Guard uses 6492 signature for validation of passkey

Author: ScreamingHawk

packages/core/src/commons/signature.ts

@@ -4,6 +4,7 @@ import * as config from './config'
 export type SignaturePart = {
   signature: string
   isDynamic: boolean
+  validationSignature?: string
 }
 
 export type Signature<T extends config.Config> = {

packages/guard/src/signer.ts

@@ -47,7 +47,13 @@ export class GuardSigner implements signers.SapientSigner {
     // Building auxData, notice: this uses the old v1 format
     // TODO: We should update the guard API so we can pass the metadata directly
     const coder = universal.genericCoderFor(metadata.config.version)
-    const { encoded } = coder.signature.encodeSigners(metadata.config, metadata.parts ?? new Map(), [], metadata.chainId)
+    const validationsParts = new Map(
+      Array.from(metadata.parts || []).map(([signer, part]) => [
+        signer,
+        part.validationSignature ? { ...part, signature: part.validationSignature } : part
+      ])
+    )
+    const { encoded } = coder.signature.encodeSigners(metadata.config, validationsParts, [], metadata.chainId)
 
     return (
       await this.guard.signWith({

packages/passkeys/src/index.ts

@@ -43,6 +43,10 @@ export type PasskeySignMetadata = {
   cantValidateBehavior?: 'ignore' | 'eip6492' | 'throw'
 }
 
+function isPasskeySignMetadata(obj: any): obj is PasskeySignMetadata {
+  return typeof obj === 'object' && obj !== null
+}
+
 function bytesToBase64URL(bytes: Uint8Array): string {
   const base64 = btoa(String.fromCharCode(...bytes))
   return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
@@ -181,7 +185,11 @@ export class SequencePasskeySigner implements signers.SapientSigner {
     return Promise.resolve(bundle)
   }
 
-  async sign(digest: ethers.BytesLike, metadata: PasskeySignMetadata): Promise<ethers.BytesLike> {
+  async sign(digest: ethers.BytesLike, metadata: object): Promise<ethers.BytesLike> {
+    if (!isPasskeySignMetadata(metadata)) {
+      throw new Error('expected sequence signature request metadata')
+    }
+
     const referenceChainId = metadata?.referenceChainId ?? metadata?.chainId ?? this.chainId
     const subdigest = subDigestOf(await this.getAddress(), referenceChainId, ethers.hexlify(digest))
 
@@ -233,23 +241,35 @@ export class SequencePasskeySigner implements signers.SapientSigner {
       ]
     )
 
-    if (!!metadata && metadata.cantValidateBehavior !== 'ignore') {
-      let isDeployed = false
-      try {
-        isDeployed = await this.isDeployed()
-      } catch (e) {
-        // Ignore. Handled below
-      }
-      if (!isDeployed && metadata.cantValidateBehavior === 'eip6492') {
-        return this.buildEIP6492Signature(signatureBytes)
-      } else if (!isDeployed && metadata.cantValidateBehavior === 'throw') {
-        throw new Error('Cannot sign with a non-deployed passkey signer')
-      }
+    const cantValidateBehavior = metadata?.cantValidateBehavior ?? 'ignore'
+    let isDeployed = false
+    try {
+      isDeployed = await this.isDeployed()
+    } catch (e) {
+      // Ignore. Handled below
+    }
+    if (!isDeployed && cantValidateBehavior === 'throw') {
+      throw new Error('Cannot sign with a non-deployed passkey signer')
+    }
+    if (!isDeployed && cantValidateBehavior === 'eip6492') {
+      return this.buildEIP6492Signature(signatureBytes)
     }
 
     return signatureBytes
   }
 
+  async buildValidationSignature(signatureBytes: string): Promise<string | undefined> {
+    console.log('passkey buildValidationSignature', signatureBytes)
+    try {
+      if (await this.isDeployed()) {
+        return undefined
+      }
+    } catch (e) {
+      // Ignore. Assume not deployed
+    }
+    return this.buildEIP6492Signature(signatureBytes)
+  }
+
   private async buildEIP6492Signature(signature: string): Promise<string> {
     const deployTransactions = await this.buildDeployTransaction()
     if (!deployTransactions || deployTransactions?.transactions.length === 0) {

packages/signhub/src/orchestrator.ts

@@ -19,7 +19,7 @@ export enum SignerState {
 export type SignerStatus =
   | { state: SignerState.INITIAL }
   | { state: SignerState.SIGNING; request: Promise<ethers.BytesLike> }
-  | { state: SignerState.SIGNED; signature: ethers.BytesLike; suffix: ethers.BytesLike }
+  | { state: SignerState.SIGNED; signature: ethers.BytesLike; suffix: ethers.BytesLike; validationSignature?: ethers.BytesLike }
   | { state: SignerState.ERROR; error: any }
 
