From 9834f0712f97b2f2f04501e7371e3da5b2cd0fc6 Mon Sep 17 00:00:00 2001 From: Alejandro Martinez Andres <11448715+al3mart@users.noreply.github.com> Date: Wed, 18 Dec 2024 11:21:56 +0100 Subject: [PATCH] doc: explicitly mention insecure handling of secrets --- .../securely-sign-transactions-from-cli.md | 17 ++++++++--------- .../securely-sign-transactions-from-cli.md | 15 +++++++-------- 2 files changed, 15 insertions(+), 17 deletions(-) diff --git a/pop-cli-for-appchains/guides/securely-sign-transactions-from-cli.md b/pop-cli-for-appchains/guides/securely-sign-transactions-from-cli.md index 66dcd7c..4c61ed8 100644 --- a/pop-cli-for-appchains/guides/securely-sign-transactions-from-cli.md +++ b/pop-cli-for-appchains/guides/securely-sign-transactions-from-cli.md @@ -5,7 +5,7 @@ to sign the transactions using your browser extension wallet. ## Example Usage For a full guide on calling a chain from Pop CLI, see the [Call a Chain](./call-a-chain.md) guide. -Normally, you would provide `--suri=` to interact with the chain. However, this should only be used for development accounts. +Normally, you would provide `--suri=` to interact with the chain. However, this implies a potentially insecure way of handling private keys and should only be used for development accounts. For production accounts and more secure signing, Pop CLI provides the `--use-wallet` option that you can use. Here is an example of calling a chain using `--use-wallet`: 
@@ -16,11 +16,11 @@ pop call chain --pallet System --function remark --args "0x11" --url ws://localh This will open a signing portal in your browser. Pop CLI will display the following: ```bash ◇ Wallet signing portal started at http://127.0.0.1:9090. -│ -◒ Waiting for signature... Press Ctrl+C to terminate early. +│ +◒ Waiting for signature... Press Ctrl+C to terminate early. ``` -Your browser will open a new tab with the following screen at http://127.0.0.1:9090 (or similar if the port is already in use); +Your browser will open a new tab with the following screen at http://127.0.0.1:9090 (or similar if the port is already in use);

Signing Portal Initial Open

Click on the `Connect Wallet` button to connect your browser extension wallet. @@ -29,7 +29,7 @@ Click on the `Connect Wallet` button to connect your browser extension wallet. After connecting your wallet, you will have the option to choose your account and sign the transaction, and finally see the transaction details for signing.

Transaction Details

-Once ready to sign, pressing the `Sign` button will open your wallet for signature. +Once ready to sign, pressing the `Sign` button will open your wallet for signature. > ⚠️ **It is important to verify transaction details in your wallet before signing.**

Opened Wallet for Signing

@@ -40,11 +40,10 @@ After the signed transaction is received, the portal will send the transaction p ```bash ◆ Signed payload received. -│ +│ ◇ Extrinsic submitted with hash: "0x039076e2760eb1a4d41bf4daf009a0376ba128bd8c51cf365e4a5c5dee07a414" │ ◆ Do you want to perform another call? -│ ○ Yes / ● No -└ +│ ○ Yes / ● No +└ ``` - diff --git a/pop-cli-for-smart-contracts/guides/securely-sign-transactions-from-cli.md b/pop-cli-for-smart-contracts/guides/securely-sign-transactions-from-cli.md index b359bc8..f786481 100644 --- a/pop-cli-for-smart-contracts/guides/securely-sign-transactions-from-cli.md +++ b/pop-cli-for-smart-contracts/guides/securely-sign-transactions-from-cli.md @@ -5,8 +5,8 @@ to sign the transactions using your browser extension wallet. ## Example Usage: Deploying a Contract For a full guide on deploying a contract, see the [Deploy Your Contract Locally](./deploy-your-contract-locally.md) guide. -Normally, you would provide `--suri=` to deploy the contract. However, this should only be used for development accounts. -For production accounts and more secure signing, Pop CLI provides the `--use-wallet` option that you can use to deploy your contract. +Normally, you would provide `--suri=` to interact with the chain. However, this implies a potentially insecure way of handling private keys and should only be used for development accounts. +For production accounts and more secure signing, Pop CLI provides the `--use-wallet` option that you can use. Here is an example of deploying a contract using `--use-wallet`: ```bash 
@@ -16,11 +16,11 @@ pop up contract --constructor new --args false --use-wallet This will open a signing portal in your browser. Pop CLI will display the following: ```bash ◇ Wallet signing portal started at http://127.0.0.1:9090. -│ -◒ Waiting for signature... Press Ctrl+C to terminate early. +│ +◒ Waiting for signature... Press Ctrl+C to terminate early. ``` -Your browser will open a new tab with the following screen at http://127.0.0.1:9090 (or similar if the port is already in use); +Your browser will open a new tab with the following screen at http://127.0.0.1:9090 (or similar if the port is already in use);

Signing Portal Initial Open

Click on the `Connect Wallet` button to connect your browser extension wallet. @@ -36,7 +36,7 @@ If the transaction will fail, the dry-run alert will change: In this case, you can expand the dry-run alert to see the error details. This example shows an error of the account not having enough funds:

Expanded Failing Dry Run

-Once ready to sign, pressing the `Sign` button will open your wallet for signature. +Once ready to sign, pressing the `Sign` button will open your wallet for signature. > ⚠️ **It is important to verify transaction details in your wallet before signing.**

Opened Wallet for Signing

@@ -47,9 +47,8 @@ After the signed transaction is received, the portal will send the transaction p ```bash ◆ Signed payload received. -│ +│ ◇ Contract deployed and instantiated: ● The contract address is "5F1P99TD63qZ9bnoxrK7kuzwMWuU7kKKVJJZoVKBYoVQtQeR" ● The contract code hash is "0x9e4bbfc311f58aaffb63d7570651567d40dd76f301f601a0f0a61f3204d49e5b" ``` -
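Review bot: In pop-cli-for-appchains/guides/securely-sign-transactions-from-cli.md, hunk @@ -5,7 +5,7 @@, the added sentence says `--suri=` "implies a potentially insecure way of handling private keys" but never states what the risk is, so the reader still has to guess why the flag is limited to development accounts. The commit subject promises an explicit mention, so name the exposure directly, for example that the secret URI is typed as a command-line argument and can therefore end up in shell history or be visible in the process list. Replacing "implies" with a plainer verb such as "exposes" would also help.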
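Review bot: In the @@ -16,11 +16,11 @@ hunk of the appchains guide, the removed and added lines (`│`, `◒ Waiting for signature... Press Ctrl+C to terminate early.`, and the "Your browser will open a new tab" sentence) read identically, so the change is whitespace only and unrelated to the commit subject. The same pattern recurs in the later hunks of both files and accounts for most of the 15 insertions and 17 deletions in the diffstat. Move the whitespace cleanup into its own commit, or mention it in the commit message, so the security-relevant wording change is easy to find in history.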
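Review bot: In pop-cli-for-smart-contracts/guides/securely-sign-transactions-from-cli.md, hunk @@ -5,8 +5,8 @@, the replacement lines appear to be copied from the appchains guide and drop the contract context: "to deploy the contract" became "to interact with the chain", and "that you can use to deploy your contract" lost its ending. The section is still titled "Example Usage: Deploying a Contract" and the following line still introduces deploying a contract. Keep the original wording and add only the new clause, e.g. "Normally, you would provide `--suri=` to deploy the contract. However, this implies a potentially insecure way of handling private keys and should only be used for development accounts."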