Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Get frames signing in V3 #320

Draft
wants to merge 21 commits into
base: main
Choose a base branch
from
Draft

Get frames signing in V3 #320

wants to merge 21 commits into from

Conversation

nplasterer
Copy link
Contributor

We need a way to sign in V3

nplasterer
nplasterer commented Nov 6, 2024
View reviewed changes
library/src/main/java/org/xmtp/android/library/frames/FramesClient.kt Outdated
Comment on lines 48 to 52
private suspend fun signDigest(digest: ByteArray): Signature {
val signedPrivateKey = xmtpClient.keys.identityKey
val privateKey = PrivateKeyBuilder.buildFromSignedPrivateKey(signedPrivateKey)
return PrivateKeyBuilder(privateKey).sign(digest)
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since there is no more key bundles how might we do the signing in V3? @neekolas

Copy link
Contributor

@neekolas neekolas Nov 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We would need to sign with the installation keys (and include the pub key in the payload so it could be verified since installation key signatures are not recoverable without the pub key).

This does change how the verification works. The verifier would need to pull down the identity update history for the right inbox ID to make sure the public key is registered.

That’s going to require some work on the Node SDK side, since the verifier isn’t necessarily a full client with a database. We would want some static methods to help support workflows like this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For security reasons we are going to want a different context/label on the Frames signatures than what we use for messages or identity updates. That’ll help prevent replays.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds like there might be some libxmtp work here. Probably makes sense to write up a tech doc or something. @mchenani this might be a great next task for you if you're up for it.

@nplasterer nplasterer mentioned this pull request Nov 6, 2024
Open
Base automatically changed from np/update-example-app to np/fix-all-tests November 7, 2024 01:00
Base automatically changed from np/fix-all-tests to np/remove-v2-client November 7, 2024 01:17
Base automatically changed from np/remove-v2-client to np/remove-contacts November 7, 2024 01:20
Base automatically changed from np/remove-contacts to np/remove-decrypted-message November 7, 2024 01:31
Base automatically changed from np/remove-decrypted-message to np/v3 November 7, 2024 01:33
Base automatically changed from np/v3 to main November 7, 2024 04:54
@nplasterer nplasterer changed the title [V3] Get frames signing in V3 Get frames signing in V3 Nov 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neekolas neekolas neekolas left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nplasterer @neekolas