Enable Message Signatures on EVM accounts

This article is for Administrators only.

Overview

Signing messages serves a crucial purpose in the web3 ecosystem. It allows users to confirm their identity, authenticate transactions, and interact with smart contracts without the need to share their private keys.

The EIP-191 and EIP-712 formats are Ethereum Improvement Proposals that standardize signed messages:

  • EIP-191 provides a basic signed data scheme. It is mostly used to let users prove that they control an address without revealing their private key, typically when logging into a DApp.
  • EIP-712 improves upon EIP-191 and makes the process of data signing more user-friendly. It displays the data in a structured and readable format, improving user understanding and control over what they are signing. It is used when users are required to sign complex data to interact with a decentralized application (dApp), for instance, when placing an order on an NFT marketplace, or to allow a DEX to swap their tokens.

Ledger Enterprise supports the signature of messages in the EIP-191 and EIP-712 formats, and enables operators to review their content on the Trusted Display of their Personal Security Devices.

The signature of messages with Ledger Enterprise accounts opens up multiple opportunities in the web3 ecosystem. Here are a few examples:

  • Decentralized Finance (DeFi) apps such as MakerDAO, Aave or Curve Finance often require users to sign transactions for lending, borrowing, or trading assets.
  • Decentralized Exchanges (DEXs) such as Uniswap or Sushiswap, where the trading process involves signing messages to authorize trades and liquidity provisions.
  • NFT Marketplaces such as OpenSea, Rarible or Blur involve transactions where users purchase, bid for, or transfer digital assets. These marketplaces often require message signatures to ensure these transactions are secure and valid.
  • Identity and social apps such as ENS (Ethereum Name Service) or Lenster use signatures to verify identities, prove ownership or facilitate secure communication.
  • DAOs and governance apps such as Snapshot or Aragon often require members to sign messages to participate in voting and other governance actions.

You can enable message signatures for any Ethereum or EVM account. Step 4 (web3 rules) of the account creation or edition procedure now lets you activate and configure a rule to govern message signatures for the account. Activate the feature by clicking the toggle button, and configure your Message Signature governance rule according to your needs.

Signing DApp messages can put funds at risk. We advise users to educate themselves about the risks of signing messages, before activating message signatures.

Instructions


  1. Select creator to define which operators can create signature requests for DApp messages. You can select up to 20 operators or a single group. The selected operators will be able to initiate a message signature process through a DApp. See Sign DApp Messages for details.
  2. (optional) Use the approval workflow section to define which Operators must review and approve message signature requests for DApp messages. You can define up to three steps.
    • Click Add approval step.
    • Select up to 20 Operators or a single group.
    • Operators and groups pending to be created, edited, or deleted aren't listed.
    • Click the chevrons (left and right arrows) to define the number of approvals required from these Operators.
    • Click Add approval step.
  3. Confirm the creation of your Message Signature rule and review the rule on your Personal Security Device. Once you've reviewed the rule on your PSD and confirmed, an account creation or edition request is created.
  4. Once all required Administrators have reviewed and approved the account creation or edition request, according to your workspace's admin rule, the Message Signature rule will be effective for the account.

General best practices

DApp Message Signing Process

Please note that the signature of messages is a time-sensitive process. The connection between Ledger Vault and the DApp must be maintained between the time the DApp requests a message signature, and the time Ledger Vault returns a signed message.
We recommend the following good practices to ensure the message reaches the DApp after all approvals have been collected:
  • Once an operator initiates a message signature process through a DApp, they should maintain the connection with the DApp throughout the Ledger Enterprise message signature process. Whether they use a Vault DApp or connect to an external DApp via WalletConnect, operators who create message signing requests should leave their UI focused on the Vault DApp or WalletConnect, and avoid initiating other parallel operations.
  • If you choose to enforce review and approvals from other operators for message signature requests, make sure that approvals are provided fast enough, i.e. while the operator who initiated the message signature process is still connected to the DApp.

Web3 Risk Management

  • Do not enable Message Contract Signatures for an account holding higher amounts of funds than what you intend to use with Smart Contracts & DApps.
  • Try segregating Smart Contract & DApp accounts with one account per smart contract or DApp you wish to interact with. For example:
    • One account dedicated to Paraswap trading, which you top up before trades and withdraw from after trades
    • One account dedicated to ETH liquid staking on Lido
    • One account dedicated to NFT trading on NFT marketplaces
  • Although Vault DApps have been audited by multiple independent third-party firms, we encourage you to carry out your own due diligence before signing messages for any DApp or smart contract.
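
As an illustration of the due diligence and per-DApp segregation advised above, here is an added example (not Ledger Enterprise code) of a check an approver's own tooling could run over an EIP-712 request before signing. It flags an unexpected chain, a contract outside the account's allowlist, and an EIP-2612 style Permit with an unlimited amount or a distant deadline. The policy values, addresses and function names are hypothetical.

```python
import json

MAX_UINT256 = 2**256 - 1
NOW = 1_700_000_000  # constructed "current time" so the example is repeatable

# Hypothetical policy for one segregated account: a single chain, one DApp contract.
POLICY = {"chain_id": 1, "allowed_contracts": {"0x" + "11" * 20}, "max_deadline_s": 3600}

def to_int(value):
    """EIP-712 JSON carries integers as numbers, decimal strings or 0x-hex strings."""
    return int(value, 0) if isinstance(value, str) else int(value)

def review_typed_data(payload, policy, now):
    """Return findings an approver should see before signing an EIP-712 request."""
    data = json.loads(payload)
    domain, message = data.get("domain", {}), data.get("message", {})
    primary, findings = data.get("primaryType"), []
    if primary not in data.get("types", {}):
        findings.append("primaryType is not defined in types")
    if to_int(domain.get("chainId", -1)) != policy["chain_id"]:
        findings.append("domain.chainId does not match the account's chain")
    if str(domain.get("verifyingContract", "")).lower() not in policy["allowed_contracts"]:
        findings.append("verifyingContract is not on this account's allowlist")
    if primary == "Permit":  # EIP-2612 token approval signed off-chain
        if to_int(message.get("value", 0)) == MAX_UINT256:
            findings.append("Permit grants an unlimited token allowance")
        if to_int(message.get("deadline", 0)) - now > policy["max_deadline_s"]:
            findings.append("Permit deadline is later than policy allows")
    return findings

def sample_request(contract, value, deadline):
    """Build a constructed EIP-712 Permit payload (addresses are placeholders)."""
    return json.dumps({
        "types": {"Permit": [{"name": n, "type": t} for n, t in (
            ("owner", "address"), ("spender", "address"), ("value", "uint256"),
            ("nonce", "uint256"), ("deadline", "uint256"))]},
        "primaryType": "Permit",
        "domain": {"name": "ExampleToken", "version": "1", "chainId": 1,
                   "verifyingContract": contract},
        "message": {"owner": "0x" + "aa" * 20, "spender": "0x" + "bb" * 20,
                    "value": str(value), "nonce": "0", "deadline": str(deadline)},
    })

RISKY = sample_request("0x" + "22" * 20, MAX_UINT256, NOW + 10 * 365 * 86400)
BOUNDED = sample_request("0x" + "11" * 20, 10**18, NOW + 600)

if __name__ == "__main__":
    for name, req in (("RISKY", RISKY), ("BOUNDED", BOUNDED)):
        print(name, review_typed_data(req, POLICY, NOW) or "no findings")
```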
