hackshare/cosign

Cosign

A native iOS signer for Squads v4 multisigs on Solana. Review a squad's vault and pending proposals, then co-sign to execute, with your keys held on your device.

License: MIT | Platform: iOS | Swift 6 | Rust

Beta software. The current build runs on Solana devnet (a test network) and is not security audited. Do not use it to manage real funds. See SECURITY.md.

Screenshots: decoded proposal detail, sign sheet with threshold ring, verifiable receipt.

What it is

Cosign is a thin, verifiable client for Solana Squads v4 multisig signing:

  • Decoded, inspectable proposals. Every instruction is decoded into plain language with a severity and a confidence read. Nothing is hidden behind a blind signature.
  • Co-sign to a threshold. See who has approved, add your signature, and watch the threshold close. Routine proposals use hold-to-confirm; high-risk ones require typing a phrase.
  • Self-custody. Keys are generated on-device or imported — from a BIP-39 recovery phrase or a raw Solana secret key — stored in the iOS Keychain or on a hardware signer, and never leave the device.
  • Hardware signers. Ledger over Bluetooth, YubiKey over NFC or USB, with on-device address verification.
  • Relay-only. The app talks only to the Cosign relay, which proxies Solana RPC and helps decode proposals. It holds no keys and cannot move funds.
  • Verifiable builds. Each release embeds a signed provenance claim you can check on-device and against the published GitHub Release — see docs/build-verification.md.

Architecture

  • core/: the Rust crate cosign_core (key derivation, signing, transaction decoding), exposed to Swift via UniFFI, plus the relay server at core/src/bin/relay-server.rs.
  • Modules/: the Swift app, split into focused modules: Core, CosignCore (the FFI bridge), Indexer, Persistence, Signers, Squads, UI.
  • App/: the iOS app target.
  • The Xcode project is generated by Tuist, so there is no .xcodeproj in git.

Getting started

Requirements:

  • macOS with a recent Xcode (Swift 6)
  • Tuist: brew install tuist
  • Rust (stable) with iOS targets:
    rustup target add aarch64-apple-ios aarch64-apple-ios-sim x86_64-apple-ios
  • Lint and hooks: brew install swiftformat swiftlint lefthook gitleaks

Build:

lefthook install                 # wire git pre-commit hooks
./scripts/build-xcframework.sh   # build the Rust core into an XCFramework
tuist generate                   # generate the Xcode project
open Cosign.xcworkspace

Test:

cd core && cargo test            # Rust core + relay
# iOS: build and test the Cosign-Workspace scheme from Xcode or xcodebuild

The relay

The app is a client of a single relay (the relay-server binary in cosign_core). It proxies Solana RPC with a method allowlist, proxies the Solana WebSocket so credentials stay server-side, and serves cosign/v1 endpoints for decoded squads, proposals, account activity, and prices.

Run it locally:

cd core
COSIGN_RELAY_RPC_URL="https://devnet.helius-rpc.com/?api-key=YOUR_KEY" cargo run --bin relay-server

The relay can optionally serve the project's marketing site behind the landing cargo feature (cargo build --bin relay-server --features landing); the default build serves none.
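
The method allowlist described in this section can be sketched as a default-deny check over decoded JSON-RPC bodies, batches included. This is an added example, not code from the Cosign repository: the types, the listed methods and the batch cap of 16 are assumptions, and JSON decoding is assumed to happen before the check.

```rust
// Added example: std-only sketch, not code from the Cosign repository.
use std::collections::HashSet;

/// One decoded JSON-RPC call; only the field the policy inspects.
pub struct Call { pub method: String }

/// A JSON-RPC body is a single call or a batch (JSON array) of calls.
pub enum Body { Single(Call), Batch(Vec<Call>) }

#[derive(Debug, PartialEq)]
pub enum Deny { MethodNotAllowed(String), EmptyBatch, BatchTooLarge(usize) }

pub struct Policy { allowed: HashSet<&'static str>, max_batch: usize }

impl Policy {
    /// Assumed allowlist and batch cap for a signer client (constructed values).
    pub fn signer_default() -> Self {
        let allowed = HashSet::from([
            "getAccountInfo", "getMultipleAccounts", "getLatestBlockhash",
            "getSignatureStatuses", "sendTransaction",
        ]);
        Policy { allowed, max_batch: 16 }
    }

    /// Default deny with exact, case-sensitive matching. A batch is forwarded
    /// only if every call passes; returns the number of calls to forward.
    pub fn check(&self, body: &Body) -> Result<usize, Deny> {
        let calls: &[Call] = match body {
            Body::Single(c) => std::slice::from_ref(c),
            Body::Batch(v) if v.is_empty() => return Err(Deny::EmptyBatch),
            Body::Batch(v) if v.len() > self.max_batch => {
                return Err(Deny::BatchTooLarge(v.len()))
            }
            Body::Batch(v) => v.as_slice(),
        };
        match calls.iter().find(|c| !self.allowed.contains(c.method.as_str())) {
            Some(c) => Err(Deny::MethodNotAllowed(c.method.clone())),
            None => Ok(calls.len()),
        }
    }
}

fn main() {
    let policy = Policy::signer_default();
    let call = |m: &str| Call { method: m.to_string() };
    // Constructed batch: one allowed method alongside one that is not listed.
    let body = Body::Batch(vec![call("getLatestBlockhash"), call("getProgramAccounts")]);
    println!("{:?}", policy.check(&body)); // the whole batch is refused
}
```

Rejecting the whole batch when any member fails keeps an unlisted method from riding along with allowed ones, and the size cap bounds how much upstream RPC work one client request can trigger.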

Security

Keys never leave the device, and the relay holds none. Please report vulnerabilities privately per SECURITY.md rather than opening a public issue.

Contributing

See CONTRIBUTING.md. The pre-commit hooks and CI enforce rustfmt + clippy and swiftformat + swiftlint; keep them green.

License

MIT.
