fix: use a signing domain prefix for offline message signing

solana-foundation · Oct 24, 2024 · 9e26177 · 9e26177
1 parent 68867cb
commit 9e26177
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/app/components/message/MessageForm.tsx b/app/components/message/MessageForm.tsx
@@ -5,7 +5,7 @@ import dynamic from 'next/dynamic';
 import { SetStateAction, useCallback, useEffect, useMemo, useState } from "react";
 
 import { MeteredMessageBox } from "./MeteredMessageBox";
-import { SigningContext, SignMessageBox } from "./SignMessageButton";
+import { SigningContext, SignMessageBox, SIGNING_DOMAIN } from "./SignMessageButton";
 
 const ConnectButton = dynamic(async () => ((await import('@solana/wallet-adapter-react-ui')).WalletMultiButton), { ssr: false });
 
@@ -72,7 +72,7 @@ export const MessageForm = (props: { reportVerification: ReportMessageVerificati
 
     const handleVerifyClick = useCallback(() => {
         try {
-            const verified = ed25519.verify(bs58.decode(signature), new TextEncoder().encode(message), bs58.decode(address));
+            const verified = ed25519.verify(bs58.decode(signature), new TextEncoder().encode(SIGNING_DOMAIN + message), bs58.decode(address));
             if (!verified) throw new Error("Message verification failed!");
             setVerified(true)
         } catch (error) {

diff --git a/app/components/message/SignMessageButton.tsx b/app/components/message/SignMessageButton.tsx
@@ -4,6 +4,8 @@ import { Message, Transaction } from '@solana/web3.js';
 import bs58 from 'bs58';
 import React, { useCallback } from 'react';
 
+export const SIGNING_DOMAIN = String.fromCharCode(0xff) + 'solana offchain\n';
+
 export interface SigningContext {
     input: string;
     address: string;
@@ -41,8 +43,9 @@ export const SignMessageBox = (props: Props) => {
             if (!shouldSign(formattedMessage)) {
                 throw new Error('Message may be used in a transaction! Refusing to sign.');
             }
-            const signature = await signMessage(new TextEncoder().encode(formattedMessage));
-            if (!ed25519.verify(signature, new TextEncoder().encode(formattedMessage), publicKey.toBytes())) {
+            const message = new TextEncoder().encode(SIGNING_DOMAIN + formattedMessage);
+            const signature = await signMessage(message);
+            if (!ed25519.verify(signature, message, publicKey.toBytes())) {
                 throw new Error('Message signature invalid!');
             }