 export function isSignerStatusPending(
@@ -183,9 +183,23 @@ export class Orchestrator {
             state: SignerState.SIGNING,
             request: s
               .sign(message, metadata ?? {})
-              .then(signature => {
+              .then(async signature => {
                 const suffix = s.suffix()
-                status.signers[saddr] = { state: SignerState.SIGNED, signature, suffix }
+                let validationSignature
+                if (s.buildValidationSignature) {
+                  try {
+                    validationSignature = await s.buildValidationSignature(signature)
+                  } catch (e) {
+                    // Log and ignore
+                    console.warn(`signer ${saddr} failed to build validation signature: ${e}`)
+                  }
+                }
+                status.signers[saddr] = {
+                  state: SignerState.SIGNED,
+                  suffix,
+                  signature,
+                  ...(validationSignature && { validationSignature })
+                }
                 onStatusUpdate()
                 return signature
               })

packages/signhub/src/signers/signer.ts

@@ -25,6 +25,11 @@ export interface SapientSigner {
    */
   sign(message: ethers.BytesLike, metadata: object): Promise<ethers.BytesLike>
 
+  /**
+   * Build a validation signature for an undeployed contract signer.
+   */
+  buildValidationSignature?(signatureBytes: ethers.BytesLike): Promise<ethers.BytesLike | undefined>;
+
   /**
    * Notify the signer of a status change.
    */

packages/signhub/tests/orchestrator.spec.ts

@@ -54,7 +54,7 @@ describe('Orchestrator', () => {
 
         expect(numErrors).to.be.equal(0, 'No errors should be present')
         expect(numSignatures).to.be.equal(Math.max(callbackCallsA, 3), 'Should have max 3 signatures')
-        expect(numPending).to.be.equal(Math.min(signers.length - callbackCallsA, 0), 'Should have 0 pending')
+        expect(numPending).to.be.equal(0, 'Should have 0 pending')
       })
 
       let callbackCallsB = 0
@@ -73,6 +73,61 @@ describe('Orchestrator', () => {
       expect(callbackCallsB).to.be.equal(3)
     })
 
+    it('Should call callback with status and validation signature', async () => {
+      class SapientValidationSignerMock implements SapientSigner {
+        private readonly wallet: ethers.Signer
+        constructor() {
+          this.wallet = ethers.Wallet.createRandom()
+        }
+        async getAddress(): Promise<string> {
+          return this.wallet.getAddress()
+        }
+        buildDeployTransaction(metadata: object): Promise<commons.transaction.TransactionBundle | undefined> {
+          throw new Error('Method not implemented.')
+        }
+        predecorateSignedTransactions(metadata: object): Promise<commons.transaction.SignedTransactionBundle[]> {
+          throw new Error('Method not implemented.')
+        }
+        decorateTransactions(bundle: commons.transaction.IntendedTransactionBundle, metadata: object): Promise<commons.transaction.IntendedTransactionBundle> {
+          throw new Error('Method not implemented.')
+        }
+        sign(message: ethers.BytesLike, metadata: object): Promise<ethers.BytesLike> {
+          return this.wallet.signMessage(message)
+        }
+        notifyStatusChange(id: string, status: Status, metadata: object): void {
+          throw new Error('Method not implemented.')
+        }
+        suffix(): ethers.BytesLike {
+          return new Uint8Array([2])
+        }
+        async buildValidationSignature(signature: string) {
+          return signature + 'validation'
+        }
+      }
+      const signers = [new SapientValidationSignerMock()]
+      const signerAddress = await signers[0].getAddress()
+
+      const orchestrator = new Orchestrator(signers)
+
+      let signingSuccess = false
+      orchestrator.subscribe((status, metadata) => {
+        expect(Object.keys(status.signers)).to.have.lengthOf(signers.length, 'Should have all signers')
+        expect(status.signers).to.have.property(signerAddress)
+        const signerStatus = status.signers[signerAddress]
+
+        if (signerStatus.state === SignerState.SIGNED) {
+          signingSuccess = true
+          expect(signerStatus.validationSignature).to.be.equal(signerStatus.signature + 'validation')
+        }
+      })
+
+      await orchestrator.signMessage({
+        message: '0x1234',
+      })
+
+      expect(signingSuccess).to.be.true
+    })
+
     it('getSigners should return all signers', async () => {
       const signers = new Array(10).fill(0).map(() => ethers.Wallet.createRandom())
       const orchestrator = new Orchestrator(signers)

packages/wallet/src/wallet.ts

@@ -40,8 +40,13 @@ const statusToSignatureParts = (status: Status) => {
     if (value.state === SignerState.SIGNED) {
       const suffix = ethers.getBytes(value.suffix)
       const suffixed = ethers.solidityPacked(['bytes', 'bytes'], [value.signature, suffix])
+      const validationSignature = value.validationSignature ? ethers.hexlify(value.validationSignature) : undefined
 
-      parts.set(signer, { signature: suffixed, isDynamic: suffix.length !== 1 || suffix[0] !== 2 })
+      parts.set(signer, {
+        signature: suffixed,
+        isDynamic: suffix.length !== 1 || suffix[0] !== 2,
+        validationSignature
+      })
     }
   }