Releases: arcsignio/arcsign
Release list
ArcSign v1.5.4
ArcSign v1.5.4
What's Changed
Changed
- WalletDetail refactored from a 2979-line component into focused units.
The largest frontend file after v1.5.3 is now a ~2142-line coordinator.
Extracted: pure token-metadata enrichment (enrichTokens.ts, deduping three
identical copies), pure formatters (walletDetailFormat.ts), the seven
full-screen sub-view dispatch blocks (walletDetail/WalletDetailViews.tsx),
and the unlock → passphrase → load-balances state machine (useWalletData.ts).
Behavior is unchanged; the signing-sensitivevalidatedPassphraseand
passwordRefplumbing is byte-identical to before, verified end-to-end.
The asset-list render body stays in the main component (its extraction is
planned for a later release).
Downloads
| Platform | File |
|---|---|
| macOS (Apple Silicon) | ArcSign-macOS-ARM64.dmg |
| Windows (x64) | ArcSign-Windows-x64.msi |
| Linux (x64) | ArcSign-Linux-x64.deb, .AppImage |
Verification
SHA256SUMS covers both the installer bundles and the Go
shared library (libarcsign.dylib / .so / .dll). See
docs/reproducible-builds.md
for how to rebuild from source and verify the hash matches.
Install (macOS / Linux)
bash <(curl -fsSL https://arcsign.io/install.sh)ArcSign v1.5.3
ArcSign v1.5.3
What's Changed
Changed
- SwapTransaction refactored from a 3238-line component into focused units.
Pure formatters moved toswapFormat.ts, the flow state machine to a
useSwapFlowhook, and each step rendered by a small presentational component
undercomponents/swap/. The main component is now a ~355-line coordinator.
Behavior is unchanged; the mandatory backend sign-gate and its
acknowledgedRiskplumbing are byte-identical to before. - Swap orchestration extracted into a pure
swapService.ts. The multi-step
build → sign → broadcast → record sequence (for both approval and swap) now
lives in a React-free service that the hook calls; the service reports progress
via a callback and throws stable error codes the hook maps to i18n. Every
signTransactioncall is byte-identical to the pre-refactor code, verified
field-by-field. No Go / backend changes.
Fixed
- Return to the asset list and refresh balances after a successful swap.
Previously the swap success handler only logged; the view stayed open and
balances weren't refreshed. It now closes the swap view and re-fetches
balances. The same pre-existing bug in the Send flow is fixed the same way.
Downloads
| Platform | File |
|---|---|
| macOS (Apple Silicon) | ArcSign-macOS-ARM64.dmg |
| Windows (x64) | ArcSign-Windows-x64.msi |
| Linux (x64) | ArcSign-Linux-x64.deb, .AppImage |
Verification
SHA256SUMS covers both the installer bundles and the Go
shared library (libarcsign.dylib / .so / .dll). See
docs/reproducible-builds.md
for how to rebuild from source and verify the hash matches.
Install (macOS / Linux)
bash <(curl -fsSL https://arcsign.io/install.sh)ArcSign v1.5.2
ArcSign v1.5.2
What's Changed
Security
- Mint-page connection pairing gate. The localhost WebSocket (
127.0.0.1:9527)
used by the Pro NFT mint page now requires a one-time 8-digit pairing code
(shown in the desktop app, entered in the mint page) before any account or
signing method is allowed — 60s TTL, 3-attempt lockout, constant-time
comparison. Replaces the prior boolean-authenticated model. - Origin allowlist hardening. Production builds reject empty Origin
(non-browser local processes) and localhost dev ports; only the apex mint-page
origin and Tauri's own webview origins are allowed. Origin comparison is now
case-insensitive per RFC 6454. - Pairing-code comparison length gate. A length mismatch now folds into the
same wrong-attempt path as a content mismatch, removing a distinguishable
early return so the constant-time compare is honest end-to-end.
