-
Notifications
You must be signed in to change notification settings - Fork 306
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add a simple message signing and verification page to the explorer #383
base: master
Are you sure you want to change the base?
Conversation
@sagar-a16z is attempting to deploy a commit to the Solana Labs Team on Vercel. A member of the Team first needs to authorize it. |
5e7029e
to
34c1315
Compare
Taking a look today. Thanks for the PR! |
Review from @mcintyre94 offline:
|
Thanks for taking a look!
Might be a while before I have cycles to get to this. If this is a blocker for this I'd appreciate some help. @solana/react is a lot less dev friendly since it doesn't provide much out of the box. I do agree with your points on bloat however. Maybe someone can improve upon this later.
Good call. I used to append some bytes to the signed message to prevent that but removed it at some point. I'll check that the message isn't a BS58 encoded Transaction or a Transaction Message. That should prevent this.
Could you be more specific? I think disabling transaction signing makes this safe but maybe I'm missing something? I'll add a little message just in case. |
I'm basically worried about there being some site that isn't being careful with message signing, that isn't including things like domains or timestamps in the message to sign. Suppose there's some site that just uses "please add my address" as the message to sign. If I can get you to sign that and send me the signature, then I have everything I need to verify as you on that site. It's not obvious to users that a signature can potentially be used like that. |
Ah yes that's a good point. I added a message https://github.com/solana-labs/explorer/pull/383/files#diff-531a904ebfefe89fc7d323072e85a1d1e0a22aea646c9cd0916047dbd063d38bR159 The safest possible thing to do here is to add a pre-fix so that it can't be used anywhere else. |
9e26177
to
52441db
Compare
Added a This prefix is not visible in the webpage but the wallet will display it. |
There doesn't seem to be an easy way to quickly sign a message, verify, and share it. I built https://simple-message-signer.vercel.app/ earlier this year. Source: https://github.com/sagar-a16z/simple-message-signer.
I thought it would be really cool to have this be part of the Solana Explorer. It never stores anything about users or their wallets and also supports rudimentary sharing of messages via url params.