Hello everyone on such a fine day :-) I've started working on integration with the very popular ledger nano s hardware wallet [1]. The project consists of a dedicated app for stellar [2] that will run on the device and a javascript library [3] for communicating with it -to be used by desktop wallet applications. This way I can focus purely on the device integration part and allow new and existing wallet applications to add support for the Ledger Nano S device. The project is still in the early stages, but the proof of concept is working: I've already activated my Ledger-based Stellar account with Lumens and successfully signed and approved a transaction by running a test script. The next step that will fulfil the minimal requirements for a usability is to show the transaction details on the device so that the user knows what she is signing. I'm hopeful that I can have that running in the next two weeks. A Stellar transaction can contain a lot of (different) operations and supports a rich set of information. My first focus will be on payments. Users will be able to send lumens and other stellar-based assets using their device. Support for other operations, multiple operations in a single transaction, hashed memo's, timebounds, etc. is more of a long term goal. I've been in contact with the Ledger team about donating the code to them. In order to load the app onto the device they use a device manager application. They have confirmed that they accept code donations and that after review and approval will be able to add the app to their manager. https://www.ledgerwallet.com/products/ledger-nano-s https://github.com/lenondupe/ledger-app-stellar https://github.com/lenondupe/stellar-ledger-api Let me know what you think and have a nice day!

@dupe This is great. As the primary developer behind lupoex.com, I would say that we would love to integrate ledger Nano S. The only thing we really need is the ability to sign a transaction similar to this: https://www.stellar.org/developers/js-stellar-base/reference/building-transactions.html As part of your javascript library, I would suggest implementing a function sign(transaction) that takes a transaction of type https://stellar.github.io/js-stellar-sdk/Transaction.html and returns the signed transaction.

Hi! What you are describing is exactly my intention. I am basing the library on Ledger's node js api [1]. The name is a little bit misleading because the library can also be used in supported browsers. The calls will be asynchronous calls that you can pass a callback function. Leaving out some details it basically comes down to: var stlr = ledger.stlr(); var transaction = buildTransaction(); stlr.signTransaction(transaction, function(signedTransaction) { sendTransaction(signedTransaction); }); https://github.com/LedgerHQ/ledger-node-js-api/

Please take the transaction hash as a parameter instead of the transaction, so you can support networks without using the global Network object-hack. And please return the signature, so it works with multi-sig transactions.

Signing arbitrary messages would also be nice, not sure if Ledger supports that. (I'm hashing the messages twice so you can't phish people into signing TXs)

dzham For security reasons I'm afraid it is not possible to take the hash as input for signing a transaction. Remember the purpose of these devices is to be 100% tamperproof. That means the user must be certain of what it is they are signing. So the device needs the actual signature base of the transaction that contains all the transaction details. This way it can show the details on the device for approval. The signature base is also the thing that is then hashed and signed resulting in the signature. If you could just send a hash and receive back the signature it would be easy for malicious code on the client to send a hash that corresponds to a different transaction than the on presented to the user on the client.

dzham Ledger supports signing and decrypting arbitrary messages. In fact, have a dedicated app with full support of the OpenPGP card specification for that. See https://github.com/LedgerHQ/blue-app-openpgp-card for details.

This is great, let me know if you need a tester!

dupe I know how signing works, I'm just telling you what I would need in terms of API, to easily integrate with what I have already. I display the tx for all transactions the user ever does, in the wallet (Stargazer)

dzham And I'm not suggesting you will write malicious code, but a computer can get infected or other wallet applications might ship with malicious code. For a hardware wallet, displaying the transaction on the client (stargazer in this case) is not enough, because a completely different transaction hash can easily be sent to the device for confirmation.This is why devices like this have a display. You can verify that what you are actually signing is what you intended when you entered the details on you computer (and it's really important that you do!). But I'm interested in the problem you see with sending the transaction and why you want to send the hash instead. You mentioned something about "networks without using the global Network object-hack". I'm not familiar with this problem. Can you expand on that?

zcc Thanks a lot! I will post a link with instructions once the code is far enough along. Are you a developer? It will be necessary to set up a development environment to compile and load the app onto the device and then to build the javascript library. My plan is also to ship a small browser-based demo with the javascript library so you don't have to edit and run scripts to test the app.

Ledger Nano S hardware wallet integration

istrau2

dupe Why restrict the "super safe" option to a single operation and why the payment operation specifically?

I may be misunderstanding but you say that 10kb is about 10 payment operations. If so, you can surely support a couple of arbitrary operations in the "super safe" method can't you?