Changed
- Dev / production build split. Developer-only WebSocket auto-sign helpers
are compiled behind adev-modefeature; production builds return a friendly
error instead. CI publishes both a production release (3 platforms) and a
-devbuild (macOS/Linux). - Signing paths (transaction / message / typed-data) consolidated through a
singlederiveSecureSigner(decrypt + derive), byte-identical to the prior
per-path code.
Fixed
- Swap quote resilience. OpenOcean and KyberSwap clients send a browser-like
User-Agent to avoid Cloudflare 403s. Free users whose OpenOcean quote/build
fails now fall back to KyberSwap automatically (no referrer fee on the
fallback), for both quote and transaction build. - Swap confirm shows the route you'll actually sign. When a free-user swap
falls back to a different provider between quote and build, the confirmation
step shows a "route updated" notice with the actual provider and fee.
Downloads
| Platform | File |
|---|---|
| macOS (Apple Silicon) | ArcSign-macOS-ARM64.dmg |
| Windows (x64) | ArcSign-Windows-x64.msi |
| Linux (x64) | ArcSign-Linux-x64.deb, .AppImage |
Verification
SHA256SUMS covers both the installer bundles and the Go
shared library (libarcsign.dylib / .so / .dll). See
docs/reproducible-builds.md
for how to rebuild from source and verify the hash matches.
Install (macOS / Linux)
bash <(curl -fsSL https://arcsign.io/install.sh)ArcSign v1.5.1
ArcSign v1.5.1
What's Changed
Security
- Every signing path now passes through one mandatory backend gate before a
private key is touched. Previously,eth_signTypedData(EIP-712) and
personal_signreached signing without any security check — the main attack
surface for phishing signatures (maliciousPermit/Permit2/
setApprovalForAll). Transactions, EIP-712 typed data, and messages now all
route through the same architecturally-unbypassable gate. - EIP-712
verifyingContractnormalization defense. A non-canonical
verifyingContract(e.g. a decimal number instead of a0xaddress — the
ScamSniffer/SlowMist bypass that affected 40+ wallets) is flagged as danger
instead of rendering blank. - Blocklist screening of signature contents. The
spender/operator/
verifyingContractembedded in an EIP-712 request, and any0xaddress in a
personal_signmessage, are screened against the embedded blocklist
(OFAC-sanctioned + known scam spenders). Free, offline, no API key. - Danger detected and not acknowledged → the backend refuses to sign; the
private key is never decrypted or touched.
Changed
- Private-key derivation is consolidated into a single entry point
(deriveAndSign) whose first step is the security gate — no signing path can
reach key material without passing it. mapSignErrordelegates toMapWalletError, restoring specific error codes
(e.g. wrong-password) for message/typed-data signing, consistent with
SignTransaction.
Fixed
- Rust
SignMessageInput/SignTypedDataInputwere missing the
acknowledged_riskfield, so the user's risk acknowledgement was silently
dropped before reaching the backend gate. Plumbed end-to-end.
Downloads
| Platform | File |
|---|---|
| macOS (Apple Silicon) | ArcSign-macOS-ARM64.dmg |
| Windows (x64) | ArcSign-Windows-x64.msi |
| Linux (x64) | ArcSign-Linux-x64.deb, .AppImage |
Verification
SHA256SUMS covers both the installer bundles and the Go
shared library (libarcsign.dylib / .so / .dll). See
docs/reproducible-builds.md
for how to rebuild from source and verify the hash matches.
Install (macOS / Linux)
bash <(curl -fsSL https://arcsign.io/install.sh)ArcSign v1.5.0
ArcSign v1.5.0
Downloads
| Platform | File |
|---|---|
| macOS (Apple Silicon) | ArcSign-macOS-ARM64.dmg |
| Windows (x64) | ArcSign-Windows-x64.msi |
| Linux (x64) | ArcSign-Linux-x64.deb, .AppImage |
Verification
SHA256SUMS covers both the installer bundles and the Go
shared library (libarcsign.dylib / .so / .dll). See
docs/reproducible-builds.md
for how to rebuild from source and verify the hash matches.
Install (macOS / Linux)
bash <(curl -fsSL https://arcsign.io/install.sh)ArcSign v1.4.0
ArcSign v1.4.0 — Open Source Launch
This is ArcSign's first public release. Apache 2.0 licensed, open source, with reproducible builds.
