Verbose Signing: How to Confirm Any Tezos Operation on your Ledger Device

Verbose Signing: How to Confirm Any Tezos Operation on your Ledger Device

Thanks to recent developments, it is now possible to verify any Tezos operation being signed by a ledger device!

Some Background

Confirming operations on a hardware wallet's UI is a vital part of what makes using them so secure. When you are using a web app or desktop wallet, it is possible the software running on your computer or in your browser could be compromised. While the website might say you are sending XTZ to your friend, the operation they are asking you to sign might really be sending it to a different address. It is far less likely the hardware wallet's UI is compromised; that's why we always recommend that you confirm the operation you are signing on your ledger device.

For the hardware wallet to show details on what you are signing, the ledger application must parse the operation it is signing. This currently happens for all the most common Tezos operations, and everyday users should not encounter situations where they can't confirm what they are signing. However, for operations that it doesn't parse, Tezos Wallet has historically shown the message “Unparsed operation, Sign unverified?” If you've ever seen that screen before, now you know why!

Teaching the ledger app how to parse operations is a good step, but it can be nearly impossible to account for every situation. For instance, what about batching payouts to delegates or submitting multiple proposals? We could try to account for every possibility, but each operation the devices has to understand costs memory which places an upper bound on total operations it can parse. Not to mention some operations can't be feasibly confirmed on a tiny screen anyway (would you want to confirm 100 individual payout transactions on a 1 inch screen?).

This new feature takes a different approach - instead of a solution for each individual possibility, verbose signing can be applied to nearly every operation type.

John Hancock is famous for his large signature on the Declaration of Independence. With Verbose signing, you too can sign big (operations)! Photo Credit: Slate

Verbose Signing

This new feature was introduced to the Tezos codebase in MR !994 and Tezos Wallet v2.0.1, currently available in Ledger Live! You can find documentation on its use here.

When constructing an operation in tezos-client, you can now include -- verbose-signing as a parameter on any operation the ledger can sign. This will show you the operation's bytes and produce a blake2b hash of the operation in tezos-client. Here's an example output produced from proposing two amendments:

Pre-signature information (verbose signing):

  • Branch:
BMRELbkCkHvCAr2vZfavjYUKXLbKrGvX6oN3qNEDKPjp8aJHqRm
  • Watermark:
Generic-operation (0x03)
  • Operation bytes:
e0ac9e16f0005865f71bcf039d10ec2bb8d604210c9139968949f64ea5c9d1320500aed01

1841ffbb0bcc3b51c80f2b6c333a1be3df00000000000000040ab22e46e7872aa13e366e4

55bb4f5dbede856ab0864e1da7e122554579ee71f876cd995a324193bbe09ac2d5c53f69f

93778f8d608f1fea885f9b53e0abdb6e4
  • Blake 2B Hash (raw):
Hnw7wQsfv8fvMUejXNJ31NauapEtzLZg859JwqNUEDEE
  • Blake 2B Hash (ledger-style, with operation watermark):
C5Qkk9tTwaUbhnrN29JpXSmsYCEi1uhM8rSsentBwmbN
  • JSON encoding:
{
  “branch”: “BMRELbkCkHvCAr2vZfavjYUKXLbKrGvX6oN3qNEDKPjp8aJHqRm”,
  “contents”: [
    {
      “kind”: “proposals”,
      “source”: “tz1baMXLyDZ7nx7v96P2mEwM9U5Rhj5xJUnJ”, “period”: 0,
      “proposals”: [
        “Pt24m4xiPbLDhVgVfABUjirbmda3yohdN82Sp9FeuAXJ4eV9otd”,
        “Psd1ynUBhMZAeajwcZJAeq5NrxorM6UCU4GJqxZ7Bx2e9vUWB6z”
      ]
    }
  ]
}

You will see the Blake 2B Hash (ledger-style, with operation watermark) and the prompt “Sign Hash” in your Ledger device's UI when using verbose signing. This feature is supported for the following operations:

  • Set Delegate: set delegate for <source> to <manager>
  • Withdraw Delegate: withdraw delegate from <source>
  • Register Delegate: register key <manager> as delegate
  • Contract Origination: originate account <new> for <manager> transferring <quantity> from <source> or originate contract <new> for <manager> transferring <quantity> from <source> running <prg>
  • Transfers: transfer <quantity> from <source> to <destination>
  • Revelations: reveal key for <source>
  • Submit Proposals: submit proposals for <delegate> proposal

We recommend trying this with --dry-run for your first time. Just be aware that the head block level impacts the hash generated, so if you attempt to generate a hash of the same operation at different block levels, the hash will differ. To mitigate this, you can include --block <block-hash> to tie the operation to a given block hash. This is particularly useful if you are confirming an operation on more than one device to increase confidence that your local tezos-client has not been compromised.

Next Steps

While we don't have additional development surrounding this feature planned at this time, we do intend to circle back to specific instances that should be parsed by the Ledger application but are not. A high priority target here is dataTypes in Michelson smart contracts, allowing DApp developers to display custom signing screens for their smart contracts!

It would also be nice for the community to have a simple web app simply for generating operation hashes so the entire Tezos community can quickly and easily gain additional confidence that their instance of tezos-client has not been compromised.

Have questions? Please ask on Tezos Stack Exchange! We do our best to answer promptly.

Want to say hi? Send us an email (tezos@obsidian.systems) or tweet (@obsidian_llc)!

After receiving requests from the community, we have also set up a donation address: tz1gddTh1i6qpviichg4e2GiSoNQer4FyAiM