Proposal: Verify ASA Ownership for Pull Requests

Question

Proposal: Verify ASA Ownership for Pull Requests

Opened this issue 3 years ago · 2 comments

Is there any plan to verify ASA ownership for pull requests? Currently it seems to be run on trust that someone won't attempt to upload an incorrect/unauthorised logo for another ASA.

A solution such as a signed message could be used. E.g. I open a pull request, I commit my logo(s), I create a signed message including the previous commit ID, I commit the signed message to the PR.

Take my PR 301 as an example. My commit ID is e61c5dbd9180cd6a97608725bf23735d3b72cbc7. To verify ownership I can now sign a message which includes the commit ID using my Algorand address private key:

{
	"msg": {
		"asa": "540605589",
		"commit": "e61c5dbd9180cd6a97608725bf23735d3b72cbc7"
	},
	"addr": "VEGASPDWGUX2KTFFJFVZ6IE7TPSY4NVFVOKHXZGBBERXNF3JOWOZB2PZPU",
	"sig": "s6pDjIsm9ChW+UQh58XyKqfYSxeO21VWlAvcBDyeuxt4Gpzdxx1ktLSx6eNEwvCr1AXOe\/1x1vVlQ315m8aQBQ=="
}

To verify we take the following steps:

Verify msg, addr and sig are present
Verify asa and commit are present inside msg object
Verify addr is the owner of msg.asa using an indexer API
Verify signature

Answer 1 · 2022-06-24T18:23:57.000Z

i like this.. and i think it would be great if there would be some json describing project, listing project links and so on..

also i would like to see the same thing for testnet tokens or other algo cochains tokens..

Answer 2 · 2023-02-11T13:04:46.000Z

I was wondering the same thing, some verification of creator account address does seem like a great idea.