-
Notifications
You must be signed in to change notification settings - Fork 3.6k
A SIG_K1 generated by eosiopy library is not accepted anymore on EOSIO 2.0 #8534
Comments
Verified behavior change between 1.8 and 2.0 |
The string parser for keys & sigs in 2.0 is more strict and will not accept a base58 string with more data than expected. This change was unintentional. However, this may actually be good behavior. If an impl is buggy enough to include extra junk in a signature, maybe that extra junk is sensitive information. |
And to add a bit on that, for other people that might get here. The extra length in the signature generated by the The thing is that the maintainer never released a new version of his library. And all was good until EOSIO 2.0 since it's less lenient. From my point of view, this indeed does not deserve a fix. Maybe just a note in the upgrade guide about this that EOSIO 2.0 is stricter now seems enough. |
It looks like there are 2 issues:
So far, it looks like eosjs 20 doesn't have an issue. |
Once the release documentation reflects this change, going to close this one as wontfix. As mentioned before, there is concern that if an implementation leaks extra data in to signatures it may be leaking something sensitive. It's prudent to discourage such behavior. |
How to solve this problem in the end? |
How to solve this problem in the end? |
@yiailongsimon Use |
@maoueh hello,eosiopy git has only one master branch, https://github.com/eosmoto/eosiopy |
Yeah ok... The master branch contains the fix. The default pip install eosiopy does not install a version with the fix in it. Just ensure you are using the master branch and you are good to go. Check the last commit on master branch and validate against your local copy that you have the bug fix in there. If present and still have an issue, it’s not related to this bug report. |
@maoueh ok,I try first, thanks! |
Here a packed transaction that fails on EOSIO 2.0 node:
But properly decode itself using a EOSIO 1.8 node:
My current hypothesis is that the signature
SIG_K1_Aq4qpUtK3ar5CWcisdgCkMHrBm6oXgWw3FsVGwFuNTfuzuGTGV5XjGm7mtbfcxXokgJu2gh15hhC7u5fHvhPJwVNduDXxdAg9aZCSzjA6CpNJr54VUbJ
contains more data than just the signature payload (85 bytes here in the decodable part of the string).I think this signature was accepted before when dealing with EOSIO 1.8, but now, it's not accepted anymore.
This was reported by one of our dfuse user. Personally, I'm not sure it warrant a bug fix in EOSIO.
Wanted to report the issue nonetheless since it still some kind of breaking change between EOSIO 1.8 and 2.0 and gather feedback.
Maybe when transforming the string to a binary format, maybe we could just truncate straight the extra bytes of the signature, so the rest could still work like in EOSIO 1.8.
The text was updated successfully, but these errors were encountered: