Skip to content

Add risk warning and decoding to message signing#63

Open
Jim8y wants to merge 6 commits into
neoorder:masterfrom
Jim8y:codex/sign-message-risk-warning
Open

Add risk warning and decoding to message signing#63
Jim8y wants to merge 6 commits into
neoorder:masterfrom
Jim8y:codex/sign-message-risk-warning

Conversation

@Jim8y

@Jim8y Jim8y commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

What

SignMessagePopup showed only the raw message payload (often hex/base64) with no risk framing — classic blind-signing. This adds:

  • A prominent risk warning banner ('only sign messages from sites you trust; never sign an unexpected/unreadable request').
  • A best-effort decode that surfaces the human-readable message when the payload is hex or base64 encoded, shown below the raw value.

Notes

  • Conflict-checked: SignMessagePopup is touched by no open PR (Add transaction preview v2 #50's transaction-preview work is on SendTransactionPopup, a different popup).
  • Builds clean for net10.0-android (0 errors).

SignMessagePopup showed only the raw (often hex/base64) payload with no framing,
so users blind-signed opaque blobs. Add a prominent risk warning and a best-effort
decode that surfaces the human-readable message when the payload is hex/base64.
Builds for net10.0-android (0 errors).
Copilot AI review requested due to automatic review settings June 21, 2026 12:24

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds user-facing anti–blind-signing context to the message signing flow by introducing a prominent risk warning and a best-effort “decoded” view of message payloads (hex/base64) in SignMessagePopup, plus new localized strings to support the UI.

Changes:

  • Add localized strings for a sign-message risk warning and a decoded-message label.
  • Update SignMessagePopup UI to show a warning banner and (when available) a decoded message section.
  • Add best-effort decoding logic in SignMessagePopup.xaml.cs to surface human-readable content.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
OneGateApp/Properties/Strings.resx Adds new base (English) resource strings for decoded message and risk warning.
OneGateApp/Properties/Strings.zh-Hans.resx Adds Simplified Chinese translations for the new strings.
OneGateApp/Properties/Strings.zh-Hant.resx Adds Traditional Chinese translations for the new strings.
OneGateApp/Properties/Strings.Designer.cs Exposes the new resource keys via strongly-typed properties.
OneGateApp/Controls/Popups/SignMessagePopup.xaml Adds the warning banner and conditional decoded-message UI section.
OneGateApp/Controls/Popups/SignMessagePopup.xaml.cs Implements best-effort decoding and binds it into the popup view model.
Files not reviewed (1)
  • OneGateApp/Properties/Strings.Designer.cs: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread OneGateApp/Controls/Popups/SignMessagePopup.xaml.cs
Comment thread OneGateApp/Controls/Popups/SignMessagePopup.xaml.cs Outdated
Comment thread OneGateApp/Controls/Popups/SignMessagePopup.xaml.cs Outdated
Comment thread OneGateApp/Properties/Strings.resx
@Jim8y

Jim8y commented Jun 21, 2026

Copy link
Copy Markdown
Contributor Author

Handled the open #63 review threads.

Changes:

  • Cached ReadableMessage when Message or IsBase64Encoded changes, so XAML bindings no longer repeatedly parse/allocate.
  • Passed options.IsBase64Encoded from LaunchDAppPage.SignMessage() into the popup.
  • Removed heuristic hex decoding from the signing popup. The readable preview now appears only when the actual signed payload is base64-decoded by the signing path, avoiding a misleading preview for raw UTF-8 or hex-looking strings.
  • Added a 16 KiB preview input guard and only catch expected decode exceptions (FormatException / ArgumentException).
  • Added DecodedMessage and SignMessageRiskWarning to all locale resource files; resource parity is now 15 files / 285 keys.
  • Merged current origin/master into the branch with no conflicts.

Validation:

  • git diff --check
  • Conflict scan with rg -n "<<<<<<<|=======|>>>>>>>" OneGateApp
  • Resource parity checked: 15 resource files, 285 keys
  • iOS simulator build/install/launch verified, then Wallet -> Send UI verified
  • Android emulator build/install/launch verified, then Wallet -> Send UI verified
  • Android crash buffer remained empty after launch and navigation

Note:

  • I did not submit a real dApp signature during simulator QA; the sign-message path is covered by compile-time verification and the popup binding/resource changes, while the simulator smoke test confirms the final build starts and navigates cleanly on both platforms.

Screenshots:

…risk-warning

# Conflicts:
#	OneGateApp/Controls/Popups/SignMessagePopup.xaml
@Jim8y

Jim8y commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Base refresh / conflict-resolution update.

Changes pushed to codex/sign-message-risk-warning:

  • Merged current origin/master into the PR branch.
  • Resolved the only manual conflict in OneGateApp/Controls/Popups/SignMessagePopup.xaml.
  • Kept this PR's sign-message risk warning and decoded-message section, while preserving the current master bottom-divider/button layout.