ArcSign is a USB-only cold wallet for Bitcoin and 6 EVM chains. Private keys
never leave the USB drive. The .arcsign backup file is AES-256 encrypted at
export, so a stolen backup file is not a stolen wallet.
Why this exists
Hardware wallets cost $79–$149, lock you into a specific device, and aren't
something you can carry through a border crossing without questions. Software
wallets are convenient but store keys on a hard drive that any malware can
read. ArcSign is the middle path: install on any USB stick you already own,
unplug it when you're done, and your keys are out of reach of anything
running on the computer.
The original audience I had in mind was people who need to actually carry
their money with them — refugees, journalists in hostile jurisdictions,
people whose bank accounts have been frozen. They don't have time to wait
for a Ledger to arrive in the mail. But the same tradeoffs make sense for
everyone who wants strong cold-storage security at zero hardware cost.
What's in this release
- Multi-chain HD wallet — Bitcoin + 6 major EVM chains
(Ethereum, BSC, Polygon, Arbitrum, Optimism, Base) - USB-only cold storage — private keys generated and stored only on the
USB device, never on the host filesystem .arcsignencrypted backup — AES-256 at export, replaces paper seed
phrases- DEX swap aggregator — OpenOcean + KyberSwap parallel quotes, picks the
best route automatically - Token approval manager — view and revoke ERC-20 approvals across 6
chains. Pro members get batch revoke. - NFT gallery — cross-chain ERC-721 / ERC-1155 display
- DeFi positions — liquid staking (stETH, ankrETH, ankrBNB) with real-time APY
- WalletConnect — sign transactions from cold storage when connecting to
dApps - Pro membership — optional 30 USDT/year NFT on BSC for advanced features
Downloads
| Platform | File |
|---|---|
| macOS (Apple Silicon) | ArcSign-macOS-ARM64.dmg |
| Windows (x64) | ArcSign-Windows-x64.msi |
| Linux (x64) — Debian/Ubuntu | ArcSign-Linux-x64.deb |
| Linux (x64) — universal | ArcSign-Linux-x64.AppImage |
Also included: libarcsign.dylib, libarcsign.so, arcsign.dll (the Go
shared library that the desktop app loads — published so you can verify the
bundled copy matches).
Verification
Every release ships with SHA256SUMS covering both the installer bundles
and the Go shared library. To verify your download:
shasum -a 256 -c SHA256SUMS --ignore-missingFor full reproducible builds — clone the source at this tag, run
make build-reproducible, and the resulting SHA-256 should match what's
published here. If it doesn't, something was tampered with. See
docs/reproducible-builds.md
for the full procedure.
Install (macOS / Linux)
bash <(curl -fsSL https://arcsign.io/install.sh)The install script verifies the SHA-256 against the published SHA256SUMS
before installing. Source: install.sh.
Open source
- License: Apache 2.0 — see LICENSE
- Trademark policy: fork-friendly, see TRADEMARK.md
- Security policy: SECURITY.md — PGP-signed disclosures welcome
- Contributing: CONTRIBUTING.md — DCO sign-off required, no CLA
Every official on-chain address (Pro NFT contract, referral contract, swap
referrer) is a compile-time Go constant. They are printed at app startup
and documented at
OFFICIAL_ADDRESSES.md
so you can verify against BscScan.
Known limitations
- macOS Intel and Linux ARM are not yet built. Open an issue if you need them.
- The macOS DMG is unsigned (no Apple Developer Program enrollment yet) —
you'll need to right-click → Open the first time, or run
xattr -d com.apple.quarantine /Applications/ArcSign.appafter install. - Windows installer is unsigned (no EV cert yet) — SmartScreen will warn on
first launch.
These are funding constraints, not technical ones. They'll get fixed as
the project matures.
What's next
See ROADMAP.md.
Mobile companion app, additional chains, hardware wallet bridging are the
next priorities — in roughly that order.
Bug reports, security disclosures, and pull requests welcome.
Thanks for taking a look.