Skip to content

feat(hive): HiveSignMessage — Keychain signBuffer, unblocks dApp login (rc10)#308

Merged
BitHighlander merged 4 commits into
developfrom
feat/hive-sign-message
Jul 15, 2026
Merged

feat(hive): HiveSignMessage — Keychain signBuffer, unblocks dApp login (rc10)#308
BitHighlander merged 4 commits into
developfrom
feat/hive-sign-message

Conversation

@BitHighlander

Copy link
Copy Markdown
Owner

Re-targeted to develop for the rc10 merge (original #306 auto-closed when its stacked base branch fix/hive-sign-hardening was deleted on merge of #305). Same content, head cbf33967c (includes the clang-format lint fix). Full review is in #306; stack CI verified green on the combined tip via the mirror branch.

…ks dApp login

Digest is SHA256(raw message bytes) ONLY — no chain_id prepend, no
message prefix (the hive-js Signature.signBuffer contract every Hive
dApp verifies against). Output: 65-byte compact recoverable sig
(27+recid+4) + the 33-byte compressed pubkey so the host can build
Keychain's publicKey response field without a second round-trip.

- Full SLIP-48 path shape enforced like the tx handlers; any of the
  four roles may sign (dApp login uses posting')
- Messages beginning with the mainnet chain id are refused: such a
  buffer would hash to a broadcastable TRANSACTION digest
  (tx digest = SHA256(chain_id || tx))
- 1024-byte cap in proto AND handler (memo-length lesson)
- Printable text shown as-is, other payloads as a hex preview
- hive_sign_raw_digest factored out of hive_sign_digest (shared
  header/recid logic, no duplication)
- IDs 1610-1613 skipped: NEAR holds them on device-protocol master
- pyk: sign_message + 7 signBuffer tests (recovery, roles, boundary,
  oversize, path fence, chain-id collision)
…ffer

Finding 1: printable text over 128 bytes now routes through the hex
preview + byte count instead of confirm()'s silently-truncating body
buffer (BODY_CHAR_MAX) — a long message could otherwise show a benign
prefix while the device signs hidden trailing content. Same budget as
SolanaSignMessage.

Finding 2: owner' removed from the accepted signBuffer roles. Keychain's
requestSignBuffer surface is Posting | Active | Memo only; no consumer
offers owner', and the cold owner key must not be normalized into dApp
flows.

Also: comment now says printable ASCII (0x20-0x7e), not UTF-8.
Pins: device-protocol a793934 (role doc), python-keepkey ed8cbdf
(19/19 on emulator incl. new >128B printable boundary + owner' reject).
@BitHighlander BitHighlander merged commit 09304df into develop Jul 15, 2026
4 checks passed
@BitHighlander BitHighlander deleted the feat/hive-sign-message branch July 15, 2026 19:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant