Skip to content

Add ADR-36 Signature Support and Dual-Mode Index Verification for JS SDK Compatibility #231

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 16, 2025
Merged

Add ADR-36 Signature Support and Dual-Mode Index Verification for JS SDK Compatibility #231

merged 1 commit into from
Nov 16, 2025

Conversation

@mateeullahmalik
Copy link
Collaborator

@mateeullahmalik mateeullahmalik commented Nov 16, 2025

PR Summary

This PR introduces full ADR-36 signature compatibility and JS SDK alignment for Cascade uploads, while preserving backward compatibility with all existing Go-based clients and legacy signatures.

Why

The JS SDK signs Cascade metadata (layout + index) using ADR-36 envelopes, while the existing Supernode verification logic expected raw secp256k1 signatures over base64-encoded payloads.
This mismatch caused Supernode to reject uploads initiated from the JS SDK with:

signature or index validation failed: signature verification failed

The issue affected:

  • Cascade index signature verification
  • Start-cascade auth signatures (in some flows)
  • Layout signature verification consistency across clients

What’s Changed

1. Add ADR-36 verification support in index signature validation

VerifyIndex() now attempts two verification modes:

  1. Legacy mode

    • Message = indexB64
    • Signature = raw or ADR-36

  2. JS-SDK mode

    • Message = canonical JSON index bytes (base64(indexJSON))
    • Signature = raw or ADR-36 (JS SDK uses ADR-36)

This makes the verification layer fully backward compatible while enabling JS SDK signatures.

2. Introduce unified ADR-36 verification path

All verification paths now go through VerifyStringRawOrADR36, allowing:

  • Raw secp256k1 signatures
  • ADR-36 amino sign docs
  • Base64 or raw message sources

This standardizes verification across:

  • Layout signatures
  • Index signatures
  • Upload-auth signatures
  • Download-auth signatures

3. No breaking changes

  • Existing sn-api-server signatures continue to verify normally
  • Existing Cascades remain readable and valid
  • No metadata format changes
  • No changes to on-chain Action metadata
  • SDK and tooling remain compatible

🔧 Highlights

  • Added ADR-36-aware signer helpers
  • Added dual-message verification for index signatures
  • Added better error surfaces for signature validation
  • Cleaned and hardened validator paths for Cascade metadata
  • Improved logging for signature verification failures

Result

With these changes:

  • All JS SDK generated signatures are now accepted by the Supernode
  • sn-api-server and Go SDK signatures continue to function without modification
  • The system can gradually migrate toward the ADR-36 scheme without disruption
  • We have a unified and future-proof signature model across Go and JS ecosystems

Testing

  • Uploaded Cascades using JS SDK → PASS
  • Uploaded Cascades using sn-api-server → PASS
  • Mixed-layout and mixed-signature scenarios → PASS
  • Legacy raw signatures → PASS
  • ADR-36 doc signature replay detection → PASS

@mateeullahmalik mateeullahmalik force-pushed the add_ADR-36_Signature_support branch from 2968056 to d457dd5 Compare November 16, 2025 12:29
@mateeullahmalik mateeullahmalik merged commit b84ceee into master Nov 16, 2025
6 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@j-rafique j-rafique j-rafique approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mateeullahmalik @j-rafique