Topic: Question about sign message. (Read 424 times)

Thanks for doing that, but looks like it won't verify signed messages from BIP49 addresses. I have tested the original site and worked when I signed a message with my Trezor. I'll play a little more with your copy of the kenkarlo, maybe I did something wrong.

Hey, you're in luck. Internet Archive had a snapshot of that site here. But don't use that, because it's not working properly. Instead I found the website's github project, since it was hosted on Github Pages. The owner tried to wipe the repository but Git saves all commits ever made, so I cloned it to my server and reverted to the previous commit (this one). Then I served a copy of it using nginx, with a Let's Encrypt certificate on my domain. The end result is that it's now available at https://brainwallet.notatether.com/. Enjoy!

Edit: Looks like I cloned brainwallet repository instead of the site you used, but kenkarlo's site was using BrainwalletX repo instead https://github.com/brainwalletX/brainwalletX.github.io. I can host that as well. That's not the correct one, but I managed to somewhat restore the archived site at my other domain, https://walletx.notatether.com/. See if that one is what you're looking for.

I use Mycelium on the phone, most of the messages that are not possible to be verified with brainwalled (and all the variations of it) I manage to verify with mycelium, So if you need to do a quick check, i can suggest you try it. Not BIP49 unfortunately.
No need to use it as a wallet, I even didn't backup the private keys, I'm simply using it as tool to verify messages.

There was a tool before : https://kenkarlo.com/bitcoin/verify-signed-message where you could verify the BIP49 messages ( I have Trezor and it's a pain) but seems like it's down now If anyone knows a working replacemet of it please let me know.

I am not a tech guy. So I both addresses wasn't compressed by me. I just signed a message and had trying to verify via Brainwallet. Then I discover the message isn't verifying from the same nested address that I signed in, rather than it was verified from a Legacy address that wasn't actually listed in my wallet. Perhaps there is a way how Brainwallet detects address.

Because the same public key can generate a legacy address, a nested segwit address, and a native segwit address. And he isn't signing a message with an address - he is signing it with the private key.

If 1 private key can create only 1 public key then how is @coolcryptovator able to sign the message with the nested segwit address and also able to verify it with the derived legacy address ?


Could you please let us know if the nested segwit address and the derived legacy address are both compressed or is either of them uncompressed?


Let's assume the private key has derived two different addresses (different representation of pubkey scripts as you say).
One has the Unspent outputs while the other doesn't. How can we use the second address to spend the funds from the first address ?
If it's possible I wonder how the block explorer will display the inputs in the given transaction.

Thanks for this great info  

That's exactly where I am confused. Can someone please explain what's the difference between the below two statements ?

Actually 1 private key creates 1 public key (point) and that point can be represented in 3 different ways: compressed, uncompressed and hybrid. if you has each representation you will get a different hash hence a different address and all are valid but some are non-standard.

you areoverthinking it. different addresses are no more than different representation of pubkey scripts. as long as your wallet application is capable of performing hash on your public key and knows how to spend certain scripts (eg. P2WPKH script) you can spend from any of the "addresses" created from your private key.

I have tried to sign a message from Nested SegWit address starting with '3', and there are fund and transaction history as well. But the derived Legacy address from the same private key was with ZERO balance, and there was no transaction history. Means you can only spend unspent transaction from your address and there is no chance of losing your funds from other address. How can you spend if you don't have any input in the address?

Just when I was reading Pooya's post I was imagining how would it be if I would create  an online verifier and use an algorithm to verify signed messages through segwit addresses.
But then to derive a legacy address we would need the private key so that method won't work. I guess as Pooya said changing the "first byte of the message which is called a recovery ID" might help us execute this thing. I am already so excited I guess I would definitely give it a try.

I thought of the exact same thing but then I guessed that it doesn't make any sense if the exact same balance is available on all the derived addresses.
So it would most probably be on one of the derived address i.e. each address will have a separate balance as if a different address but a common private key.

There is nothing stopping someone from coding the Electrum message verification as an online tool and using that to verify Electrum signatures. It remains a theoretical possibility though.

