Hashpack / hashconnect

Hashconnect library, readme in progress
BSD Zero Clause License

Message signing discretely malforms provided message #140

Closed evilfrog closed 10 months ago

evilfrog commented 2 years ago

Signing message with: https://github.com/Hashpack/hashconnect#sign

What it says it does is it takes dataToSign and signs it. What it actually does is (AFAIK) it first JSON.stringifies the dataToSign and then signs it.

Extra characters are added discreetly to the message (which changes the signature):

const msg = 'Hello World!'; // => Hello World!
const jmsg = JSON.stringify(msg); // => "Hello World!"

The end result is the returned signature cannot be verified (or to be precise: cannot be verified unless you know about JSON.stringify).

It may not be a problem for JS/Node, but it is a problem if you sign a message on the frontend with JS and try to verify it on the backend (tested with hashgraph/hedera-sdk-go/v2 and crypto/ed25519).

I see two solutions to this problem:

  1. Keep the behavior but document it (with examples of JSON.stringified values for backend devs)
  2. Get rid of the behavior. Remove JSON.stringify and replace string | object with Uint8Array | string where the string is expected to be hex encoded byte array: https://github.com/Hashpack/hashconnect/blob/main/lib/src/message/relayMessage.ts#L115

jruffer commented 2 years ago

Had a conversation with Pluto @teacoat on Discord.

try to sign a message which is 'Hello World!', but apparently, the library is JSON.stringifying it, which changes 'Hello World!' into '"Hello World!"' - it adds these double quotes.

We have a workaround but just wanted to make sure you were going to use this as it stands?
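
The mismatch reported in this issue, seen from a Go backend using crypto/ed25519, as an added example that is not part of the thread or of hashconnect's code. The throwaway key, the `jsStringify` and `check` helpers and the sample messages are assumptions constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// jsStringify rebuilds the bytes JSON.stringify yields for the sample strings
// below. HTML escaping is disabled because Go would otherwise write \u003c for
// '<'; Encode's trailing newline is trimmed. It is not byte-exact for every
// input (Go still escapes U+2028/U+2029), so test against real wallet output.
func jsStringify(s string) []byte {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	_ = enc.Encode(s) // a string written to a bytes.Buffer returns no error
	return bytes.TrimSuffix(buf.Bytes(), []byte("\n"))
}

// check (hypothetical helper) signs wire, the bytes the frontend really signed
// according to the issue, and reports which backend reconstructions verify.
func check(msg, wire string) (raw, stringified, marshal bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, []byte(wire))
	naive, _ := json.Marshal(msg) // default Marshal HTML-escapes <, > and &
	raw = ed25519.Verify(pub, []byte(msg), sig)
	stringified = ed25519.Verify(pub, jsStringify(msg), sig)
	marshal = ed25519.Verify(pub, naive, sig)
	return
}

func main() {
	// Constructed samples: the message and its JSON.stringify form.
	samples := [][2]string{
		{"Hello World!", `"Hello World!"`},
		{"a<b", `"a<b"`},
	}
	for _, s := range samples {
		raw, str, mar := check(s[0], s[1])
		fmt.Printf("%-14q raw=%-5v stringified=%-5v json.Marshal=%v\n", s[0], raw, str, mar)
	}
}
```

The second sample shows why the verified bytes need pinning down: a plain `json.Marshal` on the backend matches for 'Hello World!' but not for a message containing `<`.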