Signer v1.3.0
There were three primary focuses for this release:
Security Enhancements 🔒
- Strong password enforcement - based on OWASP guidelines.
- The Signer will now automatically lock after an idle timeout (currently 60s).
- Your vault password will be required before deleting an account.
- The secret key field has been removed from the Create Account screen to prevent users copying or storing the raw base64 key.
- The Signer will lock out for 5 minutes after five failed attempts to unlock it.
- Improved Reset Vault prompt to ensure users understand the consequences.
- Account names will be restricted to A-Z, a-z, 0-9, and _ (incl. accented characters). Pre-existing names that don't abide by the constraints won't be changed. Constraints will be enforced when names (including legacy accounts) are edited.
- File formats are verified before importing Secret key files. Users can upload .pem or .cer formats. .cer is being supported as some macOS versions convert the key files (from .pem to .cer) from the Signer during the download process.
- When a site requests to connect, the URL will now be displayed within the confirmation prompt.
The Event Bus 🚌
To provide context: Currently, client sites are required to poll the Signer's state to update their site dynamically.
We have now implemented an Event Bus that emits events to which client sites can listen; this should improve the developer experience when integrating. Monitoring the Signer would also be a more efficient and more straightforward process.
For example, here is a full list of the available events and how to listen for them.
Events
connected
disconnected
tabUpdated
activeKeyChanged
locked
unlocked
// The syntax for each event is "signer:<event>" e.g.
window.addEventListener('signer:connected', msg => {
  console.log(msg);
});
// msg has the following structure:
// msg: {
//   detail: {
//     isConnected: boolean;
//     isUnlocked: boolean;
//     activeKey: string;
//   };
// }
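A client site can replace its polling loop by subscribing to all six events and keeping the last reported state. The sketch below is an added example, not code from the Signer project; `trackSigner`, `parseDetail` and `updateUi` are hypothetical names, and the event target is passed in as a parameter so the code also runs outside a browser. The payload is checked against the documented shape before use, since any script on the page can dispatch an event with the same name.

```javascript
// Added example, not Signer project code. Event names and the detail fields
// come from the release notes; trackSigner and parseDetail are hypothetical.
const SIGNER_EVENTS = ['connected', 'disconnected', 'tabUpdated',
  'activeKeyChanged', 'locked', 'unlocked'];

// Return a clean copy of the payload, or null if it does not match the
// documented shape. Any script on the page can dispatch an event with the
// same name, so the payload is checked before it is used.
function parseDetail(detail) {
  if (detail === null || typeof detail !== 'object') return null;
  const { isConnected, isUnlocked } = detail;
  // Assumption: a missing activeKey (e.g. no account selected) becomes ''.
  const activeKey = detail.activeKey == null ? '' : detail.activeKey;
  if (typeof isConnected !== 'boolean') return null;
  if (typeof isUnlocked !== 'boolean') return null;
  if (typeof activeKey !== 'string') return null;
  return { isConnected, isUnlocked, activeKey };
}

// Subscribe to every Signer event on `target` (window in a real page) and
// keep the latest state, replacing a polling loop.
function trackSigner(target, onChange) {
  let state = { isConnected: false, isUnlocked: false, activeKey: '' };
  const handler = (msg) => {
    const next = parseDetail(msg.detail);
    if (next === null) return; // malformed: keep the last known state
    const changed = Object.keys(next).filter((k) => next[k] !== state[k]);
    state = next;
    onChange(msg.type.slice('signer:'.length), { ...state }, changed);
  };
  for (const name of SIGNER_EVENTS) {
    target.addEventListener(`signer:${name}`, handler);
  }
  return {
    getState: () => ({ ...state }),
    stop() {
      for (const name of SIGNER_EVENTS) {
        target.removeEventListener(`signer:${name}`, handler);
      }
    },
  };
}

// Browser usage (updateUi is a hypothetical render function):
//   const signer = trackSigner(window, (event, state) => updateUi(state));
```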
Extended Support for Stored Contract Deploys 📑
There is now the functionality to display the runtime arguments and entry point for stored contract calls.
This support doesn't yet cover more complex types like tuple or list. These will be displayed but not in a human-readable manner - e.g. [Object,...,Object]
Integration with CasperHolders.io 🎉
CasperHolders provides a user-friendly interface to interact with the Casper network - developed by a community member; @KillianH. His site has now been approved for use with the Signer - congrats Killian, we're excited to see your project thrive!
Minor Changes 🔍
- The connection toggle will only be enabled for integrated sites i.e., those included in the manifest.json. Any non-integrated sites (saved from prior versions) will be removed from the 'Connected Sites' list.
- The signing screen has been updated - Gas Price has been removed, Body Hash added and labels made more user-friendly.
Bug Fixes 🐜
Description | GitHub Issue |
---|---|
On initial install the user would be presented with the Unlock screen as if there was an existing vault. Users now get the Create Vault page as expected. | #104 |
Active Account resets to the most recently added after locking. It now persists between sessions | #120 |
Viewing account details would set it as the Active Account. Viewing no longer changes account | #119 |
Known Issues 🔴
Listed below are the issues we are currently tracking for the Signer. Please check out the GitHub issues page for the Signer repo to see more details.
We are continuously looking to improve, and community feedback in the form of Bug Reports and Feature Requests is always welcome to aid with this.
Description | GitHub Issue |
---|---|
The Signer goes blank (instead of showing the Unlock screen) after the idle-timeout from some pages. | #112 |
Longer account names overlap the icons on the Account Management page. | #88 |
Some pages require mouse clicks where they used to be submittable by typing Return / Enter | #116 |
The same ed25519 key can be uploaded twice. | #79 |
In some instances, multiple Signer windows will be open i.e. if you click Import twice. | #76 |
The Signer errors when trying to sign deploys on cspr.live whilst the Keplr extension is installed and active. | #132 |