Skip to content

ArcSign v1.5.2

Choose a tag to compare

@github-actions github-actions released this 01 Jul 02:11

ArcSign v1.5.2

What's Changed

Security

  • Mint-page connection pairing gate. The localhost WebSocket (127.0.0.1:9527)
    used by the Pro NFT mint page now requires a one-time 8-digit pairing code
    (shown in the desktop app, entered in the mint page) before any account or
    signing method is allowed — 60s TTL, 3-attempt lockout, constant-time
    comparison. Replaces the prior boolean-authenticated model.
  • Origin allowlist hardening. Production builds reject empty Origin
    (non-browser local processes) and localhost dev ports; only the apex mint-page
    origin and Tauri's own webview origins are allowed. Origin comparison is now
    case-insensitive per RFC 6454.
  • Pairing-code comparison length gate. A length mismatch now folds into the
    same wrong-attempt path as a content mismatch, removing a distinguishable
    early return so the constant-time compare is honest end-to-end.

Changed

  • Dev / production build split. Developer-only WebSocket auto-sign helpers
    are compiled behind a dev-mode feature; production builds return a friendly
    error instead. CI publishes both a production release (3 platforms) and a
    -dev build (macOS/Linux).
  • Signing paths (transaction / message / typed-data) consolidated through a
    single deriveSecureSigner (decrypt + derive), byte-identical to the prior
    per-path code.

Fixed

  • Swap quote resilience. OpenOcean and KyberSwap clients send a browser-like
    User-Agent to avoid Cloudflare 403s. Free users whose OpenOcean quote/build
    fails now fall back to KyberSwap automatically (no referrer fee on the
    fallback), for both quote and transaction build.
  • Swap confirm shows the route you'll actually sign. When a free-user swap
    falls back to a different provider between quote and build, the confirmation
    step shows a "route updated" notice with the actual provider and fee.

Downloads

Platform File
macOS (Apple Silicon) ArcSign-macOS-ARM64.dmg
Windows (x64) ArcSign-Windows-x64.msi
Linux (x64) ArcSign-Linux-x64.deb, .AppImage

Verification

SHA256SUMS covers both the installer bundles and the Go
shared library (libarcsign.dylib / .so / .dll). See
docs/reproducible-builds.md
for how to rebuild from source and verify the hash matches.

Install (macOS / Linux)

bash <(curl -fsSL https://arcsign.io/install.sh)