Skip to content

fix(realunit): forward the signed name/address variant to Aktionariat#3839

Merged
TaprootFreak merged 3 commits into
developfrom
fix/realunit-aktionariat-signed-variant
Jun 8, 2026
Merged

fix(realunit): forward the signed name/address variant to Aktionariat#3839
TaprootFreak merged 3 commits into
developfrom
fix/realunit-aktionariat-signed-variant

Conversation

@TaprootFreak

@TaprootFreak TaprootFreak commented Jun 8, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Summary

  • Aktionariat re-verifies the EIP-712 registration signature against the payload we POST and updates its record from it. The wallet signs either the raw UTF-8 fields (legacy software wallets, still accepted by fix(realunit): accept BitBox-safe ASCII transliterations in registration #3709's verify) or the BitBox-safe ASCII transliteration (current app; a BitBox cannot sign non-ASCII bytes).
  • forwardRegistration always sent the stored UTF-8 fields. For an ASCII-signed registration, Aktionariat then recovers a different address and rejects with Invalid signature, leaving the KYC step in MANUAL_REVIEW.
  • Fix: resolve which representation the signature verifies against (raw vs ASCII) and forward exactly that. The UTF-8 originals stay on user_data for PDF/mail.

Why not "always transliterate to ASCII"

That simpler variant would regress legacy wallets that signed the raw UTF-8 fields (umlaut names): forwarding ASCII would no longer match their UTF-8 signature → Invalid signature. verifyRealUnitRegistrationSignature accepts both representations (#3709), so the forward must preserve both. This change forwards the matched variant, so legacy UTF-8 signers and current ASCII/BitBox signers both keep working.

Changes

  • verifyRealUnitRegistrationSignature → thin wrapper over a new resolveSignedRegistrationMessage, which returns the exact signed field set (raw or ASCII) or undefined. Behaviorally identical to the previous two-attempt boolean.
  • forwardRegistration builds the Aktionariat payload from the resolved (signed) variant. Field set, types and excluded kycData unchanged. No schema/migration changes.

Test plan

  • Real EIP-712 signatures over synthetic umlaut fixtures: forwarded payload equals the signed variant AND verifies against the signature (exactly Aktionariat's check).
  • Regression guard: legacy UTF-8 signer → forwarded fields stay UTF-8.
  • Current-app ASCII signer (dto stores UTF-8) → forwarded fields ASCII.
  • Software-wallet → hardware-wallet (ASCII-only) case.
  • lint, format:check, build, full test suite green locally; independent regression review = NO_REGRESSION.

Operational note

Registrations stuck in MANUAL_REVIEW for this reason can be drained after deploy via the existing admin re-forward endpoint.

@TaprootFreak
fix(realunit): forward the signed name/address variant to Aktionariat
6ba16e7 
Aktionariat re-verifies the EIP-712 registration signature against the
payload we POST. Wallets sign either the raw UTF-8 fields (legacy
software wallets) or the BitBox-safe ASCII transliteration (current app;
a BitBox cannot sign non-ASCII bytes), but forwardRegistration always
sent the stored UTF-8 fields. ASCII-signed registrations were therefore
recovered to a different address and rejected with "Invalid signature",
leaving the step in MANUAL_REVIEW.

Resolve which variant the signature verifies against and forward exactly
those bytes. The UTF-8 originals stay on user_data for PDF/mail. This
also unblocks the software-wallet -> hardware-wallet migration path,
since both wallet types can produce the ASCII variant.
@TaprootFreak
refactor(realunit): minimize the Aktionariat forward fix
d4ae93a 
Drop the verify refactor and keep only the behavioral change: transliterate
the free-text fields to BitBox-safe ASCII in forwardRegistration so the
payload matches the signed bytes. verifyRealUnitRegistrationSignature is
left untouched.
@TaprootFreak TaprootFreak marked this pull request as ready for review June 8, 2026 16:00
@TaprootFreak TaprootFreak requested a review from davidleomay as a code owner June 8, 2026 16:00
@TaprootFreak TaprootFreak changed the title fix(realunit): forward signed name/address variant to Aktionariat fix(realunit): transliterate Aktionariat registration payload to ASCII Jun 8, 2026
@TaprootFreak TaprootFreak marked this pull request as draft June 8, 2026 16:06
@TaprootFreak
fix(realunit): forward the signed name/address variant, not always ASCII
5433d15 
The minimal "always transliterate to ASCII" approach regressed legacy wallets
that signed the raw UTF-8 fields (still accepted by #3709's verify): forwarding
ASCII no longer matched their UTF-8 signature. Resolve which representation the
signature verifies against (raw or BitBox-safe ASCII) and forward exactly that,
so both legacy UTF-8 signers and current ASCII/BitBox signers keep working.
@TaprootFreak TaprootFreak changed the title fix(realunit): transliterate Aktionariat registration payload to ASCII fix(realunit): forward the signed name/address variant to Aktionariat Jun 8, 2026
@TaprootFreak TaprootFreak marked this pull request as ready for review June 8, 2026 16:15
@TaprootFreak TaprootFreak merged commit c41ce5a into develop Jun 8, 2026
7 checks passed
@TaprootFreak TaprootFreak deleted the fix/realunit-aktionariat-signed-variant branch June 8, 2026 16:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@davidleomay davidleomay davidleomay approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TaprootFreak @davidleomay