Actually, why can't you relegate the restriction to the javascript library. In other words, the js library could parse the transaction as JSON (or some other human readable format) and check the size of the transaction before passing it on to the ledger. If the size is to big, it could just return an error to the caller. Otherwise, if the size passes inspection, it could pass it on to the ledger.

What happens if you pass too much data? Does the device crash?

dupe

istrau2 I've not tried to pass too much data. I suppose it would crash.

In my initial thinking I was set on displaying all transaction info without allowing simply sending a transaction hash. That would involve a substantial effort to display all the info. Now that I have to let go of that goal because it would mean arbitrary transactions would not be supported the payoff for the effort to display all the different types of transactions does not seem worthwhile anymore. In my mind it would only have been worthwhile if I thereby gained the extra security.

Actually I think it's a good thing. Looking at the ledger UI logic it seems it would have become too complicated to display all the different stuff, especially if you don't know in advance what will be in the transaction. That also means too much risk of things going wrong and possible endless source of bugs. It might become a nightmare to maintain.

The way I propose now also means much quicker availability. What I describe is mostly done, whereas otherwise I don't know how long it would take me.

Hope that makes sense.

dupe

More stuff done:

base32 encoding bug fixed
added keypair validation
xdr parser knows how to skip memos, parse custom assets for display, deal with operation-specific source account
added u2f browser support
lots of small stuff such as guarding against sending transactions that are too big and detecting more error conditions and displaying more user friendly feedback instead
javascript api tests can now be run in the browser (see README for details)
officially submitted app to ledger for review

To be done:
- create stellar dashboard display glyph icon
- more manual testing
- document javascript api usage

cheers

dzham

dupe

A bit unrelated to what you're doing, but maybe you know.

How do the Nano generate the priv keys for other cryptos? I just bought two of these, and I hate their guts already because they don't work with the system I have in place.

dupe

dzham All the crypto keys are generated using the bip32 hierarchically deterministic key derivation method.

You can read more about it here: http://ledger.readthedocs.io/en/latest/background/hd_keys.html

dzham

dupe

Gotcha! So you just define a coin type for Stellar, and that's it?

dupe

dzham Was already registered for Stellar: https://github.com/satoshilabs/slips/blob/master/slip-0044.md But now you made me think about something. The registration mentions Stellar Lumens specifically. But you probably want to use the same account for all Stellar-based assets I guess. At least that's been my assumption.

zcc

dupe But you probably want to use the same account for all Stellar-based assets I guess.

That was also my assumption.

NgocTri

Very nice app,thanks so much!

dupe

NgocTri You're welcome, I'm glad you like it. I'm still applying some finishing touches but it's now more or less done.

dzham

@dupe

Was able to compile the app, and load it, on MacOS.

Trying to communicate with the Nano gives me this though:

MacBook-Pro:stellar-ledger-api Johan$ npm run script testGetPublicKey

> sledger-api@1.0.0 script /Users/Johan/Code/vendor/stellar-ledger-api
> node test/runScript.js "testGetPublicKey"

running: testGetPublicKey
=>0101050000001ae002010115058000002c8000009480000000800000008000000000000000000000000000000000000000000000000000000000000000000000
<=bf00018d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Invalid channel;

Any idea?

dupe

dzham Might be related to Virtual box environment. It is a known issue. The virtual environment locks out the USB port on the host machine. I'm guessing you are trying to run the scripts from the Mac OS host environment after you loaded the app from the virtual box environment. If you want to do that you have to halt the virtual box environment again: 'vagrant halt'. And you may or may not have to reconnect the device. What I did for developing is install nodejs in the virtual environment as well and run the scripts from there.

Alternatively you have enabled browser support in the device. I think you can only use either u2f ('browser support') or node-hid at the same time. In that case, you need to disable browser support again to run the node js scripts.

HTH

dzham

dupe Alternatively you have enabled browser support in the device. I think you can only use either u2f ('browser support') or node-hid at the same time. In that case, you need to disable browser support again to run the node js scripts.

That was it, thanks!

publicKey: GAVTL6QDYNTCMAJP2PDRECXINBI4PPZNXXX37CIEZPOCE2KNVMQFIUFM

umbrel

Oh, I guess I need to order ledger now ? Do you know if Ledger Blue worth it and coming any time soon?

zcc

umbrel Ledger says the Blues are shipping at the end of November.