Validation:

  • git diff --check passed.
  • Android build passed: dotnet build OneGateApp/OneGateApp.csproj -f net10.0-android -r android-arm64 -p:AndroidSdkDirectory=/opt/homebrew/share/android-commandlinetools -p:JavaSdkDirectory=/opt/homebrew/opt/openjdk@17/libexec/openjdk.jdk/Contents/Home -p:EmbedAssembliesIntoApk=true.
  • iOS simulator build passed: dotnet build OneGateApp/OneGateApp.csproj -f net10.0-ios -p:RuntimeIdentifier=iossimulator-arm64 -p:BuildIpa=false -p:EnableCodeSigning=true -p:CodesignKey=-.
  • Android emulator install/launch passed on emulator-5554; app reached Home and process stayed running.
  • iOS simulator install/launch passed on OneGate-PR51-iPhone17; app reached Home.

Screenshots are uploaded as GitHub release assets and are not committed to the repository:

Current PR state after push: mergeStateStatus=BLOCKED, reviewDecision=REVIEW_REQUIRED (the previous DIRTY conflict state is cleared).

Known existing warning during build: SQLitePCLRaw NU1903 advisory, unrelated to this merge refresh.

@erikzhang

Copy link
Copy Markdown
Contributor

Conflicts

…risk-warning

# Conflicts:
#	OneGateApp/Properties/Strings.de.resx
#	OneGateApp/Properties/Strings.es.resx
#	OneGateApp/Properties/Strings.fr.resx
#	OneGateApp/Properties/Strings.id.resx
#	OneGateApp/Properties/Strings.it.resx
#	OneGateApp/Properties/Strings.ja.resx
#	OneGateApp/Properties/Strings.ko.resx
#	OneGateApp/Properties/Strings.nl.resx
#	OneGateApp/Properties/Strings.pt-BR.resx
#	OneGateApp/Properties/Strings.ru.resx
#	OneGateApp/Properties/Strings.tr.resx
#	OneGateApp/Properties/Strings.vi.resx
#	OneGateApp/Properties/Strings.zh-Hant.resx
@Jim8y

Jim8y commented Jul 4, 2026

Copy link
Copy Markdown
Contributor Author

Resolved the conflict reported by Erik.

What changed in this follow-up:

  • Merged latest origin/master into this branch.
  • Resolved localized .resx conflicts by keeping this PR's DecodedMessage and SignMessageRiskWarning strings while preserving master's newer localized strings.

Validation on branch head 6e661aa:

  • No conflict markers remain.
  • Localized .resx key parity passed: 307 keys across 15 files.
  • git diff --check passed.
  • Android build passed: dotnet build OneGateApp/OneGateApp.csproj -f net10.0-android -r android-arm64 ....
  • iOS simulator build passed: dotnet restore ... -p:TargetFramework=net10.0-ios -r iossimulator-arm64 + dotnet build ... -f net10.0-ios -r iossimulator-arm64 --no-restore ....

Notes: builds still report existing SQLitePCLRaw NU1903 warnings and existing iOS duplicate asset warnings, with no errors.

@erikzhang

Copy link
Copy Markdown
Contributor

Conflicts

…risk-warning

# Conflicts:
#	OneGateApp/Properties/Strings.Designer.cs
#	OneGateApp/Properties/Strings.de.resx
#	OneGateApp/Properties/Strings.es.resx
#	OneGateApp/Properties/Strings.fr.resx
#	OneGateApp/Properties/Strings.id.resx
#	OneGateApp/Properties/Strings.it.resx
#	OneGateApp/Properties/Strings.ja.resx
#	OneGateApp/Properties/Strings.ko.resx
#	OneGateApp/Properties/Strings.nl.resx
#	OneGateApp/Properties/Strings.pt-BR.resx
#	OneGateApp/Properties/Strings.resx
#	OneGateApp/Properties/Strings.ru.resx
#	OneGateApp/Properties/Strings.tr.resx
#	OneGateApp/Properties/Strings.vi.resx
#	OneGateApp/Properties/Strings.zh-Hans.resx
#	OneGateApp/Properties/Strings.zh-Hant.resx
@Jim8y

Jim8y commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

Resolved latest master conflicts.

Changes pushed:

  • Re-merged latest master.
  • Preserved this PR's message-signing risk warning changes.
  • Carried forward latest master DApp report and transaction-failure baseline changes.
  • Resolved resource conflicts without dropping either side's strings.

Validation:

  • iOS simulator build passed: dotnet build -f net10.0-ios -r iossimulator-arm64 -p:EnableCodeSigning=false
  • Android build passed: dotnet build -f net10.0-android -r android-arm64 -p:EmbedAssembliesIntoApk=true

Notes:

  • Build warnings are existing SQLitePCLRaw NU1903 advisories.
  • The local keychain has no valid Apple signing identities, so iOS validation used simulator build with code signing disabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants