We are building a web3 data-gating solution called VAULT3 that allows content creators and enterprises to share confidential files exclusively with their communities, customers and investors through customizable access conditions such as whitelists of wallets, policy IDs, and stake pools delegation.
We are using the Mesh library to interact with Cardano wallets from our app. However, we realized that CIP-30 wallets can’t sign in (by signing a nonce) when users are using a hardware wallet.
We also realized that even Cardano Foundation’s official dapps like the voting portal for the Cardano Summit 2023 have this issue as well.
Does anyone know a workaround for this problem? Where could I create a feature request to support this important use case?
Thank you very much!
Co-Founder of VAULT3
Co-SPO of GranADA Pool
Up to now, the hardware wallets did not want to support that, allegedly because of security concerns (the arbitrary data given to sign could also be transactions in disguise or something like that).
But now a Catalyst proposal https://projectcatalyst.io/funds/10/f10-products-and-integrations/message-signing-for-trezor-and-ledger-cip-8-cip30 has been funded to implement those for Trezor as well as Ledger. Will probably take some months and some of that persuasion.
Workaround is to let the users sign a transaction instead of a message and check the signature on that. That does not have to be and should not be submitted, just signed, checked, and thrown away.
You can use a transaction message https://cips.cardano.org/cips/cip20/ to explain to the user what that is (and to make the login unique to prevent replay attacks). And you can use inputs and outputs for example on the zero address https://adastat.net/addresses/addr1vyqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqkdl5mw to make even clearer that no user funds will be moved by that and then just add the user’s addresses as required signers.
Thank you, @HeptaSean! I wasn’t aware of this situation. I’m very glad that a Catalyst proposal is on the way and is being addressed. I figured some other devs might run into the same problem so thank you very much for the hint! I’ll try to implement this workaround. In case you have some source code to show how this is done, it might be very helpful to open source it as an article, as it might save a lot of time and effort for other builders.