ArcSign v1.5.1
ArcSign v1.5.1
What's Changed
Security
- Every signing path now passes through one mandatory backend gate before a
private key is touched. Previously,eth_signTypedData(EIP-712) and
personal_signreached signing without any security check — the main attack
surface for phishing signatures (maliciousPermit/Permit2/
setApprovalForAll). Transactions, EIP-712 typed data, and messages now all
route through the same architecturally-unbypassable gate. - EIP-712
verifyingContractnormalization defense. A non-canonical
verifyingContract(e.g. a decimal number instead of a0xaddress — the
ScamSniffer/SlowMist bypass that affected 40+ wallets) is flagged as danger
instead of rendering blank. - Blocklist screening of signature contents. The
spender/operator/
verifyingContractembedded in an EIP-712 request, and any0xaddress in a
personal_signmessage, are screened against the embedded blocklist
(OFAC-sanctioned + known scam spenders). Free, offline, no API key. - Danger detected and not acknowledged → the backend refuses to sign; the
private key is never decrypted or touched.
Changed
- Private-key derivation is consolidated into a single entry point
(deriveAndSign) whose first step is the security gate — no signing path can
reach key material without passing it. mapSignErrordelegates toMapWalletError, restoring specific error codes
(e.g. wrong-password) for message/typed-data signing, consistent with
SignTransaction.
Fixed
- Rust
SignMessageInput/SignTypedDataInputwere missing the
acknowledged_riskfield, so the user's risk acknowledgement was silently
dropped before reaching the backend gate. Plumbed end-to-end.
Downloads
| Platform | File |
|---|---|
| macOS (Apple Silicon) | ArcSign-macOS-ARM64.dmg |
| Windows (x64) | ArcSign-Windows-x64.msi |
| Linux (x64) | ArcSign-Linux-x64.deb, .AppImage |
Verification
SHA256SUMS covers both the installer bundles and the Go
shared library (libarcsign.dylib / .so / .dll). See
docs/reproducible-builds.md
for how to rebuild from source and verify the hash matches.
Install (macOS / Linux)
bash <(curl -fsSL https://arcsign.io/install.sh)