Set Sui package manifest to pass source verification

[unmaykr-aftermath]

Update the Sui package manifest (Move.toml) so that it passes source verification against the package published on Sui's testnet.

This ensures that downstream Sui Move packages that have this version of the Wormhole package as a dependency can verify that exact same code is published on the Sui Testnet via sui client verify-source --skip-source --verify-deps.

Instructions for verifying the source code have been added to the README.

If the PR is approved, it would be nice to tag the resulting commit so that other Sui Move packages can declare this as a dependency as follows.

[dependencies.Wormhole]
git = "https://github.com/wormhole-foundation/wormhole.git"
subdir = "sui/wormhole"
rev = "<tag-name>"

I have ensured that the package still builds and tests pass:

sui move build
sui move test

[evan-gray]

Source verification seems like a positive step, but I'd want to make sure all of these fields are set correctly. There was also recent work on updating the dependencies in #3803 so perhaps this could be revisited after that is merged and the sui/mainnet and sui/testnet branches are updated similarly.

Testing branches for those are here:
https://github.com/wormhole-foundation/wormhole/tree/sui-upgrade-mainnet
https://github.com/wormhole-foundation/wormhole/tree/sui-upgrade-testnet

[evan-gray]

might be best to keep these dependencies pinned to a commit hash

[unmaykr-aftermath]

We have to take into account that Sui (along with MoveStdlib at "0x1"
AFAIK) is a special package which can be upgraded onchain 'in-place'
(unlike regular Move package upgrades on Sui that in effect create a new
package with a new address.)

The advantage of using framework/testnet is that the compiler will
automatically fetch the Sui package that's currently on testnet, hence
source verification will succeed.

$ sui client verify-source --verify-deps
UPDATING GIT DEPENDENCY https://github.com/MystenLabs/sui.git
INCLUDING DEPENDENCY Sui
INCLUDING DEPENDENCY MoveStdlib
BUILDING Wormhole
// ...
Source verification succeeded!

However, let's say we published the package in the past and set Sui
to testnet-v1.17.1 in the manifest. Verification could fail in the
future to to upgrades to the Sui package.

$ sui client verify-source --verify-deps
FETCHING GIT DEPENDENCY https://github.com/MystenLabs/sui.git
INCLUDING DEPENDENCY Sui
INCLUDING DEPENDENCY MoveStdlib
BUILDING Wormhole
// ...
Multiple source verification errors found:

- Local dependency did not match its on-chain version at 0000000000000000000000000000000000000000000000000000000000000002::Sui::bls12381
- Local version of dependency 0000000000000000000000000000000000000000000000000000000000000002::group_ops was not found.

For all other packages, it definitely makes sense to pin them to a
commit/tag.

[evan-gray]

The address I see in the testnet branch is 0xf47329f4344f3bf0f8e436e2f7b485466cff300f12a166563995d3888c296a94

[unmaykr-aftermath]

That's interesting. Indeed, I changed published-at and wormhole to
0xf47329f4344f3bf0f8e436e2f7b485466cff300f12a166563995d3888c296a94
in Move.toml and source verification passed too. Begs the question of
why there are two different deployments with the exact same source code.

In fact, at Aftermath we've been using 0xcc029e2810f17f9f43f52262f40026a71fbdca40ed3803ad2884994361910b7e
to verify Wormhole messages (and there's more activity in the contract
than just ours looking at the txs.)

Would be good to clarify what's the official version.

[evan-gray]

Is this only for testnet and not mainnet?

[unmaykr-aftermath]

No, the procedure is general whether you're verifying mainnet or testnet code. But ofc, if one checked-out the testnet branch, a testnet RPC should be used. I may update the description here to be more general