A native iOS signer for Squads v4 multisigs on Solana. Review a squad's vault and pending proposals, then co-sign to execute, with your keys held on your device.
Beta software. The current build runs on Solana devnet (a test network) and is not security audited. Do not use it to manage real funds. See SECURITY.md.
Cosign is a thin, verifiable client for Solana Squads v4 multisig signing:
- Decoded, inspectable proposals. Every instruction is decoded into plain language with a severity and a confidence read. Nothing is hidden behind a blind signature.
- Co-sign to a threshold. See who has approved, add your signature, and watch the threshold close. Routine proposals hold-to-confirm; high-risk ones require typing a phrase.
- Self-custody. Keys are generated on-device or imported — from a BIP-39 recovery phrase or a raw Solana secret key — stored in the iOS Keychain or on a hardware signer, and never leave the device.
- Hardware signers. Ledger over Bluetooth, YubiKey over NFC or USB, with on-device address verification.
- Relay-only. The app talks only to the Cosign relay, which proxies Solana RPC and helps decode proposals. It holds no keys and cannot move funds.
- Verifiable builds. Each release embeds a signed provenance claim you can check on-device and against the published GitHub Release — see docs/build-verification.md.
- core/: the Rust crate cosign_core (key derivation, signing, transaction decoding), exposed to Swift via UniFFI, plus the relay server at core/src/bin/relay-server.rs.
- Modules/: the Swift app, split into focused modules: Core, CosignCore (the FFI bridge), Indexer, Persistence, Signers, Squads, UI.
- App/: the iOS app target.
- The Xcode project is generated by Tuist, so there is no .xcodeproj in git.
Requirements:
- macOS with a recent Xcode (Swift 6)
- Tuist:

      brew install tuist

- Rust (stable) with iOS targets:

      rustup target add aarch64-apple-ios aarch64-apple-ios-sim x86_64-apple-ios

- Lint and hooks:

      brew install swiftformat swiftlint lefthook gitleaks
Build:

    lefthook install                  # wire git pre-commit hooks
    ./scripts/build-xcframework.sh    # build the Rust core into an XCFramework
    tuist generate                    # generate the Xcode project
    open Cosign.xcworkspace

Test:

    cd core && cargo test    # Rust core + relay
    # iOS: build and test the Cosign-Workspace scheme from Xcode or xcodebuild

The app is a client of a single relay (the relay-server binary in cosign_core). It proxies Solana RPC with a method allowlist, proxies the Solana WebSocket so credentials stay server-side, and serves cosign/v1 endpoints for decoded squads, proposals, account activity, and prices.
Run it locally:

    cd core
    COSIGN_RELAY_RPC_URL="https://devnet.helius-rpc.com/?api-key=YOUR_KEY" cargo run --bin relay-server

The relay can optionally serve the project's marketing site behind the landing cargo feature (cargo build --bin relay-server --features landing); the default build serves none.
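
The method allowlist mentioned above is easy to get subtly wrong when JSON-RPC batches are involved, so here is a default-deny check as an added example. It is not the relay's own Rust code: it is sketched in Python, and the allowlist contents, the batch cap and the function name are assumptions.

```python
import json

# Assumed allowlist for illustration; the relay's real list is not shown here.
ALLOWED_METHODS = frozenset({
    "getAccountInfo", "getMultipleAccounts", "getLatestBlockhash",
    "getSignatureStatuses", "simulateTransaction", "sendTransaction",
})
MAX_BATCH = 10  # assumed cap; bounds upstream fan-out per request


def check_rpc_body(raw: bytes):
    """Return (ok, reason). Default-deny: anything not understood is rejected."""
    try:
        body = json.loads(raw)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return False, "invalid JSON"
    # JSON-RPC 2.0 allows a batch (an array of calls). Every element must pass,
    # otherwise a blocked method could ride along behind an allowed one.
    calls = body if isinstance(body, list) else [body]
    if not calls:
        return False, "empty batch"
    if len(calls) > MAX_BATCH:
        return False, "batch too large"
    for call in calls:
        if not isinstance(call, dict):
            return False, "call is not an object"
        method = call.get("method")
        if not isinstance(method, str):
            return False, "missing or non-string method"
        if method not in ALLOWED_METHODS:  # exact, case-sensitive match
            return False, f"method not allowed: {method}"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    b'{"jsonrpc":"2.0","id":1,"method":"getLatestBlockhash"}',
    b'{"jsonrpc":"2.0","id":1,"method":"requestAirdrop","params":[]}',
    b'[{"jsonrpc":"2.0","id":1,"method":"getAccountInfo"},'
    b' {"jsonrpc":"2.0","id":2,"method":"getProgramAccounts"}]',
    b'{"jsonrpc":"2.0","id":1,"method":"GETACCOUNTINFO"}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_rpc_body(raw))
```

Only a request that passes this check would be forwarded upstream; the third sample shows a batch rejected as a whole because one of its calls is off the list.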
Keys never leave the device, and the relay holds none. Please report vulnerabilities privately per SECURITY.md rather than opening a public issue.
See CONTRIBUTING.md. The pre-commit hooks and CI enforce rustfmt + clippy and swiftformat + swiftlint; keep them green.
MIT.


