
cli/genesis: allow operators to provide Comet with a hash of the genesis file to be verified on load  #1303

@jmalicevic

Description


Feature Request

Summary

On load, CometBFT stores the hash of the genesis file in the state database but verifies it against a recomputed hash of the genesis file itself. Operators often get a precomputed hash along with a genesis file. We can provide them with an optional CLI parameter via which they pass this hash for Comet to double check that the genesis file was not corrupted.

Proposal

  • Introducing a new flag, genesis_hash, to be passed via the command line to CometBFT.
  • This flag is optional: it can increase the safety guarantees provided by Comet, but it might be cumbersome for operators to update their existing node boot-up procedures with an extra required flag.
  • If the flag is not provided, we log a warning to the operator.
  • This hash has to be checked against the sha256 hash of the genesis file document itself (after merging PR node: verify genesis doc hash against the file contents rather than remarshalled JSON #1293). If there is a mismatch between the two hashes, the node will not boot.
  • Only when these two match, we store the hash of the genesis file in stateDB for checks further in the future. There should not be a scenario where there has been a hash stored already and it mismatches (a correct) hash provided by the operator. The only scenarios where this is possible are a corrupt initial genesis file or an operator giving the wrong hash. In any case, we have to log the error and not boot.
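The check the proposal describes, written out as an added example in Go (this is not CometBFT's own code): the raw genesis file bytes are hashed with sha256, compared against the optional operator-supplied hash and against any hash already persisted in the state DB, and the node refuses to proceed on a mismatch. The function name, the error value and the `stored` parameter (standing in for the state DB lookup) are assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
)

// ErrGenesisHashMismatch is returned when the operator-provided hash or the
// hash already stored in stateDB disagrees with the file bytes; on this error
// the node must log and refuse to boot. (Assumed name, not CometBFT's.)
var ErrGenesisHashMismatch = errors.New("genesis file hash mismatch")

// VerifyGenesisHash hashes the genesis file bytes as read from disk (not a
// remarshalled JSON form), checks them against the optional --genesis_hash
// flag value (hex) and against the hash previously stored in stateDB (nil if
// none), and returns the hash to persist. Assumed signature for illustration.
func VerifyGenesisHash(genesisBytes []byte, flagHex string, stored []byte) ([]byte, error) {
	sum := sha256.Sum256(genesisBytes)
	computed := sum[:]

	if flagHex == "" {
		// The flag is optional: warn, but do not refuse to boot.
		log.Println("WARNING: --genesis_hash not provided; genesis file not verified against an operator-supplied hash")
	} else {
		want, err := hex.DecodeString(flagHex)
		if err != nil {
			return nil, fmt.Errorf("invalid --genesis_hash value: %w", err)
		}
		if len(want) != sha256.Size {
			return nil, fmt.Errorf("invalid --genesis_hash length: got %d bytes, want %d", len(want), sha256.Size)
		}
		if !bytes.Equal(want, computed) {
			return nil, fmt.Errorf("%w: operator hash %x, file hash %x", ErrGenesisHashMismatch, want, computed)
		}
	}
	// A hash already in stateDB that disagrees with the file means a corrupt
	// genesis file or a wrong operator hash at first boot; either way, stop.
	if stored != nil && !bytes.Equal(stored, computed) {
		return nil, fmt.Errorf("%w: stored hash %x, file hash %x", ErrGenesisHashMismatch, stored, computed)
	}
	return computed, nil
}
```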

Labels

P:storage-optimization (Priority: Give operators greater control over storage and storage optimization), enhancement (New feature or request)
