Description
I've tried six signing functions mentioned in the docs, but none of them provide functionality to sign arbitrary messages of arbitrary length.
signMessage requires data to be structured in a JSON object of TypedData type with message limited to 76 chars.
signRaw requires data to be a hash (no more than 65 hex chars).
signTransaction, signDeployAccountTransaction, signDeclareTransaction, ec.starkCurve.sign don't allow arbitrary messages.
Why not sign a hash of an arbitrary message?
A workaround for this limitation is to hash a message and then sign that hash. However, this is a bad security practice because a malicious website can show a legit message to a user in the UI, but then push a malicious hash that corresponds to a malicious message to a signing app (browser extension). In other words, it will be easy to replace a hash, and signing an unknown hash is, obviously, a very bad practice.
Such an architecture will require each signing app to implement additional security checks, like requiring the original message to be provided before prompting a user to sign its hash. However, such an approach has its own downsides. Firstly, there are some legit use cases for simply signing a hash without revealing the original message. Secondly, unnecessarily increasing the basic list of required security features leads to more centralization and locks users in to a few of the most trusted vendors.
Signing arbitrary messages on Ethereum apps
It's a common practice in the Ethereum ecosystem to sign arbitrary messages, which has been used for many years, and leading npm libraries like ethers.js provide that API.
Signing arbitrary messages for Spasm
Spasm is the most advanced protocol in the decentralized social media space due to its agnostic and highly modular architecture that supports multiple private keys and different message formats (JSON objects). Think of Nostr, but one generation above, because users can sign messages with different keys and propagate events to different networks. At the moment, Spasm supports Ethereum and Nostr private keys only, but I'm thinking about introducing other communities to the Spasm ecosystem this year and the Starknet community looks interesting since it has a similar agnostic vision and tries to expand to new chains with the push for OP_CAT and bitcoin covenants.
Spasm already supports Spasm, DMP, Nostr, and RSS events, so I can, technically, hack the current limitation by signing a hash of a message and creating a new JSON object format specifically for a Starknet event that will hold an original message and its hash with a corresponding signature, but it's highly preferred to directly sign a Spasm event as an arbitrary message with a Starknet private key.
Unlocking the Spasm ecosystem for the Starknet community will allow users to sign all messages in a truly web3 way on Spasm-powered forums and other Spasm-compatible apps, providing a censorship-resistant alternative to centralized web2 platforms (Twitter, Discord, Telegram, Reddit, Hackquest, Luma). Starknet community leaders will be able to self-host forums for various events, hackathons, local Starknet discussions, and optionally federate with each other, creating a Starknet-focused social media network with the most upvoted posts eventually popping up on the main Starknet forum, similar to how the most upvoted posts from various subreddits are shown on the main Reddit page.
Users will also be able to multi-sign messages and push them to the Nostr network, which is very popular among bitcoiners, essentially creating a bridge for communication between Ethereum and Bitcoin communities.
Let me know what you think about adding support for arbitrary message signing.