Skip to main content

How to verify a signature

Christopher Cowles
  • Updated

You can verify any of your signatures with the attached audit trail. The audit trail is sent out to all the signers once everyone has signed. 

This full process can be done using common tools that already exist on your computer. However, these tools are only accessible via the command line. We have a link to online tools that can be used instead. 

 

An example can be found at https://blocknify.com/signed-example.pdf

 

You can verify a signature in two methods, through our open-source code or manually.

 

Automatically validate your signatures with a simple drag and drop (recommended)

  • This version is hosted by GitHub using our open source code which can be viewed here.
  • Your document will not be uploaded at any time and all your information is pulled directly from your audit trail, as you can see within the code.
  • Our open-source hosted version will verify the signature using the same manual methods. We recommend using this version as it ensures it is done correctly. 

Manual verification method/ detailed step by step process

 

This process is already outlined within your Audit trail within a data URL accessible view the following steps.

  1. You can access all the signature information and directions by copying the signature header link ("Signature:").
    mceclip0.png
  2. You can paste the link within your browser. This isn't a normal URL but rather a way for the browser to open the data locally within your browser. This is also why it can't be clicked and opened.
  3. Here you will see all the information you need to recreate your signature hash and verify it against the Stellar Blockchain. For our example, we will use our example document: (for this example we will replace the step numbers for letters)  
    The following information and steps will allow you to verify that the published hashes within the Stellar transaction are authentic. The signer's private key is locally created via their signer PIN and never uploaded at any time, ensuring the signer has complete control over their signature.

Only trust the posting Stellar source account if it is listed on https://blocknify.com/.well-known/stellar.toml. Stellar transaction is hyperlinked on the audit trail's signature paging token.


            Signature information

            A. Real identity object: {"email":"jess@blocknify.com","name":"Jess Test","phone_number":"+999999999"} 
            B. Document content hash: 327d0e3f92e6fb6930c953a84f046cfda6489ff60c5e07119065f2ceb92b5e6b
            C. Unix timestamp of the signature: 1604310505
            D. Added signer's array (present if this is the document's poster / owner): ["john@blocknify.com"]

            Steps to recreate the final signature hash:
            1. Signature info string (A [hashed] + B + C + D [if exists]): 33ca5c9c12c060cad3388ea70e399d6c3940627b58840945e59a67ca7b8dbfdc327d0e3f92e6fb6930c953a84f046cfda6489ff60c5e07119065f2ceb92b5e6b1604310505["john@blocknify.com"]
            2. Signature info string SHA256 (found within the signer's signed Ethereum Tx): 142f29c1e8491135a6059861ba6a4eec21807e8e850907cffd0fa95c50bb09d8  
            3. Signer's public key: eea2ebd8274cb3b4c73dbfbd118cd84522e9dd167954da3ec9d2aaa35110ddb42aa43c0f888c83dbf92c37e805fd76dce2bbd252b612177175bf45b1be0f1f6a  
            4. Signed Ethereum Tx Hex (Contains signed signature info hash): 0xf885808609184e72a00082271094000000000000000000000000000000000000000080a0142f29c1e8491135a6059861ba6a4eec21807e8e850907cffd0fa95c50bb09d81ba03e8fd2de0f0c8410868265f4fdffdd67376f57f8b023a2919a895e23a82fca43a0069297d67bda818278c44ba07201bffb40d40d1d6fb4149f4c4941d9b49adb56
            5. SHA256 of the Signed Ethereum Tx without hex prefix (found within the memo(hash) of the Stellar transaction as hex): 50d79b5e1b772bf871975a0c04966ea025b88298970dd002ba1263723c756955
  4. Now you need to follow the steps listed. 

A detailed explanation of steps 1-5.