---

Another question though, if you can derive multiple address types from the same private key, would it cause a loss of funds if you try to spend from a derived address that doesn’t have your inputs? Or would those derived addresses have a zero balance attached to them, as if they were completely different addresses?

here is the thing, as long as you can sign a transaction from any address you should also be able to sign a message from that address. even if it is an address with multiple signers (a P2SH with multi-sig redeem script). simply because the signing process (apart from the hashing step) is exactly the same.
however, the problem is that so far nobody has come up with any complete standard for message signing. BIP-322 comes close but it has some issues and most importantly it is not adopted by anyone yet.

that is because Electrum (and some others) did a tiny modification to BIP-137 (the usual way of signing messages) to extend it for the new address formats introduced in 2017 but others (specifically online tools) did no such thing. so they don't recognize that tiny change. tiny because it just changes the first byte of the message which is called a recovery ID! the rest is exactly the same.
BIP-137 was actually updated later on with the modification.

in ECDSA if you know the signature (r and s or the base64 you provide) and the message that was signed and produced that signature you can recover up to 4 (since we are using secp256k1, the number is different for other curves) possible public keys that belonged to the private key that were used in signing process.
in transaction verification, we already include the public key so there is no need for recovery so there won't be "checking multiple pubkeys" step. but in message verification, since we don't include the pubkey it has to be recovered. during recovery we use the first byte that helps us know which pubkey to use. for example if the first byte is 27 we know the address type is P2PKH and the uncompressed public key was used. it also tells us which one of those 4 pubkeys to use.

what brainwallet does is that whenever you don't provide any address or if it can't recognize the address or if something goes wrong, it simply recovers a pubkey, computes its address and shows that address. which for the sake of correctness whenever it didn't recognize the address or the recid it should show all the addresses of all pubkeys recovered not just one.

Thanks, everyone for your contribution to this thread. I have got my answer. That means the random address belongs to my private key which has been used to sign a message. There wasn't any major issue or problems. But I was just curious to know the address which has been showing on brain wallet that belongs to whom.

Hope I will try to derive the address to check it practically. Of course not from Ledger. Perhaps I will use some random new private keys.

I will keep this thread open, so others would know about it and contribute to the discussion.

Actually, it depends on which script type you choose. You can quite happily generate any type of address at any derivation path. Electrum will let you generate native segwit at m/44'/0'/0', for example.

Electrum generates the necessary code, and simply passes it to the Ledger to be signed, same as it would do for a transaction.

Any up to date version of Electrum would be able to verify it. No hardware wallet needed.

A single private key can generate native segwit, nested segwit and legacy addresses. It all depends on the derivation path you choose on your Electrum wallet. And it's not strange that legacy address shown isn't familiar to OP; there are too many to know them all. Even your current wallet doesn't show all the possible addresses; and unless you have some different range or settings, you will never see them all.

---

---

This thread has made me think, however. In this case, is the signature created by electrum or ledger? AFAIK the private keys never leave the HW, and thus, the signature is created there. But if it's created on the device; would you be able to verify it on Electrum, or only on Electrum with a HW device connected? Or should that HW be a Ledger one? Or could it be verified from any Electrum with no HW attached?

Your private key generates one public key. The public key can generate multiple addresses in multiple formats.

He does. There is only one private key between the address he wants to sign the message and the one showing up on Brainwallet. He just thinks he doesn't, because the address is different than the one he sees.

Not sure what OP's problem is exactly (or rather the solution to his problem!), but yeah. actually, you just need the public key which you can encode in a legacy vs segwit format.

How this can be made? If i well understood you, the pk for a segwit address can generate also a legacy address? Right?
OP said that he hasn't access to its private key so litterally it doesn't belong to him. I am not a ledger user but really interested to understand things clearly.

The legacy address showing up is another address which can be derived from your same private key. The reason it's so hard to sign and verify messages with a Segwit address is that there is no standard all wallets use.

There was a discussion about a workaround you can use here: How to verify SegWit signature with Brainwallet ?

Apologies for the noob question . I am not a tech guy. As far as I know, we can't sign a message from SegWit address. Even we can sign its verifiable only on the same platform. For example, if sign messages from Electrum, then it's only verifiable from Electrum. We can't verify it online.

Now the question is, I had signed a message from my Ledger SegWit address via Electrum. It was verified on Electrum only. When I had been tried to verify from the Brain wallet, it wasn't verified. No matter signature wasn't verified from the same address I had used for sign message. The concern is that the signature verified from some other Legacy address that doesn't belong to my wallet. There is a random address that I am not familiar with. Even I have searched it on my Legacy address list belong to the same wallet (Ledger). I have used Electrum to create a Legacy address on the Ledger device.

So that random Legacy address belongs to whom? Since I don't have access to its private key, then how its verifiable to the  Brain wallet?