How to verify signature after signMessage()?

[qrtp]

Hi, this library has been great to connect a wallet and sign a message using the provided hooks. However, once I receive back a signed message I need to verify it. I cannot find any typescript examples on how to accomplish the verification that signature matches the expected address and message payload.

For example, I have this callback to run after user provides signature. How would I go about validating the signature? I will want to verify also on a backend server once it is sent there.

  const expectedAddress = "<a wallet address>";
  const messageText = "some message to sign";

  // signature success handler
  const onSignatureSuccess = async (signature: string, key?: string) => {
     console.log(`signature success, key=${key}, signature=${signature}`);

     // verify the signature and key originate from expected Cardano address
    if (!verifySignature(signature, key)) {
        throw new Error("invalid signature");
    }
  };

  const verifySignature = (signature: string, key?: string): boolean => {
      // how to verify these correspond to messageText and expectedAddress?
  }

[fabianbormann]

Hi @qrtp,

typically you would send a request with that signature and key in a post body to your backend to check there if the public key (stake address) owner really signed that message.

If you want to run your backend based on typescript/javascript I would suggest the cardano-serialization-lib to fulfill that task. Here is an stackexchange question+answer that shows it's usage.

I think you need to adjust this solution a little bit, because the old nami wallet api held the key in the header part of the encoded signature. So you don't need to extract the key from the header anymore because since cip30 the key and signature is provided separately.

Please let me know if this solution works for you. 😊

[qrtp]

Thanks for the response! I did come across that post, and it seems like a very complicated method to go about verifying a signature. The cardano-serialization-lib import is a little rough also, given that our project has strict typescript requirements.

I am not a Cardano expert, so feel like I'm starting to chew glass a bit learning the details. The goal for this project is to allow our users to verify ownership of a Cardano address by signing a message and attaching it as metadata to their on-chain domain. I've done this for several other chains (Ethereum, Polygon, Solana, Hedera) and there's been a simple sign(message) and verify(address, signature) method pair in each case. Perhaps it won't be so straight forward for this integration?

FWIW the project is to potentially add Cardano NFT support to the Unstoppable Domains profile page. Here's an example showing my domain aaronquirk.x with Solana and Polygon NFTs. However, the first step will of course to verify ownership of the address.

[fabianbormann]

I will try to come up with a more lightweight typescript solution in the next days. Tomorrow I will discuss it with the team because I think we should add an extra lib for the verification to keep the server-side import light and simple.

[qrtp]

Thank you so much, @fabianbormann. I think this will be a great help to the community in general. I'm super excited to start adding Cardano features for our users. Cross chain is the way ❤️

[fabianbormann]

Hey @qrtp, please checkout this solution. It's based on the @stricahq libs. They wrote really cool libraries (so many kudos to you if you read this guys!). I just committed the code with my account but tomorrow I will transfer it into the cardano-foundation namespace and also add the build pipeline (so there is no npm public package now but you can still copy the code snippet if it's urgent) 😊

[qrtp]

Fantastic! I will try it today and let you know how it goes. Thanks!

[qrtp]

Followup. Thank you, the code verifies the signature as expected! However, the address associated with the key is a stake address. How can I verify an address to receive payments (e.g. the one the user has given us) is associated with the stake address used to sign?

Example:

• Address to receive payments: addr1qxytm5f2y5x2yjw3fx60musegxxcvst8m8ck7lv0l0mfd4t8uh26h6gx5mzrjhs59kc03d8h5ga9a6ul4ptvve566vssmff09g
• Stake address used to sign: stake1u9n7t4dtayr2d3petc2zmv8cknm6ywj7aw06s4kxv6ddxgg7whfns

How do I verify the stake address is associated with the receive address above?

[fabianbormann]

Hey @qrtp, you can also do this with @stricahq/typhonjs. The stake credential is part of the address (as long as it's not an enterprise address: https://docs.cardano.org/learn/cardano-addresses)

import { utils, address } from '@stricahq/typhonjs';
...

test('test if a payment address belongs to a stake key', async () => {
    const paymentAddress = utils.getAddressFromBech32(
      "addr1qxytm5f2y5x2yjw3fx60musegxxcvst8m8ck7lv0l0mfd4t8uh26h6gx5mzrjhs59kc03d8h5ga9a6ul4ptvve566vssmff09g"
    ) as BaseAddress;

    const rewardAddressMainnet = new address.RewardAddress(1, paymentAddress.stakeCredential).getBech32();

    expect(rewardAddressMainnet).toBe('stake1u9n7t4dtayr2d3petc2zmv8cknm6ywj7aw06s4kxv6ddxgg7whfns'); // true
});

[fabianbormann]

Meanwhile I relocated the repository to https://github.com/cardano-foundation/cardano-verify-datasignature as the build pipeline does now exists you can just install the package npm i @cardano-foundation/cardano-verify-datasignature:

const verifyDataSignature = require('@cardano-foundation/cardano-verify-datasignature');

const key = 'a4010103272006215820b89526fd6bf4ba737c55ea90670d16a27f8de6cc1982349b3b676705a2f420c6';
const signature = '84582aa201276761646472657373581de118987c1612069d4080a0eb247820cb987fea81bddeaafdd41f996281a166686173686564f458264175677573746120416461204b696e672c20436f756e74657373206f66204c6f76656c61636558401712458b19f606b322982f6290c78529a235b56c0f1cec4f24b12a8660b40cd37f4c5440a465754089c462ed4b0d613bffaee3d1833516569fda4852f42a4a0f';

console.log(verifyDataSignature(signature, key));

[fabianbormann]

With the lastest release (1.0.4) of cardano-verify-datasignature you can just use:

const verifyDataSignature = require('@cardano-foundation/cardano-verify-datasignature');

const key = '...';
const signature = '...';
const message = 'plain message or undefined';
const address = 'addr1qxytm5f2y5x2yjw3fx60musegxxcvst8m8ck7lv0l0mfd4t8uh26h6gx5mzrjhs59kc03d8h5ga9a6ul4ptvve566vssmff09g';

console.log(verifyDataSignature(signature, key, message, address));

Have a nice day and please contact me again if you have any question 😊

[qrtp]

Works like a charm. Being able to pass the payment address during verification is a game changer. This capability will be very helpful to the community.