I see that I have the address in the headers and I also have the ed25519 signature, but I’m not sure how am I supposed to determine the public key for this and I obviously don’t have access to the secret at that point. I was trying something like:
import { eddsa } from "elliptic";
const EdDSA = new eddsa("ed25519");
const key = EdDSA.keyFromPublic(
? // what do I put here? Is there a way I can get the public key from the address hex?
);
const verifies = key.verify(
"hello world",
"D1FCCD8B340A46FD9573FE6A0F6BFC8373562019E9FCD8BDFD7A7D08A89FE98BF28E6736BAE823C024C7B20081C6D30FC4676D2A314299F22CB0264EE7E6AB04"
);
console.log("Valid:", verifies);
I don’t think you can get the public key from the address. The address just contains a hash of the public key, not the key itself. For transactions, the key is sent in the witness set, not in the transaction body itself.
I don’t know what the design rationale is for that, but it is that way. So, you’d request the public key from whoever signed it and not only verify the signature, but also check that the hash of that public key fits with the public key hash in the address.
Note: this won’t help you with JavaScript but the output will aid debugging and looking at the implementation will show pretty printing and decoding not only of CBOR but also BECH32 etc
I think I wasn’t that clear and I may have put the wrong category in this topic. This is not related to transactions, but more related to CIP-0008
I’m not looking into submitting or verifying transactions, I just want to check if a message was really signed by a specific user.
For example, in Nami wallet, you would use the signData function from the dApp connector. After you do that, you get the signed message with the signature and I send that to my back end. But after it gets there, how can I verify that the message was really signed by the address X? If I don’t verify that I would allow any user to send a message in name of any wallet address they want