Skip to content
This repository has been archived by the owner on Jun 2, 2019. It is now read-only.

eth_sign sometimes produces invalid signature. #947

Open
leroldary opened this issue Jan 3, 2019 · 2 comments
Open

eth_sign sometimes produces invalid signature. #947

leroldary opened this issue Jan 3, 2019 · 2 comments

Comments

@leroldary
Copy link

Using eth_sign and then verifying the signature (recovering the address) the recovered address in sometimes wrong.

E.g. Signing the data
0x68bfc34d28afcb7ae03691816548965dffba6c427c79d15fe6ef548384395fb0
with the address
0xe3aAd2d4f9545D3cE53Bb5cd9Ca929a9f7995837
the result of TrustWallet is
0xa20bdcf11c4c689edba3af62c531240c09d365233cc7e8934ad9c8ea7085b37a1f781f59e558e8dc8f46cf56964f373deaf70b61bd2b896b87a49c8b293cc3311b

Now if we recover the address we get
0x4d8d9d89b133024249651d9161F52a8c0D9d4e7e
@yoheinishikubo
Copy link

yoheinishikubo commented Jan 9, 2019
edited
Loading

I got wrong signed hashes every time with the function web3.personal.sign.

With the following minimum PoC code, the generated result is wrong.
Of course, this code works perfectly with other environments like MetaMask and the Android version of Trust.

<html>
  <head>
    <script>
	const sign = ()=>{
		const message = 'Hello world!';
		const signer = web3.eth.accounts[0];
		web3.personal.sign(message, signer, (err, signature) => {
			if (!err){
			    document.querySelector(".signer").innerText = signer;
			    document.querySelector(".message").innerText = message;
			    document.querySelector(".signature").innerText = signature;
			}
      		});
	}
      
    </script>
  </head>
  <body onload="sign()">
    <div>Signer: <span class="signer"></span></div>
    <div>Message: <span class="message"></span></div>
    <div>Signature: <span class="signature"></span></div>
  </body>
</html>

The code above can be tested on the following URL.

https://gist.githack.com/yoheinishikubo/65e51a60fad63fefcc2af7e8d7fe5508/raw/d1dc153c76a6cbce676e339c3df0a00d3eb24955/index.html

It makes me confused that the service like OpenSea using this API works fine with Trust.
Is there another way to make a message personal-signed?

@yoheinishikubo
Copy link

I found that the first parameter of web3.personal.sign is needed to be converted to hex manually with the method like web3.fromUtf8 or web3.utils.utf8ToHex.
I can get the correct result with iOS version of Trust.

The original code working with MetaMask and Android version of Trust mislead me.

@hewigovens hewigovens mentioned this issue May 16, 2019
Closed
@846200 846200 mentioned this issue May 12, 2022
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@yoheinishikubo @leroldary