-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Get frames signing in V3 #320
base: main
Are you sure you want to change the base?
Conversation
…roid into np/remove-v2-client
private suspend fun signDigest(digest: ByteArray): Signature { | ||
val signedPrivateKey = xmtpClient.keys.identityKey | ||
val privateKey = PrivateKeyBuilder.buildFromSignedPrivateKey(signedPrivateKey) | ||
return PrivateKeyBuilder(privateKey).sign(digest) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since there is no more key bundles how might we do the signing in V3? @neekolas
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We would need to sign with the installation keys (and include the pub key in the payload so it could be verified since installation key signatures are not recoverable without the pub key).
This does change how the verification works. The verifier would need to pull down the identity update history for the right inbox ID to make sure the public key is registered.
That’s going to require some work on the Node SDK side, since the verifier isn’t necessarily a full client with a database. We would want some static methods to help support workflows like this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For security reasons we are going to want a different context/label on the Frames signatures than what we use for messages or identity updates. That’ll help prevent replays.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds like there might be some libxmtp work here. Probably makes sense to write up a tech doc or something. @mchenani this might be a great next task for you if you're up for it.
We need a way to sign in V3