Obsidian Systems - Hardware Wallet Support in CKB-CLI and Additional Ledger Features

Project

We have been working on a Nervos application for the Ledger Nano S and Nano X devices. During our work we’ve identified some changes to CKB-CLI that would allow for the support of hardware wallets with on-device operation validation through plugins specific to each hardware wallet, including but not limited to Ledger devices (see CKB-CLI Issue #268). We’ve also found additional areas of improvement that build upon the work of our initial grant proposal. We intend to make these improvements through this grant proposal. When this is done the Nervos community can use the Ledger application with Nervos’ command line, integrations with additional hardware wallets will be easier, and valuable new features will be supported in the Nervos Ledger app.

Team

Obsidian Systems was founded in 2014 by Ali Abrar and Ryan Trinkle, who continue to serve as its managing partners today. It consists of approximately 39 software developers, quality assurance engineers, management professionals, and other staff.

Obsidian Systems designs and develops high quality software solutions to pressing business problems. Our experienced team has delivered mission-critical solutions to a variety of high-profile clients, including several Fortune 500 companies and national retail firms, and blockchains such as Tezos, Kadena, and Nervos. These solutions secure millions of dollars in cryptographic assets (Tezos Baking/Wallet Ledger applications), lower the technical barrier to participation in consensus (Kiln), and facilitate the development of smart contracts (Pact and Chainweaver).

Our solutions are currently used by thousands of employees and tens of thousands of consumers every day.

You can find us on Github, Gitlab, Medium, and Twitter.

Specification

All work to date has happened transparently in open source repositories for the Nervos Ledger App, CKB-CLI, and LedgerJS. This grant proposal builds upon that existing work in the following ways:

Hardware Support in CKB-CLI

Storage of Hardware wallet root public keys in CKB-CLI

CKB-CLI should store the root public key of hardware wallets in the client so it is able to compute the source and change address according to BIP44 specification. With our work thus far, the client can discover a connected hardware wallet using account-list, which returns an opaque device identifier:

CKB> account list

- "#": 0
account_source: ledger hardware wallet
ledger_id: 0x27fe5acb022cd7b8be0eb7009d42ff4600c597d28b6affefcab6f7396d1311c2

With that device identifier, keys could then be imported with an extension of account-new functionality:

CKB> account new --ledger <opaque-id> —account <num>

* `--ledger` passes ledger_id found using account list (shown above)
* `--account` (optional) defaults to the lowest value upon which it does not find a transaction history. This corresponds to m/44'/309'/ACCOUNT'/change/address_index.

Pass Hardware Wallets Unhashed Transaction and Context Data

The security model of hardware wallets relies on being able to verify all the contents of an operation on the device so the user can operate securely even when the client has been compromised. For this to work properly, the hardware wallet cannot securely sign pre-hashed data, as its contents are not verifiable.

We’ve started making these changes to the extent that it was necessary for development of the Ledger BOLOS application, but some items remain. Specifically:

  • All signing should happen through tx_helper’s functionality instead of directly via a SignerFn
  • Our work thus far on CKB-SDK should be made hardware wallet agnostic with the goal of supporting each hardware wallet through their own plugin. As it stands, it contains some is_ledger booleans throughout CKB-CLI which should be removed.

List Multiple Connected Ledger Devices

When calling the account list function shown above, the client will return the first ledger device it finds. We’ll improve upon this so all connected Ledger devices with the Nervos application open will be found by account list.

Shift Ledger Support to a Plugin

Once all the changes detailed above have been made in CKB-CLI, all relevant Ledger code will be well contained within the CKB-Ledger crate. This create should then be converted to a plugin. Once completed, CKB-CLI will continue to support signing with software wallets, agnostically support signing for hardware wallets, and a plugin for Ledger devices will be available.

Additional Features

We’ll make the following improvements to the Nervos Ledger application and LedgerJS:

Message Signing

Message signing allows an individual to prove ownership of an address without providing a signature which can be used maliciously. Nervos has an existing sign-message utility available in CKB-CLI which we’d extend to call the ledger device when given a Ledger address. We will also prepend message signing operations with a magic byte so they are easily discernible from other operation types and use this as our cue to show a verifiable prompt to the Ledger application which let’s the user know they are signing a message.

Multi-sig Lock Script Signing

The Ledger application can sign transactions and DAO operations when it is the only signature necessary for a given lock script. We will extend this to also support signing of multi-sig transactions from the Ledger device.

LedgerJS Maintenance and Improvements

While LedgerJS is feature complete in its support of Nervos, We’d like to keep it up to date with upstream LedgerJS (now on v5.13.1 as of this writing), ensure new features added to the Ledger application in this proposal are supported, and add refinements so it is more palatable for an upstream merge.