  1. To create step 1 you will need to hash (SHA256) the identity information Blocknify collected from the signer. As stated before you can use the command line or here is an open-source tool for hashing.
  2. Copy the information below (make sure not to copy any extra spaces): 
    {"email":"jess@blocknify.com","name":"Jess Test","phone_number":"+999999999"}
  3. Paste it into the hashing tool
  4. You will get the following. This will then match up to the first part of A [hashed] on step 1. 
    33ca5c9c12c060cad3388ea70e399d6c3940627b58840945e59a67ca7b8dbfdc
  5. Download the original document and then go here to calculate your document fingerprint and verify it matches your PDF. 
    327d0e3f92e6fb6930c953a84f046cfda6489ff60c5e07119065f2ceb92b5e6b
  6. Then we append document content hash, timestamp, and signer's list that Jess added. However, to make things easier, we do it for you in step 1. Make sure you copy the whole thing.  
    33ca5c9c12c060cad3388ea70e399d6c3940627b58840945e59a67ca7b8dbfdc327d0e3f92e6fb6930c953a84f046cfda6489ff60c5e07119065f2ceb92b5e6b1604310505["john@blocknify.com"]
  7. Now we hash this information as we did in step C with step F information. 
    142f29c1e8491135a6059861ba6a4eec21807e8e850907cffd0fa95c50bb09d8
  8.  This hash now includes all of the identity information with the document content fingerprint (hash) and the included signers. We do this to ensure everyone's privacy and ensure that all the information can be verified on the blockchain.
  9. What we call a signature is us creating this hash locally and then having the signer use their signing PIN, which then allows them to sign this information with their private key. In this case, the signer's public key is: 
    eea2ebd8274cb3b4c73dbfbd118cd84522e9dd167954da3ec9d2aaa35110ddb42aa43c0f888c83dbf92c37e805fd76dce2bbd252b612177175bf45b1be0f1f6a
  10. Temporary step: To sign the signature hash, we add it to an ethereum transaction as we used to publish this to ethereum. In the future, we will sign the information using AES. 
  11. Now we can decode the attached signed ethereum transaction. We can prove that the signer's public key signed the hash from step G.  
    0xf885808609184e72a00082271094000000000000000000000000000000000000000080a0142f29c1e8491135a6059861ba6a4eec21807e8e850907cffd0fa95c50bb09d81ba03e8fd2de0f0c8410868265f4fdffdd67376f57f8b023a2919a895e23a82fca43a0069297d67bda818278c44ba07201bffb40d40d1d6fb4149f4c4941d9b49adb56
  12. We can use the following tool to decode the above transaction to see the signature hash.
    mceclip0.png
  13. Within the tool, we can also recreate the public key that was used to sign this data. 
    mceclip3.png
  14. We have verified the signer's identity, timestamp, and document fingerprint signed by the attached public key. We can verify that this information has not been modified. We can check if this information has not been modified by hashing the ethereum transaction and checking if it is on the Stellar blockchain. 
  15. Copy the signer ethereum transaction without the hex prefix (0x) 
    f885808609184e72a00082271094000000000000000000000000000000000000000080a0142f29c1e8491135a6059861ba6a4eec21807e8e850907cffd0fa95c50bb09d81ba03e8fd2de0f0c8410868265f4fdffdd67376f57f8b023a2919a895e23a82fca43a0069297d67bda818278c44ba07201bffb40d40d1d6fb4149f4c4941d9b49adb56
  16. Hash this information, which will result in: 
    50d79b5e1b772bf871975a0c04966ea025b88298970dd002ba1263723c756955
  17. Now, let's match this information with the Stellar transaction. You can find the Stellar transaction as a hyperlink on the audit trail after "Signature:" 
    mceclip0.png
    mceclip1.png
  18. This will open the Stellar transaction on stellar.expert. Here you will be able to view the live Stellar network.
  19. Go to the memo (HASH) field and then change the format to hex
    mceclip2.png
  20. You will be able to verify the hash is the same one from step P.
    mceclip3.png
  21. One last check is to make sure that this transaction came from Blocknify. Click on the source account.
    mceclip4.png
  22. This will allow you to view the account number that posted this transaction. Here you can then match it against our verified accounts on https://blocknify.com/.well-known/stellar.toml
    mceclip5.png

 

This process can be done for each signature listed on the audit trail at any time. 

Related articles

Powered by Zendesk