Topic: How to securely sign and publish Bitcoin transaction (using Bitcore JS library)? (Read 187 times)

legendary
Activity: 3038
Merit: 2162
It's generally a bad practice to have crypto keys in your source code, because oftentimes developers forget about them and then accidentally expose them by committing their code on GitHub or sharing it through other means. The solution is environment variables; there are plenty of guides on how to use them for JavaScript developers, like this one: https://www.twilio.com/blog/2017/08/working-with-environment-variables-in-node-js.html

Is this a secure way to sign and publish a transaction or can the node intercept the private key?

What do you mean "intercept private key"? In that example the key is in the code, so your node process obviously knows it. If you are working on the backend, then your whole codebase should be perfect and you need to always check the news for potential zero-day vulnerabilities; it's often enough to have just one vulnerability to give attackers full access to your servers and steal everything from hot wallets. This is why Bitcoin services keep most of their funds in cold wallets.
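The environment-variable approach from the reply above, as an added example that is not part of the original posts: it reads a WIF-encoded key from the environment, checks the Base58Check checksum and the network byte (the question broadcasts on testnet), and fails without ever echoing the key. The variable name `BTC_PRIVATE_KEY_WIF` and the function names are assumptions; the validation goes beyond what the thread discusses.

```javascript
// Added example: load a WIF private key from the environment and validate it
// before signing. BTC_PRIVATE_KEY_WIF is an assumed variable name.
const { createHash } = require('crypto');

const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const WIF_VERSION = { livenet: 0x80, testnet: 0xef };

const sha256d = (buf) =>
  createHash('sha256').update(createHash('sha256').update(buf).digest()).digest();

// Base58 -> bytes; each leading '1' stands for one leading zero byte.
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const v = B58.indexOf(ch);
    if (v < 0) throw new Error('key is not valid Base58');
    n = n * 58n + BigInt(v);
  }
  let hex = n === 0n ? '' : n.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const zeros = str.length - str.replace(/^1+/, '').length;
  return Buffer.concat([Buffer.alloc(zeros), Buffer.from(hex, 'hex')]);
}

// Returns the WIF string if it is well formed for `network`; throws otherwise.
// Error messages never contain key material, so they are safe to log.
function loadSigningKey(env, network) {
  const wif = (env.BTC_PRIVATE_KEY_WIF || '').trim();
  if (!wif) throw new Error('BTC_PRIVATE_KEY_WIF is not set');
  const raw = base58Decode(wif);
  // Layout: version(1) + key(32) [+ 0x01 compressed flag] + checksum(4)
  if (raw.length !== 37 && raw.length !== 38) throw new Error('key has wrong length');
  const body = raw.subarray(0, raw.length - 4);
  if (!sha256d(body).subarray(0, 4).equals(raw.subarray(raw.length - 4))) {
    throw new Error('key checksum mismatch');
  }
  if (body[0] !== WIF_VERSION[network]) {
    throw new Error('key is not a ' + network + ' key');
  }
  if (body.length === 34 && body[33] !== 0x01) throw new Error('bad compression flag');
  return wif;
}
```

The returned string would be passed to `transaction.sign()` in place of the literal in the question, e.g. `loadSigningKey(process.env, 'testnet')`. This keeps the key out of the repository; the running process still holds it, which is the point the reply makes about hot wallets.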
member
Activity: 183
Merit: 25
Is this a secure way to sign and publish a transaction or can the node intercept the private key?

Code:
var bitcore = require('bitcore');

let privateKey = "11111111111111111111111111";
let address = "1aaaaaaaaaaaaaaaaaaaa";
let amount = 100;

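// creates transaction
var transaction = new bitcore.Transaction();
// from() must be given the unspent output(s) being spent; the post leaves them out
transaction.from().to(address, amount);
// signs locally inside this process; the key itself is never sent to the explorer
transaction.sign(privateKey);
transaction.serialize();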

//Bitpay's tools
var Insight = require('bitcore-explorers').Insight;
var insight = new Insight('testnet');

//broadcasts transaction using bitpay's server
insight.broadcast(transaction, function (err, id) {
    if (err) {
      console.log(err);
    } else {
      console.log("Transaction Id: " + id);
    }
});
