus
-		// parameter, and a per-entity configuration option.
-		if !params.DebugAllowEntitySignedNodeRegistration || !entity.AllowEntitySignedNodes {
-			logger.Error("RegisterNode: registration likely signed by entity",
-				"signed_node", sigNode,
-				"node", n,
-			)
-			return nil, nil, fmt.Errorf("%w: registration likely signed by entity", ErrInvalidArgument)
-		}
-
 		// If we are using entity signing, descriptors will also be signed
 		// by the entity signing key.
-		if !sigNode.MultiSigned.IsSignedBy(entity.ID) {
+		if sigNode.MultiSigned.IsSignedBy(entity.ID) {
+			// Entity signing node registrations is feature-gated by a consensus
+			// parameter, and a per-entity configuration option.
+			//
+			// Ignore the per-entity option during sanity checks as the entity
+			// could have been modified (unless this is during genesis).
+			if !params.DebugAllowEntitySignedNodeRegistration || (!entity.AllowEntitySignedNodes && (!isSanityCheck || isGenesis)) {
+				logger.Error("RegisterNode: registration signed by entity",
+					"signed_node", sigNode,
+					"node", n,
+				)
+				return nil, nil, fmt.Errorf("%w: registration signed by entity", ErrInvalidArgument)
+			}
+
+			expectedSigners = append(expectedSigners, entity.ID)
+		}
+
+		if !isSanityCheck {
 			logger.Error("RegisterNode: registration not signed by entity",
 				"signed_node", sigNode,
 				"node", n,
 			)
 			return nil, nil, fmt.Errorf("%w: registration not signed by entity", ErrInvalidArgument)
 		}
-		expectedSigners = append(expectedSigners, entity.ID)
 	}
 
 	// Expired registrations are allowed here because this routine is abused

go/registry/api/sanity_check.go

@@ -18,6 +18,7 @@ import (
 
 // SanityCheck does basic sanity checking on the genesis state.
 func (g *Genesis) SanityCheck(
+	now time.Time,
 	baseEpoch epochtime.EpochTime,
 	stakeLedger map[staking.Address]*staking.Account,
 	stakeThresholds map[staking.ThresholdKind]quantity.Quantity,
@@ -47,7 +48,7 @@ func (g *Genesis) SanityCheck(
 	}
 
 	// Check nodes.
-	nodeLookup, err := SanityCheckNodes(logger, &g.Parameters, g.Nodes, seenEntities, runtimesLookup, true, baseEpoch)
+	nodeLookup, err := SanityCheckNodes(logger, &g.Parameters, g.Nodes, seenEntities, runtimesLookup, true, baseEpoch, now)
 	if err != nil {
 		return err
 	}
@@ -157,6 +158,7 @@ func SanityCheckNodes(
 	runtimesLookup RuntimeLookup,
 	isGenesis bool,
 	epoch epochtime.EpochTime,
+	now time.Time,
 ) (NodeLookup, error) { // nolint: gocyclo
 
 	nodeLookup := &sanityCheckNodeLookup{
@@ -184,7 +186,7 @@ func SanityCheckNodes(
 			logger,
 			signedNode,
 			entity,
-			time.Now(),
+			now,
 			isGenesis,
 			true,
 			epoch,