While we have submitted an upstream merge to LedgerJS, Ledger has this to say on the topic:

We invite all third party app developers to not send PR to this repository to provide more implementations but instead to maintain your own version in your own repository and we would be happy to reference them here :heart:.

Whether merged into upstream LedgerJS or maintained in our repository and referenced upstream, wallet providers and the community can expect no difference in their ability to use this library to communicate with the Nervos Ledger application.

Estimated Timeline

We estimate the implementation of this spec will take between 5 and 8 developer weeks.

There are four checkpoints we can use to track progress:

  1. Client Changes Complete Natively - We feel it is cleaner to be feature complete first, then address organization.
  2. Ledger Features Complete - This includes message signing and multisig lock script signing. Note that message signing will include adjustments in the client.
  3. Ledger-Specific code moved into the plugin - Once the client is feature complete and the corresponding Ledger development is done, it should be clear which sections of code should be moved into the plugin system and which should stay within the client.
  4. LedgerJS Maintenance and Improvements Complete - Once the new Ledger features are ready, we can support them in LedgerJS. Maintenance tasks to LedgerJS can be done in parallel with other checkpoints listed above.
3 Likes

Great work.

2 Likes

Is there any way to use it now? This is so critical for security… I understand timelines need to be extended, but is there anything that we can use? What was the biggest roadblock? Why do you need another grant to accomplish the same task, but with some extra goodies? This is a genuine question from a non tech person. The way I’m looking at this is the basic concept needs to be done so we can get our security. The first grant had a goal, I don’t see that goal accomplished. I don’t see why you’re asking for more funds if the original grants goal is not accomplished. It reminds me of those “free” websites that make you put all the info in and then ask for $19.99 to complete it. Here’s a fresh PR tip. NEVER put timelines. Especially if you arnt going to execute. Its sloppy. If I’m in the wrong here, sorry. But ive been waiting a month and now the timeline starts right back at day 1… another month. Only this time your credibility is 0, so It’s a worse situation. Is the next grant proposal going to be to code the loading animation for the app? We estimate the implementation of this spec will take between 5 and 7 developer weeks. This sentence right here makes me want to jump into a riptide with a backpack full of bricks. Guys, get it done… just get it done.

Disclaimer: this is passive aggressive, yes. But the questions are all still valid.

not very passive at all…

Timelines are required as part of the grant application process.

Response from the team (Telegram):

Hi - sure, I’m happy to chat. The ledger application is feature complete - you can do transfers, DAO operations, etc. Technically you can use it on mainnet following the instructions in our repo, however I don’t recommend it yet because upstream CKB-CLI doesn’t yet support it. Until that happens, it’s not clear if breaking changes may be necessary in either codebase and, since we’re dealing with where people store their assets, I prefer to be cautious.

We’ve talked to the team at Nervos about the right way to support Ledger and our app in ckb-cli (see https://github.com/nervosnetwork/ckb-cli/issues/268 (https://github.com/nervosnetwork/ckb-cli/issues/268) for most of the discussion). The work that resulted from that discussion is found in our second proposal

Thanks for pasting @mathoticus. Beyond that I just wanted to chime in that I’ve seen your message and appreciate your concerns. We’re happy to talk to the community throughout the development process and will continue to share updates as we have them, formal or informal.

I don’t have too much to say in addition to what he copied from Telegram, but I do recommend reading our last development update if you’d like more information - it addresses a lot of your questions.

Thats passive, I didnt swear. I wasn’t out of line. Mike responded and hes alright… His feelings arn’t hurt.

Okay, understood. I’m storing my CKB in a android wallet and everyday is uneasy because of this. Its like ordering a pizza and now its delayed by an hour. I can assume software is a female dog to deal with. Just dont put timelines anymore. Its software.

Why not use Neuron ?

Ive tried 2 different PC’s, Ive tried downloading the checkpoint, ive tried everything and I cannot connect to the network.

how will this work with the nervos dao? will i still be able to stake my tokens?

Definitely! The Ledger device will be able to sign all NervosDAO operations (deposit, prepare, withdraw) so you can safely stake using your hardware wallet.

So what’s the status of the project, has it been approved?

2 Likes

Seriously…?

1 Like

we’re one community and the way we speak to each other matters greatly, please keep this in mind when posting.

2 Likes

it’s pending

2 Likes

Check out the Ledger Hardware Wallet Demo by Mike from obsidian systems.

Using the Ledger Hardware wallet app to detect your ledger device, access addresses, make transfers, and all Nervos DAO operations! :rocket:

Video demo: youtu.be/OFgRwY_RVfw

Repo: https://github.com/obsidiansystems/ledger-app-nervos

2 Likes

This grant has been approved

2 Likes

Any update? I’m not very versed in github but it doesn’t look like anything really has been done for a couple of weeks in either of them

Work is underway and that should be apparent on the repos soon :slight_smile:

2 Likes

Any ETA from here?