search

sparrowwallet / sparrow

Desktop Bitcoin Wallet focused on security and privacy. Free and open source.
https://sparrowwallet.com/
Apache License 2.0
1.32k stars 188 forks source link

SD Card Message Signing: Newline Character Issue and QR Code Compatibility #1505

Closed odudex closed 4 weeks ago

odudex commented 1 month ago

While adapting Krux to support SD card message signing, I noticed that if a message contains a newline character, the saved message file trims it out. For example, a message like:

"Test message:
Hello world"

gets written to the file as:

"Test message:Hello world!
m/84'/1'/0'/0/8
P2WPKH"

However, when a message is exported as a QR code, the newline character ("\n") is not omitted.

Here are the results after adapting Krux: Using QR codes to export and import: ✅ Works as expected Export to Krux via QR, Krux exports back using SD: ✅ Works as expected Using SD card to export and import: ⚠️ Works only if the message contains no newline characters ("\n") Using SD card to export and then importing by scanning a QR code with Krux: ⚠️ Works only if the message contains no newline characters ("\n")

craigraw commented 4 weeks ago

I noticed that if a message contains a newline character, the saved message file trims it out.

This is required as per https://coldcard.com/docs/sign-text-file/#text-file-format

Using SD card to export and import: ⚠️ Works only if the message contains no newline characters ("\n")

Can you clarify what doesn't work?

odudex commented 4 weeks ago

This is required as per https://coldcard.com/docs/sign-text-file/#text-file-format

Thank you for pointing out!

Can you clarify what doesn't work?

As "Hello\nworld" is different from "Helloworld", Krux produced signature would not match the text still present on Sparrow's message field. Now I learned the standard came from CC I was able to diagnose the incompatibility. Coldcard exports the modified message back, with trimmed '\n, together with signature. When Sparrow receives it, it modifies the message text field contents accordingly, so signature matches text.

I'll modify Krux to export the like Coldcard does:

-----BEGIN BITCOIN SIGNED MESSAGE-----
HelloWorld
-----BEGIN BITCOIN SIGNATURE-----
tb1qlu0x6ucq7g99uy8vyd75zcspan7vw5ulrzty70
J7o7/7f4C3pnt164Vmq+jKiBO7g1FNK0IV0XoHt7qNZweiYK+gsXhvThR50FwfB6PUMpYD4Ju9vd7LDFhSNXvps=
-----END BITCOIN SIGNATURE-----

Thoughts: To prevent issues with message content being altered during the signing process, I believe the standard's limitation (no "\n" in messages) could be enforced while the user is typing. While this would also affect QR code users, if we can't unify the standards for QR codes and SD cards under the hood, at least we can aim for consistency from the user's perspective.

odudex commented 4 weeks ago

I have modified Krux to export a signed message file that includes not only the signature but also the message and address, similar to how CC does it. Thank you for pointing out the specifications.

craigraw commented 3 weeks ago

To prevent issues with message content being altered during the signing process, I believe the standard's limitation (no "\n" in messages) could be enforced while the user is typing. While this would also affect QR code users, if we can't unify the standards for QR codes and SD cards under the hood, at least we can aim for consistency from the user's perspective.

I think it would be better ideally if we could change the file format to avoid stripping newlines. I've asked the Coldcard team, let's see if it's possible.

odudex commented 3 weeks ago

Thank you! With or without newlines, Krux will be compatible.