Status-react: Add personal message sign support
User Story
As a Dapp's developer, I want to sign messages in Status.
Description
Some things have changed with signing data in Ethereum.
The methods personal_sign and its partner, personal_ecRecoverhave replaced the previous signature methods, eth_sign and eth_recover. That’s because the previous methods signed raw data unmodified, making it vulnerable to chosen ciphertext attacks, as well as potentially signing transactions you didn’t intend to. You can read more about the reasoning behind this change on the go-ethereum repository.
In order for many DApps to work, and to work securely in Status, we need to support these different signing methods. Further links are given below and in the comments.
https://github.com/MetaMask/metamask-extension/pull/1149
Type: Feature
flexsurfer
All 12 comments
Looks like it is implemented by latest web3
jeluard
on 13 Dec 2017
See also some example usage
jeluard
on 13 Dec 2017
Needed for CryptoKitties
pablanopete
on 9 Feb 2018
Balance: 0 ETH
Tokens: SNT: 4500.00
Contract address: 0xb3bf7f041757997f33c15565c7d225b048ff4606
Network: Mainnet
Paid to: andytudhope
Visit https://openbounty.status.im to learn more.
status-open-bounty
on 2 Apr 2018
@flexsurfer we have web3.personal.sign support which is exactly that personal_sign. Does that mean, that we need to provide a signal from the Go side for Status to show a password dialog, just like with transactions?
mandrigin
on 4 Apr 2018
@mandrigin yeah i think so, do you need a password for this function?
flexsurfer
on 4 Apr 2018
@mandrigin Maybe we could think about making this mechanism more generic? Are there any other call that would require authentication?
jeluard
on 4 Apr 2018
@jeluard emm... signing a transaction? 😅
mandrigin
on 4 Apr 2018
@flexsurfer it assumes that the account is locked, as I can see https://ethereum.stackexchange.com/a/25610
Which function should be used to sign message locally? Which function is the most secure?
mandrigin
on 4 Apr 2018
:D I was thinking maybe https://github.com/ethereum/wiki/wiki/JavaScript-API#web3ethcall and potentially others might fit this scenario.
Also maybe an opportunity to think how we could offer alternative authentication methods (fingerprint, face recognition, ..)
GitHub
wiki - The Ethereum Wiki -
jeluard
on 4 Apr 2018
@jeluard as I understand, at the moment, when a TX is created, we (status-go) give you (status-react) a notification, then you show a dialogue and call our completeTransaction API with a password to unlock the account.
I can see how the same mechanics can be made more generic to support other types of methods that require a signature.
mandrigin
on 4 Apr 2018
I got a branch with the implementation (https://github.com/status-im/status-go/tree/igorm/implement-personal-sign).
It has API changes.
1) Method renames:
CompleteTransactionbecomesApproveSignRequestDiscardTransactionbecomesDiscardSignRequest
2) Signal changes
transaction.queued→ sign-request.queued
transaction.failed→ sign-request.failed
3) Signal logic changes
When any of personal_sign or eth_sendTransaction is called, sign-request.queued will come. It's args will contain either Tx metadata (like before) or account and data to sign for personal_sign.
So both personal_sign and eth_sendTransaction should call ApproveSignRequest to proceed.
status-go - The Status module that consumes go-ethereum
mandrigin
on 11 Apr 2018
Related issues
rachelhamlin
·
49Comments
churik
·
52Comments
jeluard
·
45Comments
jakubgs
·
44Comments
flexsurfer
·
42Comments
Most helpful comment
@jeluard as I understand, at the moment, when a TX is created, we (status-go) give you (status-react) a notification, then you show a dialogue and call our
completeTransactionAPI with a password to unlock the account.I can see how the same mechanics can be made more generic to support other types of methods that require a signature.