In Trezor news, today I was able to generate a public key and sign a transaction with my custom firmware that implements a generic ED25519 signing method. My next step is to put together a PR so it can hopefully make it into the official firmware!

dupe

umbrel I don't have a blue and so it is not supported yet by the app. But I plan on buying one and adding support for it next.

zcc

@dupe Do you have the javascript API you're working on available anywhere? I'd like to coordinate on this so that we can come up with a consistent API for "external" signing done by hardware devices.

I think in an ideal world there would be a single library that website and wallet developers could use that would detect whether the user had a Ledger, Trezor, or something else and gave them a consistent interface to access it.

dupe

zcc It's here: https://github.com/lenondupe/stellar-ledger-api

There is a section in the README that shows the API usage.

I'm hooking into the Ledger Node JS API: https://github.com/LedgerHQ/ledger-node-js-api/ . Which is actually exposed in the form of the comm object (two versions, one using node-hid for node js and one using u2f for in the browser). If we want to make that transparent to the user and expose a single api we would need to provide something like that.

Good idea to have a common interface for the hardware wallets. I imagine there will be some more in the future.

zcc

dupe Great, thank you! I've also submitted a proposal for how to handle BIP32 paths so we can make sure those are consistent as well. I'd like your feedback: https://github.com/stellar/stellar-protocol/issues/61

dupe

Hello everyone on another fine day :-)

Good news! The Stellar app is now available from the Ledger Store! Here's a quick tutorial to get you started.

Install the app on the Nano S using the Ledger Manager [1].
Open the Stellar App and go to Settings > Browser support to enable Browser support.
Using Chrome or Opera go to https://www.stellar.org/account-viewer/#!/
If you have the Stellar app open and browser support enabled you should be able to click the 'Sign in with Ledger' button. This will sign you in with your default Ledger-based account.
As this is a brand new account it and not yet funded, send some Lumens to the new address to activate the account and try it out.
When you make a payment or other operation on the Stellar network the device prompts you to confirm the transaction. In the case of a payment it will automatically loop through the following information: type of operation, qualified amount, destination address, memo, transaction fee, network (Test, Public, or Unknown). Press the buttons to confirm or cancel the transaction.

Some notes about wallet support.

At this early stage the only Stellar wallet that has support for the Ledger is the Stellar account viewer. But expect more wallets to add support soon. For instance I've sent in a patch for Stellarterm [2] that adds Ledger support. If it gets accepted you will be able store and send any Stellar-based token with the Ledger, add trust lines, and make trades on the decentralised exchange from your Ledger-based account directly using Stellarterm. The device will prompt you with details to confirm all those different operations. The developer of Stargazer is also adding Ledger support.

Note about some limitations.

The app can sign all the Stellar transaction types. However, for some types of transactions, details cannot be shown. Currently details are shown for the following operations: create account, payment, manager offer (create offer, change offer, delete offer), and change trust (add trust, remove trust). Also no details are available when signing transactions that contain more than one operation (Stellar allows for 100 operations per transaction).

Browser support.

Communication with the browser occurs over u2f. You need a u2f enabled browser to use web-based wallets with Ledger support. Currently only Chrome and Opera support u2f. Firefox v57 which will be out shortly also adds u2f support.

In the future when more wallets add support for Ledger and you want to use multiple wallets, you need to turn browser support on and off if you want to switch between a web-based wallet and a desktop wallet.

Multiple Ledger-based accounts.

When you open the Stellar account viewer you will see a checkbox with the label 'Use default account'. Many users will only need the default account but you actually have an almost infinite number of accounts at your disposal. Unchecking the checkbox will reveal an input field where you can enter the path to an alternative account. Valid values are of the form 44'/148'/n' where n is the account index. The default account is located at 44'/148'/0', your next account is 44'/148'/1', etc.

A note about security.

The Ledger is designed to be tamper-proof. Secret keys cannot leave the device. Transactions for your account can only be signed on the device. However, it has no control over what transactions it is sent. This is why it is important to check the details of the transaction on the device before approving it. Since not all Stellar transactions can be shown on the Nano, some advanced usages require that you trust the host that sent the transaction. For all other types of transactions the rule is that if you are not presented with the transaction details then it is probably wise not to approve it.

Acknowledgments

Although most of the work on this app was done by me I'd like to thank Bartek for his support with code reviews and improvement suggestions both for the app and the account-viewer. zcc was also very helpful for initiating the discussion on bip32 account paths. Ledger team has an amazing support channel that is very responsive and it's great that they put in the effort to accept code donations even during busy times.

bkolobara

dupe Awesome work!! ?

It's great to see a project going from idea to quality result in such a short time. Especially the integration with Account viewer is wow!

« Previous Page Next Page »