AmeanAsad · AmeanAsad · Jun 10, 2025
diff --git a/crates/miden-proving-service-client/Cargo.toml b/crates/miden-proving-service-client/Cargo.toml
@@ -26,13 +26,14 @@ tonic = { version = "0.12", default-features = false, features = ["prost", "code
 getrandom = { version = "0.3", features = ["wasm_js"] }
 
 [target.'cfg(not(all(target_arch = "wasm32", target_os = "unknown")))'.dependencies]
-tonic = { version = "0.12", default-features = false, features = ["prost", "codegen", "transport"] }
+tonic = { version = "0.12", default-features = false, features = ["prost", "codegen", "transport", "tls","tls-roots"] }
 tonic-web = { version = "0.12", optional = true }
 
 [dependencies]
 async-trait = "0.1"
 miden-objects = { workspace = true, default-features = false, optional = true }
 miden-tx = { workspace = true, default-features = false, optional = true }
+lunal-attestation = { git = "https://github.com/lunal-dot-dev/attestation-rs.git" }
 prost = { version = "0.13", default-features = false, features = ["derive"] }
 thiserror = "2.0"
 tokio = { version = "1.44", default-features = false, features = ["sync"], optional = true }
@@ -43,4 +44,3 @@ prost = { version = "0.13", default-features = false, features = ["derive"] }
 prost-build = { version = "0.13" }
 protox = { version = "0.7" }
 tonic-build = { version = "0.12" }
-
diff --git a/crates/miden-proving-service-client/src/proving_service/tx_prover.rs b/crates/miden-proving-service-client/src/proving_service/tx_prover.rs
@@ -4,6 +4,7 @@ use alloc::{
     sync::Arc,
 };
 
+use lunal_attestation::verify::verify_attestation;
 use miden_objects::{
     transaction::{ProvenTransaction, TransactionWitness},
     utils::{Deserializable, DeserializationError, Serializable},
@@ -66,8 +67,19 @@ impl RemoteTransactionProver {
         };
 
         #[cfg(not(target_arch = "wasm32"))]
+        use tonic::transport::Endpoint;
+        let mut endpoint = Endpoint::from_shared(self.endpoint.clone())
+            .map_err(|_| RemoteProverError::ConnectionFailed(self.endpoint.to_string()))?;
+
+        // enable TLS for HTTPs endpoints
+        if self.endpoint.starts_with("https://") {
+            endpoint = endpoint
+                .tls_config(tonic::transport::ClientTlsConfig::new().with_native_roots())
+                .map_err(|e| RemoteProverError::ConnectionFailed(e.to_string()))?;
+        }
+
         let new_client = {
-            ApiClient::connect(self.endpoint.clone())
+            ApiClient::connect(endpoint)
                 .await
                 .map_err(|_| RemoteProverError::ConnectionFailed(self.endpoint.to_string()))?
         };
@@ -103,6 +115,17 @@ impl TransactionProver for RemoteTransactionProver {
             TransactionProverError::other_with_source("failed to prove transaction", err)
         })?;
 
+        // Extract the attestation report from metadata
+        if let Some(attestation_value) = response.metadata().get("Attestation-Report") {
+            // Verify the attestation
+            verify_attestation(attestation_value.to_str()).await.map_err(|err| {
+                TransactionProverError::other_with_source(
+                    "failed to verify transaction attestation",
+                    err,
+                )
+            })?;
+        }
+
         // Deserialize the response bytes back into a ProvenTransaction.
         let proven_transaction =
             ProvenTransaction::try_from(response.into_inner()).map_err(|_| {