Nested Keys #1325

Open
Vyryn opened this issue Jan 5, 2023 · 1 comment
Labels
anchor bug Something isn't working

Vyryn commented Jan 5, 2023

Description

Related to #1183

Ledger keys cannot sign anything that uses an "account@permission" permission instead of a direct key permission.
Issue #1183 says this is due to the Ledger API not providing enough info.
However, I accidentally stumbled on something that may make a potential workaround easy to implement.

Steps:

  • Log into Bloks.io on WAX network with an active permission set to a Ledger key
  • Update the permissions for this account:
      • Create a new key account@signer1, set to the same Ledger key
      • Change the permission for account@active, removing the key and adding the account account@signer1
  • Import account@signer1 into Anchor
  • Log into Bloks with account@signer1
  • Attempt to sign an action that requires account@active

Error
action declares irrelevant authority '{"actor":"account","permission":"signer1"}'; minimum authority is {"actor":"account","permission":"active"}
This is expected per 1183.

  • Switch active Bloks accounts to the still-present account@active login (which, recall, now only has the indirect account@signer1 permission as signer, not the key directly)
  • Attempt to sign the same action that requires account@active

Bloks sends the action to Anchor as account@active. Sign it on Ledger, and it successfully executes.

This seems to indicate that altering the signing account, as long as it is a valid signer for the requested account, is completely transparent to applications and to Ledger.
Thus a possible workaround for 1183 is to add, on the "Identity Request" page, an option that allows users to manually edit the "Prove Identity" field to the desired top-level permission without editing the "Select an account" field, which can be unchanged from present. I've made a rough mock-up below of what this might look like to the user:

image

Platform

Desktop (MacOS)

Steps To Reproduce

Steps:

  • Log into Bloks.io on WAX network with an active permission set to a Ledger key
  • Update the permissions for this account:
      • Create a new key account@signer1, set to the same Ledger key
      • Change the permission for account@active, removing the key and adding the account account@signer1
  • Import account@signer1 into Anchor
  • Log into Bloks with account@signer1
  • Attempt to sign an action that requires account@active

Error
action declares irrelevant authority '{"actor":"account","permission":"signer1"}'; minimum authority is {"actor":"account","permission":"active"}

Anything else?

A workaround like this would be greatly appreciated, in that it would allow most of the range of robust permission management EOSIO offers to be used by Ledger users.

@Vyryn Vyryn added anchor bug Something isn't working labels Jan 5, 2023
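
A simplified model of the two checks the report above runs into, added here as an illustration and not code from Anchor, nodeos or the issue author: the declared permission must be the minimum permission or one of its ancestors, and the provided keys must satisfy the declared permission, following account@permission entries recursively. The key names, the parent of signer1 and the depth limit are assumptions.

```javascript
// Constructed sample data: the account layout from the issue after the
// permission change. Key names and signer1's parent are assumptions.
const permissions = {
  "account@owner":   { parent: null, threshold: 1,
                       keys: [{ key: "OWNER_KEY", weight: 1 }], accounts: [] },
  "account@active":  { parent: "account@owner", threshold: 1, keys: [],
                       accounts: [{ permission: "account@signer1", weight: 1 }] },
  "account@signer1": { parent: "account@active", threshold: 1,
                       keys: [{ key: "LEDGER_KEY", weight: 1 }], accounts: [] },
};

// Check 1: the declared permission must be the minimum permission itself
// or one of its ancestors in the parent chain.
function declaredSatisfiesMinimum(declared, minimum) {
  for (let p = minimum; p !== null; p = permissions[p].parent) {
    if (p === declared) return true;
  }
  return false;
}

// Check 2: the provided keys must reach the threshold of the declared
// permission; an account@permission entry counts if it is satisfied itself.
// maxDepth bounds the recursion (assumed value) and stops delegation cycles.
function keysSatisfy(permission, providedKeys, depth = 0, maxDepth = 6) {
  const auth = permissions[permission];
  if (!auth || depth > maxDepth) return false;
  let weight = 0;
  for (const k of auth.keys) {
    if (providedKeys.includes(k.key)) weight += k.weight;
  }
  for (const a of auth.accounts) {
    if (keysSatisfy(a.permission, providedKeys, depth + 1, maxDepth)) weight += a.weight;
  }
  return weight >= auth.threshold;
}

// Runs both checks in order and reports which one fails, if any.
function authorize(declared, minimum, providedKeys) {
  if (!declaredSatisfiesMinimum(declared, minimum)) return "irrelevant authority";
  if (!keysSatisfy(declared, providedKeys)) return "unsatisfied authorization";
  return "ok";
}

console.log(authorize("account@signer1", "account@active", ["LEDGER_KEY"]));
console.log(authorize("account@active", "account@active", ["LEDGER_KEY"]));
```

In this model the same key fails when the transaction declares account@signer1 and passes when it declares account@active, which matches the two outcomes in the report.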
Member

aaroncox commented Jan 9, 2023

Hey - thanks for the report here. I haven't had a chance yet to reproduce the issue and check it out, but it's on my radar to check out. I'll leave this here until we get a chance to dive in and take a look at this.
