add recovery bit to allow restoring the public key #137
Conversation
nikgraf
added this to the
Phase 1: Developers can build an app using private data milestone
nikgraf
force-pushed
the
ng/use-recovery-bit
branch
from
356e1b9 to
9ed05ce
Compare
| accountId: author.accountId, | ||
| publicKey: author.signaturePublicKey, | ||
| signature, | ||
| signature: signatureResult.toCompactHex(), |
There was a problem hiding this comment.
What do you think of grouping the hex part and recovery of the signature in a SignatureWithRecovery type like I did here? https://github.com/graphprotocol/hypergraph/pull/135/files#diff-46bf560b871193fa360550e8a148fcf76963723d89bd6252c4cfc4e729d9704eR5-R15
There was a problem hiding this comment.
yeah, sounds good. Will update the PR
btw our addresses use 0x as prefix to indicate hex, but signatures don't. Should we add it for consistency or is it only relevant for addresses? What's the default in the Ethereum eco-system?
There was a problem hiding this comment.
Good question, I think it would be good to standardize and use the 0x prefix in any hex strings, so yeah that'd include signatures. Most (if not all) ethereum tooling uses that everywhere.
| signatureInstance = signatureInstance.addRecoveryBit(event.author.recovery); | ||
| const authorPublicKey = signatureInstance.recoverPublicKey(sha256(encodedTransaction)); | ||
|
|
||
| const isValidSignature = secp256k1.verify(event.author.signature, encodedTransaction, authorPublicKey.toRawBytes(), { |
There was a problem hiding this comment.
Actually, one more thing - I think this might not be necessary, as recoverPublicKey essentially verifies the signature too (it will only give the correct public key if the corresponding private key signed that message)
There was a problem hiding this comment.
This might even be redundant, because the public key is recovered from the signature, so it will probably always be valid - I think we should instead validate that the public key is a valid signing key for the author's accountId
There was a problem hiding this comment.
Yeah, as a next step we ned to retrieve the publicKey from the author and pass it in. At the moment afaik I need to reconstruct it, since it's a required argument for the verify function.
There was a problem hiding this comment.
What I mean is we don't need to call the verify function. Once you retrieve the author's public key and compare it to the one you recovered, you have essentially verified the signature
There was a problem hiding this comment.
added an issue for it: #138
2 participants
Uh oh!
There was an error while loading. Please reload this page.