lotus icon indicating copy to clipboard operation
lotus copied to clipboard

Published 20 hours ago verified publisher icon filecoin-project

Make it clear that Ledger accounts cannot be used for client commands

Open parkan opened this issue 3 years ago • 4 comments

Checklist

  • [X] This is not a new feature or an enhancement to the Filecoin protocol. If it is, please open an FIP issue.
  • [X] This is not a new feature request. If it is, please file a feature request instead.
  • [X] This is not brainstorming ideas. If you have an idea you'd like to discuss, please open a new discussion on the lotus forum and select the category as Ideas.
  • [X] I have a specific, actionable, and well motivated improvement to propose.

Lotus component

lotus client

Improvement Suggestion

The Ledger documentation currently does not make it clear that the hardware device can NOT be used for any deal-making functionality, which appears to be the case based on my attempts.

Attempting to set a ledger wallet as default produces a confusing error:

lotus wallet set-default f16fw44ez2vngkzrsaagpxpadgzem5xudmrm5d2qy
ERROR: opening key 'wallet-f16fw44ez2vngkzrsaagpxpadgzem5xudmrm5d2qy': key info not found

The only way to get a useful error (ERROR: failed to start deal: signing deal proposal failed: ledger can only sign chain messages) is to pass the --from parameter to lotus client deal, which is also undocumented and only works preceding the positional arguments.

My suggestion would be to update the introductory text in the ledger guide:

~~Lotus supports using a Ledger hardware wallet as a backend for FIL transfers.~~ → Lotus supports using a Ledger hardware wallet for FIL transfers **ONLY**. Accounts backed by a Ledger cannot make deals or interact with miners. Do not send DataCap to these accounts.

Of course the preferred solution would be to add support for signing offline messages :dog:

parkan avatar Jul 30 '21 22:07 parkan

everyone seems to be surprised by this so I am happy to be wrong! but I'm not seeing a way to do it

parkan avatar Aug 01 '21 00:08 parkan

oh, one further confusing thing is that I was able to view a "private key" using ./lotus-shed ledger key-info "m/44'/461'/0'/0/0" and even tried to import it using lotus wallet import but that command seems to expect a different format

{"Type":"secp256k1-ledger","PrivateKey":"e..."}

this is confusing because dumping the seed or the derived keys from a ledger should not be possible (without compromising the HSM with malicious firmware and fuzzing) so I don't know what this value is

the code (https://github.com/filecoin-project/lotus/blob/5048c3f717ba40d56934b4eeaa6b743750902ad1/cmd/lotus-shed/ledger.go#L180) doesn't shed much light

~~what's extra extra confusing is that the account does seem to have a KeyInfo in the keystore (based on this command's output) so the "key info not found" error when attempting to set it as default doesn't line up~~

EDIT: never mind the last bit, the key info is assembled by shed

EDIT2: I base64decoded the "private key" value and it actually contains a JSON string with address and derivation path only:

{"Address":"f16fw44ez2vngkzrsaagpxpadgzem5xudmrm5d2qy","Path":[2147483692,2147484109,2147483648,0,0]}

so there's nothing fishy going on with the private keys, it's only the json packing that gives it a misleading label

parkan avatar Aug 01 '21 00:08 parkan

ok so it looks like ledger is restricted to signing MTChainMsg and not MTDealProposal, so it's probably more accurate to say ledger wallets cannot propose deals, but other on-chain deal-related messages would still work

I'm not sure what the motivation is -- both are going to be cbor blobs and I don't see why the signing code couldn't handle deal proposals

you can also use ethereum's message_sign with ledger in offline contexts, so at least on a high level it's not an unsound idea -- no obvious issues like replays or chosen plaintext attacks are immediately apparent (or at least uniquely present in this case vs non-ledger wallets)

one possibility I can see is that maybe MTBlock block headers were meant to be excluded as it would not be practical to sign those interactively, and deal proposals got trampled?

parkan avatar Aug 01 '21 02:08 parkan

Indeed this would have been good to know before adding my DataCap to a ledger backed address.

both are going to be cbor blobs and I don't see why the signing code couldn't handle deal proposals

While I don't know if this is what's actually blocking the issue, I do know Ledger apps are not supposed to do "blind signing" https://developers.ledger.com/docs/nano-app/functional-requirements/#blind-signing (not without explicit warnings anyway). For your own safety the messages are supposed to be interpreted and shown in human readable form on the Ledger display, so you can review what you're about to sign.

Edit: indeed it seems like the Ledger app implements a transaction parser https://github.com/LedgerHQ/app-filecoin/blob/3b213b3009f1e7395de258b9cc0140b71f8005c6/app/src/parser_impl.c#L368

But no UI action to blind sign something. Or sign deals. While of course the actual signing code is generic. https://github.com/LedgerHQ/app-filecoin/blob/3b213b3009f1e7395de258b9cc0140b71f8005c6/app/src/crypto.c#L109

Beanow avatar Dec 01 '21 13:12 Beanow

Closing this ticket as Ledger supports this now: https://github.com/Zondax/ledger-filecoin/pull/130

rjan90 avatar Oct 21 '24 10:10 rjan90