Cryptographic message signing (CIP-8) to sign in with CIP-30 wallets doesn't work for Hardware wallets

Hi everyone!

We are building a web3 data-gating solution called VAULT3 that allows content creators and enterprises to share confidential files exclusively with their communities, customers and investors through customizable access conditions such as whitelists of wallets, policy IDs, and stake pools delegation.

We are using the Mesh library to interact with Cardano wallets from our app. However, we realized that CIP-30 wallets can’t sign in (by signing a nonce) when users are using a hardware wallet.

We also realized that even Cardano Foundation’s official dapps like the voting portal for the Cardano Summit 2023 have this issue as well.

Does anyone know a workaround for this problem? Where could I create a feature request to support this important use case?

Thank you very much!

Best Regards,
Vito Melchionna
Co-Founder of VAULT3
Co-SPO of GranADA Pool

Up to now, the hardware wallets did not want to support that, allegedly because of security concerns (the arbitrary data given to sign could also be transactions in disguise or something like that).

But now a Catalyst proposal has been funded to implement those for Trezor as well as Ledger. Will probably take some months and some of that persuasion.

Workaround is to let the users sign a transaction instead of a message and check the signature on that. That does not have to be and should not be submitted, just signed, checked, and thrown away.

You can use a transaction message to explain to the user what that is (and to make the login unique to prevent replay attacks). And you can use inputs and outputs for example on the zero address to make even clearer that no user funds will be moved by that and then just add the user’s addresses as required signers.


Thank you, @HeptaSean! I wasn’t aware of this situation. I’m very glad that a Catalyst proposal is on the way and is being addressed. I figured some other devs might run into the same problem so thank you very much for the hint! I’ll try to implement this workaround. In case you have some source code to show how this is done, it might be very helpful to open source it as an article, as it might save a lot of time and effort for other builders. :pray: