What is the desired UX for signing transactions?

I just voted for the ICC election: https://icc-election.intersectmbo.org/

It seemed like I could not use Daedalus to vote for this, so I used Lace wallet with my Ledger X hardware wallet. When I connected, my hardware wallet just said: “confirm transaction y/n”. However, there was no way to see what I was signing!

So my question is: what is the right way to verify such transactions, and/or are there ways being developed to create some verifiability of what you’re signing on the hardware wallet (e.g. if you somehow had a compromised software system)? I am not looking for an answer like “make sure your system is not compromised” – my question is how a user can currently (or should in the future be able to) make sure that the hardware wallet is the trusted component, and not the software system.

What components play a role here, and what aspects is the ecosystem able (and unable) to address? This could be e.g. communication/documentation, software wallet features/UX, hardware wallet features/UX, etc.

Maybe I’m doing something with the suboptimal process or tools, but I wonder where we stand currently w.r.t. this usability and security – I’m a huge fan of the Cardano vision, and I’m not sure whether I should be using better tools instead, but it feels clumsy now.


How did you manage to vote with Ledger X? I get “CIP-8 message signing not supported by Ledger app version 6.1.2” with Eternl and with Lace I get a “create error”…

If I remember correctly, you have to activate another “My Ledger provider” in the settings of Ledger Live to get access to the app version that already has message signing.

Unfortunately, I couldn’t find any document about it and couldn’t get it to work for me. (I’m suspecting that the firmware update I just got is incompatible with the provider that has the update. Almost all numbers just result in “invalid provider”.)

I admit I’m not even sure and don’t exactly remember – I just followed the UI on the voting site, clicked ‘hardware wallet’, connected Lace… and somehow it worked. I have Cardano app version 4.1.2 for Ledger, maybe that even matters.

I realize this is a bit of a poor report, I’m really looking for a description of what the assumed flow is (to whatever extent that’s a constant, given that different hardware/software-wallet combinations and transaction types may have different flows).

Ah, wait, then you probably did not use message signing, but the transaction signing workaround that you can choose with this:
[screenshot: screenshot-2024-06-24-22:35:31]

Because most hardware wallets still do not allow signing messages (Ledger has a beta implementation for that, but it seems not obvious to get, as I tried in the answer to @_2072 above), Summon (the project providing the system behind the ICC vote) has implemented a workaround that has the vote signed in a (fake) transaction’s metadata instead of signing it directly as a message with the other method.

This transaction will never be submitted to the chain. In fact, it is built in a way that it cannot be carried out. Its only purpose is that you sign the whole transaction and it contains your vote that you thereby sign.

Voting period has unfortunately ended, so I cannot show you where you could have seen what exactly you sign in some wallet apps (Eternl, for example, lets you see the complete metadata of the transaction).

The Summon team seems kind of eager to improve their system and it has already been proposed to them to put the content to be signed in a field that is shown to the user in most wallet apps.
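The post above describes the workaround (the vote lives in the metadata of a transaction that can never be submitted) but not how a user can check that before pressing “confirm” on the device. The script below is an added example, not code from Summon, Lace or Eternl, and it makes several assumptions that the thread does not confirm: that the transaction body uses the Shelley-era CDDL map layout (key 0 inputs, 1 outputs, 2 fee, 3 ttl, 7 auxiliary_data_hash), that the “cannot be carried out” property is an expiry (ttl) earlier than the current slot, and that the vote text is carried as CIP-20 message metadata (label 674, key `"msg"`). All sample bytes are constructed for the example. It decodes the body and metadata CBOR, extracts the vote, recomputes the auxiliary data hash that the body commits to, and flags anything that would let the transaction move value or be submitted.

```python
"""Audit a vote-in-metadata transaction before a hardware wallet signs it.

Added example, not Summon/Lace/Eternl code.  Assumptions (not from the
thread): Shelley-era body map layout (0 inputs, 1 outputs, 2 fee, 3 ttl,
7 auxiliary_data_hash) and a CIP-20 message (label 674) carrying the vote.
All sample bytes below are constructed for this example.
"""
import hashlib

# --- minimal CBOR codec (definite-length items only) ----------------------
def _head(major, n):
    if n < 24:
        return bytes([major << 5 | n])
    if n < 256:
        return bytes([major << 5 | 24, n])
    return bytes([major << 5 | 25]) + n.to_bytes(2, "big")

def _uint(n): return _head(0, n)
def _bstr(b): return _head(2, len(b)) + b
def _tstr(s): return _head(3, len(s.encode())) + s.encode()
def _arr(items): return _head(4, len(items)) + b"".join(items)
def _map(pairs): return _head(5, len(pairs)) + b"".join(k + v for k, v in pairs)

def _read_head(data, pos):
    ib = data[pos]
    major, info, pos = ib >> 5, ib & 0x1F, pos + 1
    if info < 24:
        return major, info, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:
        raise ValueError("indefinite-length or reserved CBOR item")
    return major, int.from_bytes(data[pos:pos + width], "big"), pos + width

def decode(data, pos=0):
    """Decode one CBOR item at pos; return (value, next_pos)."""
    major, arg, pos = _read_head(data, pos)
    if major == 0:
        return arg, pos
    if major == 2:
        return bytes(data[pos:pos + arg]), pos + arg
    if major == 3:
        return data[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        out = {}
        for _ in range(arg):
            k, pos = decode(data, pos)
            v, pos = decode(data, pos)
            out[k] = v
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def aux_hash(aux_cbor):
    # auxiliary_data_hash is blake2b-256 over the CBOR-encoded auxiliary data
    return hashlib.blake2b(aux_cbor, digest_size=32).digest()

# --- constructed sample transaction (hypothetical ballot, fake input) -----
VOTE_TEXT = "ICC vote: candidate A"          # constructed placeholder ballot
SAMPLE_AUX = _map([(_uint(674), _map([(_tstr("msg"), _arr([_tstr(VOTE_TEXT)]))]))])
FAKE_TXID = bytes.fromhex("ab" * 32)         # constructed, not a real tx hash
SAMPLE_BODY = _map([
    (_uint(0), _arr([_arr([_bstr(FAKE_TXID), _uint(0)])])),  # 0: inputs
    (_uint(1), _arr([])),                                      # 1: outputs: none
    (_uint(2), _uint(0)),                                      # 2: fee: 0
    (_uint(3), _uint(1)),                                      # 3: ttl: slot 1, long expired
    (_uint(7), _bstr(aux_hash(SAMPLE_AUX))),                   # 7: auxiliary_data_hash
])

def audit_vote_tx(body_cbor, aux_cbor, current_slot):
    """Return what the user is committing to and any reasons to refuse."""
    body, _ = decode(body_cbor)
    aux, _ = decode(aux_cbor)
    problems = []
    ttl = body.get(3)
    if ttl is None or ttl >= current_slot:
        problems.append("ttl missing or still valid: tx could be submitted")
    if body.get(1):
        problems.append("tx has outputs: value would move if submitted")
    if body.get(2, 0) != 0:
        problems.append("non-zero fee: ada would be spent if submitted")
    if body.get(7) != aux_hash(aux_cbor):
        problems.append("auxiliary_data_hash does not match shown metadata")
    label = aux.get(674) if isinstance(aux, dict) else None
    msg = label.get("msg") if isinstance(label, dict) else None
    vote = "".join(msg) if isinstance(msg, list) else None
    if vote is None:
        problems.append("no CIP-20 message in metadata")
    return {"vote": vote, "ttl": ttl,
            "aux_hash_hex": aux_hash(aux_cbor).hex(), "problems": problems}

if __name__ == "__main__":
    print(audit_vote_tx(SAMPLE_BODY, SAMPLE_AUX, current_slot=128_000_000))
    # same body, swapped metadata: the hash the body commits to no longer matches
    tampered = SAMPLE_AUX.replace(b"candidate A", b"candidate B")
    print(audit_vote_tx(SAMPLE_BODY, tampered, current_slot=128_000_000)["problems"])
```

The useful check here is the last one: whatever the software wallet shows as “the vote” is only what you are signing if its hash equals the `auxiliary_data_hash` in the body, and the body is what the device signs. If the device displays that hash (or the metadata hash) rather than the text, comparing it against `aux_hash_hex` computed from the metadata the software claims you are signing is the one step that does not depend on trusting the software side.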

Ah indeed, that’s it! I used that switch for tx signing. Thanks for the clarification.

So when transferring ada, I can see the amount and recipient address, but this kind of voting transaction is apparently work in progress. As I don’t know the types of transactions and risks, it did not feel safe; I hope this UX will improve in the future.

Regards
Eric

The transaction had an expiry date in the past so that it could never have been successfully submitted to the chain.

I proposed a slightly different approach to them where it explicitly says that the effect on the wallet is zero. Also shown here:

Yes, I hope this will be improved. (And once the on-chain governance is started, those things will be used instead for a lot of things, anyway.)