Two independent actions, by design
Because the On-Chain KMS only releases keys to enclaves whose compose hash is whitelisted, shipping a new version takes two actions that cannot be performed by the same step:- Governance — the Safe multisig approves an on-chain transaction adding the new
release’s compose hash to the
DstackAppwhitelist. - Deployment — CI builds and pushes the new image and restarts the CVM.
Who holds the keys
TheDstackApp contract (0x3F91…05FfC)
and the Phala KMS contract are both owned by a Safe multisig
(0xF688…1098)
on Base.
| Property | Value | How to confirm |
|---|---|---|
| Threshold | 2 of 4 signers must approve any change | cast call 0xF688…1098 "getThreshold()(uint256)" --rpc-url https://mainnet.base.org |
| Signers | 4 distinct Lit-controlled keys | cast call 0xF688…1098 "getOwners()(address[])" --rpc-url https://mainnet.base.org |
| Safe version | 1.4.1 | cast call 0xF688…1098 "VERSION()(string)" --rpc-url https://mainnet.base.org |
| Timelock | None — the Safe owns the contracts directly | owner() on the app returns the Safe address, not a timelock |
These values are live on-chain. Always confirm them yourself with the
cast commands
above rather than trusting this page — that is the whole point of attestation.The release flow
Production uses a two-phase Safe workflow: a CI step proposes theaddComposeHash transaction, signers approve it in the Safe UI, and it is then
executed on-chain. The ordering requirement is strict — the whitelist transaction
must be confirmed before the new CVM boots and requests keys, or the KMS rejects
it.
What signers verify before approving
The multisig is only as strong as what its signers check before they sign. A compose hash is just 32 bytes; approving it blindly would defeat the model. Before approving anaddComposeHash transaction, a signer confirms:
- Provenance — the hash corresponds to an image built by GitHub Actions from a
reviewed, merged commit on
LIT-Protocol/chipotle, verifiable via its Sigstore cosign signature in the public Rekor transparency log (see Chain of Trust → Image provenance). - Reproducibility — the compose hash can be recomputed locally from the
digest-pinned
docker-composeand matches the value in the proposed transaction. - Diff review — the change between the currently-whitelisted release and the new one has been reviewed.
Rollback
To roll back, redeploy a previous image whose compose hash is still whitelisted — no governance action is required, because old hashes are not removed automatically. To forbid a version (e.g. one found to be vulnerable), the multisig removes its compose hash fromDstackApp with removeComposeHash, another 2-of-4 action. See
Incident Response
for compromise and emergency-revocation scenarios.
Self-hosting: govern releases on your own terms
If you self-host Lit Chipotle, you own the governance, not Lit. You deploy your ownDstackApp contract and point its owner at your own Safe (or wallet, timelock,
or DAO). That means:
- You approve every release. Lit publishing a new version does not change what your enclave runs. A new compose hash only takes effect in your deployment when your signers whitelist it.
- On your own timeline. You can pin a reviewed compose hash indefinitely, audit a new Lit release at your own pace, and whitelist it only when you are satisfied — there is no forced upgrade.
- With your own controls. Want a mandatory review delay? Put a timelock in front of your Safe. Want a higher quorum or different signers? Configure your own threshold. The hosted service runs a 2-of-4 Safe with no timelock; your deployment can be as conservative as your compliance posture requires.
What’s next
On-Chain KMS
The contracts that gate key release, and how to confirm the multisig owns them.
What Is Attestation?
The plain-English foundation: what the enclave proves and why it’s trustworthy.
Self-Hosting
Run and govern your own deployment, approving releases on your own timeline.
Full Verification Guide
Walk the on-chain governance Safe and verify every layer yourself.