Skip to content

Add ADR-36 Signature Support and Dual-Mode Index Verification for JS SDK Compatibility#231

Merged
mateeullahmalik merged 1 commit intomasterfrom
add_ADR-36_Signature_support
Nov 16, 2025
Merged

Add ADR-36 Signature Support and Dual-Mode Index Verification for JS SDK Compatibility#231
mateeullahmalik merged 1 commit intomasterfrom
add_ADR-36_Signature_support

Conversation

@mateeullahmalik
Copy link
Collaborator

@mateeullahmalik mateeullahmalik commented Nov 16, 2025

PR Summary

This PR introduces full ADR-36 signature compatibility and JS SDK alignment for Cascade uploads, while preserving backward compatibility with all existing Go-based clients and legacy signatures.

Why

The JS SDK signs Cascade metadata (layout + index) using ADR-36 envelopes, while the existing Supernode verification logic expected raw secp256k1 signatures over base64-encoded payloads.
This mismatch caused Supernode to reject uploads initiated from the JS SDK with:

signature or index validation failed: signature verification failed

The issue affected:

  • Cascade index signature verification
  • Start-cascade auth signatures (in some flows)
  • Layout signature verification consistency across clients

What’s Changed

1. Add ADR-36 verification support in index signature validation

VerifyIndex() now attempts two verification modes:

  1. Legacy mode

    • Message = indexB64
    • Signature = raw or ADR-36

  2. JS-SDK mode

    • Message = canonical JSON index bytes (base64(indexJSON))
    • Signature = raw or ADR-36 (JS SDK uses ADR-36)

This makes the verification layer fully backward compatible while enabling JS SDK signatures.

2. Introduce unified ADR-36 verification path

All verification paths now go through VerifyStringRawOrADR36, allowing:

  • Raw secp256k1 signatures
  • ADR-36 amino sign docs
  • Base64 or raw message sources

This standardizes verification across:

  • Layout signatures
  • Index signatures
  • Upload-auth signatures
  • Download-auth signatures

3. No breaking changes

  • Existing sn-api-server signatures continue to verify normally
  • Existing Cascades remain readable and valid
  • No metadata format changes
  • No changes to on-chain Action metadata
  • SDK and tooling remain compatible

🔧 Highlights

  • Added ADR-36-aware signer helpers
  • Added dual-message verification for index signatures
  • Added better error surfaces for signature validation
  • Cleaned and hardened validator paths for Cascade metadata
  • Improved logging for signature verification failures

Result

With these changes:

  • All JS SDK generated signatures are now accepted by the Supernode
  • sn-api-server and Go SDK signatures continue to function without modification
  • The system can gradually migrate toward the ADR-36 scheme without disruption
  • We have a unified and future-proof signature model across Go and JS ecosystems

Testing

  • Uploaded Cascades using JS SDK → PASS
  • Uploaded Cascades using sn-api-server → PASS
  • Mixed-layout and mixed-signature scenarios → PASS
  • Legacy raw signatures → PASS
  • ADR-36 doc signature replay detection → PASS

@mateeullahmalik mateeullahmalik force-pushed the add_ADR-36_Signature_support branch from 2968056 to d457dd5 Compare November 16, 2025 12:29
@mateeullahmalik mateeullahmalik merged commit b84ceee into master Nov 16, 2025
6 of 7 checks passed
@mateeullahmalik mateeullahmalik deleted the add_ADR-36_Signature_support branch December 15, 2025 08:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@j-rafique j-rafique j-rafique approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mateeullahmalik @j-rafique