solana-labs / solana

Add the ability to sign a message to the Solana Ledger app #21366

Closed fragosti closed 1 year ago

fragosti commented 2 years ago

Problem

At Phantom, we've implemented a signMessage feature that allows an application to request signing an arbitrary message. This feature is being used by Audius on Solana to authenticate users, and is popular on Ethereum for applications like OpenSea that also rely on it to authenticate their users.

A long-standing issue with this feature is that the Solana Ledger app (https://github.com/LedgerHQ/app-solana) does not support signing arbitrary messages, and so this feature does not work for Ledger users.

Proposed Solution

Add support for signing arbitrary data (or just utf8 strings) to the Solana Ledger app. @t-nelson mentioned that support would need to be added to solana-remote-wallet and the CLI as well.

t-nelson commented 2 years ago

Would ASCII do? The Ledger's font doesn't support all of UTF8 and I'm fairly certain a UTF8 compliant transaction message could be constructed

fragosti commented 2 years ago

If there are security reasons for just doing ASCII, sure, but our preference would be UTF8.

https://docs.phantom.app/integrating/signing-a-message

t-nelson commented 2 years ago

Yeah the inability of the ledger to actually display all UTF8 messages is pretty much a non-starter IMO
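An added example, not part of the thread and not code from the Ledger app: one way to express the check the two comments above point at, accepting a text-signing request only if every byte is printable ASCII and the buffer does not also parse as a legacy Solana transaction message. Function names and sample inputs are hypothetical and constructed for illustration; versioned (v0) messages are not handled.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: a sign-in text and a minimal legacy message (2 zero keys). */
static const uint8_t SAMPLE_TXT[] = "Sign in to example.org, nonce 7f3a";
static const uint8_t SAMPLE_TX[105] = {1, 0, 1, 2, [100] = 1, [101] = 1, [102] = 1};

/* Printable ASCII only (0x20..0x7e), bytes a restricted device font can show. */
int is_printable_ascii(const uint8_t *m, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (m[i] < 0x20 || m[i] > 0x7e) return 0;
    return n > 0;
}

/* Decode a compact-u16 length prefix: 7 bits per byte, at most 3 bytes. */
static int read_len(const uint8_t *m, size_t n, size_t *pos, uint32_t *out) {
    *out = 0;
    for (int i = 0; i < 3 && *pos < n; i++) {
        uint8_t b = m[(*pos)++];
        *out |= (uint32_t)(b & 0x7f) << (7 * i);
        if (!(b & 0x80)) return *out <= 0xffff;
    }
    return 0;
}

/* 1 if the whole buffer parses as a legacy message: header, keys, blockhash, instructions. */
int parses_as_legacy_message(const uint8_t *m, size_t n) {
    size_t pos = 3;  /* 3-byte header; m[0] is the required-signature count */
    uint32_t nkeys, nix, cnt;
    if (n < 3 || m[0] == 0 || !read_len(m, n, &pos, &nkeys) || nkeys < m[0]) return 0;
    if (n - pos < (size_t)nkeys * 32 + 32) return 0;  /* account keys + blockhash */
    pos += (size_t)nkeys * 32 + 32;
    if (!read_len(m, n, &pos, &nix)) return 0;
    for (uint32_t i = 0; i < nix; i++) {
        if (pos >= n || m[pos++] >= nkeys) return 0;  /* program id index */
        for (int part = 0; part < 2; part++, pos += cnt)  /* account indexes, data */
            if (!read_len(m, n, &pos, &cnt) || n - pos < cnt) return 0;
    }
    return pos == n;
}

/* Gate for a text-signing request: displayable and not also a transaction. */
int may_sign_as_text(const uint8_t *m, size_t n) {
    return is_printable_ascii(m, n) && !parses_as_legacy_message(m, n);
}

int main(void) {
    return printf("text=%d tx=%d\n", may_sign_as_text(SAMPLE_TXT, sizeof SAMPLE_TXT - 1),
                  may_sign_as_text(SAMPLE_TX, sizeof SAMPLE_TX)) < 0;
}
```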

kinosang commented 2 years ago

Is there any draft or standard about the signature? Does it use the similar algorithm as BIP-322 and ERC-191?

dahifi commented 2 years ago

Star Atlas would like this fixed as well. The profile update page uses the message signing to allow clients to select avatar pics, and it works fine w Phantom and SolFlare, but Ledger users are not. I've been trying to trace the issue down and dealing with Ledger support the last few days. I've pinged their Discord admin and asked for a dev to pop in here to help figure out whether they can contribute utf support or if it'll have to be one of these 'allow blind signing' types of things.

mralbertchen commented 2 years ago

Genopets would like this fixed as well - our summoning / hatching function requires a signature of the answers to the hatching questions. It works well on Phantom but Ledger users currently have to send the eggs over to a non-ledger address in order to hatch.

dahifi commented 2 years ago

I spoke to @t-nelson via TG last week, he said that they actually don't need Ledger's assistance with this and that they (Solana) should be able to deliver a fix in 22Q1.

This works for Star Atlas team but obviously might need higher priority based on other projects' needs.

adamq-q commented 2 years ago

Portals would like this fixed as well! 🌀

bmeeder22 commented 2 years ago

Phantasia would like this feature as well 🏈 🏀 ⚽

Caribosaurus commented 2 years ago

Same thing for https://piratesdelsol.com

emperorgurgeh commented 2 years ago

Planet owners at www.desolate.space are also begging for this :)

We need this for server side authentication of a user whose key is secured in a Ledger

kirksgithub commented 2 years ago

I will bump this also from Grape (https://verify.grapes.network with over 250k verified wallets) - we use message signing to verify user wallets, currently Ledger is supported only with a transaction from/to the same wallet, drawback is that the user will end up paying the gas fees until support for message signing is rolled out with Ledger

GoJiTa972 commented 2 years ago

And I bump because I can't sign in to https://game.playmysteria.com/ nor grape as above.

xavierleung commented 2 years ago

We at https://solparasites.com/ also make use of message signing for our verification system and have many users with Ledger wallets waiting for message signing support with Ledger.

GrimLothar commented 2 years ago

Adding a vote to this feature from https://grimsyndicate.com

HappySean2845 commented 2 years ago

CyberConnect at https://sol.cyberconnect.me also wants this to be fixed as well

quarantaquatro commented 2 years ago

Metavillage at https://metavillage.app/ also wants this to be fixed as well

t-nelson commented 2 years ago

> ... would like to vote for this fix as well

This is Github, not a DAO. It's clear that this is desired, finding time to do the work is the remaining factor

0xWernher commented 2 years ago

Engineer behind Metavillage here. We'd also really appreciate this fix, as hundreds of our members use Ledger for security reasons.

Our use case: we ask users to sign a message with their wallets to authenticate with our web app. ASCII support should be enough but UTF8 is preferable.

rez-cpu commented 2 years ago

any update on this?

dahifi commented 2 years ago

> > ... would like to vote for this fix as well
>
> This is Github, not a DAO. It's clear that this is desired, finding time to do the work is the remaining factor

Trevor,

I see the Ledger program is written in C. Is the availability of C developers an issue here? I think at this point that we might be able to put a gitcoin bounty on this and move things forward.

What will it take to make this happen before April 1?

RustySol commented 2 years ago

Solanalanders at liqnft.com would also love the fix!!

nonfungible-dev commented 2 years ago

Pesky Penguins would love a fix for this as well 😁. We need this feature for creating JWT tokens that we can use to authenticate with our server.

zkRemda commented 2 years ago

Same for me

t-nelson commented 2 years ago

tfw the issue is brigaded by people who don't know the difference between a fix and a feature request

zkRemda commented 2 years ago

> tfw the issue is brigaded by people who don't know the difference between a fix and a feature request

To be fair, it is a fix for a broken functionality. You could argue it is a feature request although the user experience needs to be considered.

t-nelson commented 2 years ago

What never existed cannot be broken

zkRemda commented 2 years ago

> What never existed cannot be broken

It does exist, just not for ledger 😊

quarantaquatro commented 2 years ago

You can call it certainly as you want, it's a problem that needs to be addressed urgently if Solana doesn't want to fall behind!

Every day when another user lost his assets, more Ledgers will be out there and this is a serious problem for every Solana project. Many things are on hold because of that.

zkRemda commented 2 years ago

> You can call it certainly as you want, it's a problem that needs to be addressed urgently if Solana doesn't want to fall behind!
>
> Every day when another user lost his assets, more Ledgers will be out there and this is a serious problem for every Solana project. Many things are on hold because of that.

I don't see it that urgent, I know it is important but not crucial. Sign arbitrary messages current usage is mainly for NFTs and web3 apps. There are much more priorities on Solana development.

What we could do is collect a bounty between all the projects interested in this feature and leave the Solana developers handling core issues.

mvines commented 2 years ago

> What we could do is collect a bounty between all the projects interested in this feature and leave the Solana developers handling core issues.

Yep, there seems to be enough brigaded here that there ought to be somebody from the community that is willing to do more than just direct other users to comment on this issue. Brigading will not be rewarded around here

t-nelson commented 2 years ago

FWIW I'm not generally interested in a community contribution to the Ledger App for this issue. There's some refactoring that should take place first and it will take longer to communicate the requirements to an unfamiliar contributor than to implement it myself.

I intend to prioritize this work before the end of Q1

GrimLothar commented 2 years ago

> > What we could do is collect a bounty between all the projects interested in this feature and leave the Solana developers handling core issues.
>
> Yep, there seems to be enough brigaded here that there ought to be somebody from the community that is willing to do more than just direct other users to comment on this issue. Brigading will not be rewarded around here

How are the replies here considered brigading? Comments are not THAT often and AFAIK they are all coming from project devs who are looking forward to use this in their apps. I don't see anyone directing their users to comment here.

Also, although I'm sure there must be other priorities for Solana core, NFTs and web3 apps are giving HUGE exposure to the whole Solana environment, so I don't see why there is a need to undermine them?

Thank you @t-nelson for trying to prioritize this

kryptoj commented 2 years ago

Thank you @t-nelson. The MLK Fam @ milktoast.world is looking forward to this issue being fixed! 🙏

karnaker commented 2 years ago

I would also like to see this fixed. I'm a user; I purchased a Ledger Nano S directly from Ledger, and my primary use case for Ledger is the Solana app. The ability to securely sign a message via the Solana Ledger app has value. For example, several dApps on Solana implement this to authenticate users. Because Ledger does not support this, then I have to use alternative wallets. I would prefer to use my Ledger Nano S because of the additional security Ledger provides. FWIW, nobody brigaded me -- I was simply Google searching for a solution to this problem, and thought to add a user's perspective in the hope it is helpful.

vjohnston commented 2 years ago

+1, thank you for trying to prioritize this, @t-nelson! Little Atlas is also really looking forward to a fix 🙏🙏

cryptowazza commented 2 years ago

Hopefully this will be added soon. SolanaFloor and many other platform users have been requesting this for months.

Gousi1991 commented 2 years ago

Hello, it is really needed for www.monkeyleague.io right now. There is a sign-in necessary to claim gifts and many users don't feel safe without ledger in this space. Please find a workaround for this. Would be much appreciated.

0xfunfacts commented 2 years ago

Same for me. I do not want to put my stuff into an unsafe browser wallet. So please add this as soon as possible!

quarantaquatro commented 2 years ago

Hi everybody, I know it won't solve it for everyone but as a simple workaround, I basically let the user authorize a mini transaction from his wallet to his wallet! This costs him some micro cents but works fine in my project. Of course, it's not a solution for people who have to sign in nonstop but it works well for some situations where you just want to verify something or authorize something special for this moment. At least in my case, no users have any issue with this workaround.

Having said that, YES this feature is really needed and at least some type of news/update would help to either build on better workarounds or wait until we get this feature. Thank you everyone!

t-nelson commented 2 years ago

highly recommend against training users to sign transactions for this use-case. you're grooming them to be socially engineered

AndyQDesign commented 2 years ago

Please add this functionality, games need it.

akalasol commented 2 years ago

monkeyleague.io is in urgent need of this feature, please add it! appreciate your work.

quarantaquatro commented 2 years ago

> highly recommend against training users to sign transactions for this use-case. you're grooming them to be socially engineered

As I said, it's a temp solution for those of us who can't wait any longer! Plus, it is a matter of making clear to the user what is happening. They are free to use or not to use it. However, if you have a project with hundreds or thousands of users who can't participate otherwise, I still prefer to give them a choice.

pdesgrip commented 2 years ago

Would also like to see this fixed as I can't use Ledger with Monkeyleague.io

karnaker commented 2 years ago

> highly recommend against training users to sign transactions for this use-case. you're grooming them to be socially engineered

I agree with this. The crypto ecosystem is full of scams, frauds, and bad actors. I appreciate products -- such as Ledger -- that can deliver a good experience in this context. Hopefully folks with @t-nelson's mindset will make crypto safer for people who are trying to do good work or perform legitimate transactions.

rivendale commented 2 years ago

would love to have a fix for sites like: https://app.monkeyleague.io/store

zkRemda commented 2 years ago

For all the people requesting this for monkeyleague, ask your developers to seek for an alternative to this, take a look at implementations from other projects like pesky penguins, yawww, matrica, grape, etc.

To sign arbitrary data with a ledger is not a priority for Solana core rn.

ianlandsman commented 2 years ago

It's absolutely nuts that this wouldn't be a priority.

quarantaquatro commented 2 years ago

> o sign arbitrary data with a ledger is not a priority for Solana co

Ridiculous! Not much more I can say about this comment.