CryptoSign

CryptoSign allows users to sign their Airtable bases and tables into the Blockchain, and verify integrity of signatures. This is a blockchain alternative to signing solutions like DocuSign.

Hash

Let's first talk a little about hashes in order to understand the concept of CryptoSign. A hash is a fixed-size and unique representation of some data, like a fingerprint. The same data will always have the same hash, but if the data changes by even a single character, then the hash changes entirely. It is impossible from the hash to go back to the original data, therefore we can safely store hashes in a public blockchain without compromising the privacy of the original data. Here are some examples: “Hello world” => 0x185f8db32271fe25f561a6fc938b2e264306edu343gu The entire Lord of the Rings collection => 0x5aee9a0d38ffe31fe100042698edc9fbe905njh343

So what is CryptoSign?

The CryptoSign Airtable Block computes the hash of all the data in all the tables of an Airtable base, and sends the hash to an Ethereum Smart Contract that I wrote to store the hash and automatically associate it with the sender’s public address and current date. Users can then later verify signatures by computing the hash of the data themselves and checking that this hash does exist in the smart contract and has been signed by the correct public address.

CryptoSign

Let's install a wallet

To send data to the smart contract, you need a wallet. The wallet will sign every blockchain operations (called transactions) with your private key that only you alone knows, proving you are the originator of the transaction. You can use many wallets, but for this demo we are going to use Metamask, the most popular in-browser wallet.

To install metamask, just go to the https://chrome.google.com/webstore/detail/metamask/nkbihfbeogaeaoehlefnkodbefgpgknn?hl=en. Then install it and create your wallet to define your private key.

CryptoSign

Using a testnet

CryptoSign is production-ready and can be used on the Ethereum Mainnet using real Ethers. However, when sending data to the blockchain you need to pay a small network processing fee (usually a few cents), so for demo purposes, you can switch Metamask to the Ropsten test network so you can use fake test Ethers to pay for transactions. To get test Ethers, go to https://faucet.ropsten.be/

Let's get started (finally!)

You are now ready to use CryptoSign. Open any base document and load the CryptoSign block. You can see two buttons: “Sign Document” and “Verify Signature”. Below you can see the current document hash computed from the data of all the cells from all the tables of this base. Note the current hash begins with 0xe7... Now if you change any data, the hash changes instantly.

Now, if you click ‘Sign Document’, the current hash of the document will be sent to our smart contract. For this, Metamask will automatically open and asks you to sign the transaction for sending data to the blockchain. You need to pay some Ethers. Since we are on the testnet we are paying with test Ethers. Notice that this corresponds to only a few US cents. Pay and wait for the transaction to be verified by the network, this usually take a few seconds but can go up to a few minutes if the network is very busy. In the meantime, you can check on the status of the transaction in Metamask and even click on the Etherscan link to check the status on the official Ethereum block explorer.

Tadaaaa

Once the transaction is done, the document is signed! You can see that CryptoSign shows some metadata captured by the smart contract from the transaction, i.e. the date and time of the signature and the sender’s public address. If you check your metamask address, you can see that it does indeed correspond to your public address.

Let’s take a quick look at the code of the smart contract so you can understand what is under the hood.

pragma solidity 0.5.16;

contract Cryptosign {
    struct Metadata {
        address sender;
        uint256 date;
    }

    mapping(string => Metadata) public hashToMetadata;

    event Signed(string hash, address sender, uint256 date);

    function sign(string memory hash) public {
        hashToMetadata[hash] = Metadata(msg.sender, now);
        emit Signed(hash, msg.sender, now);
    }

    function verify(string memory hash) public view returns (address sender, uint256 date) {
        Metadata memory metadata = hashToMetadata[hash];
        require(metadata.date > 0, "Invalid Signature");
        return (metadata.sender, metadata.date);
    }
}

As you can see it is quite simple. We have a mapping that stores the document hashes and their corresponding metadata, and the "sign" function that accepts the hash as input. Notice that the sender’s public key and the date of signing are not part of the function input. They are fetched automatically from the transaction itself so they cannot be faked or altered by the signer.

Notice also that data stored like that in the blockchain becomes immutable and inalterable for life! Even if the CryptoSign block gets discontinued, the smart contract data will always be publicly available in the blockchain and signatures will always be verifiable.

Now the "verify" function works just the other way. You call it with a hash and it will check if this hash exists in the smart contract storage. If so, it will return the stored signer’s public address and signing date. If not, it will send an invalid signature error.

Back to Airtable

You can then go back to Airtable and refresh the page as if you were checking it out as another user. You can click "Verify Signature" and this will send the hash to the smart contract. You should see almost immediately that the hash was found so the signature is confirmed. The smart contract sends back the metadata and we display them on the block itself so users can verify them.

Now let’s try to change some data. Modify some cell(s) and click "Verify Signature" again. The smart contract sends back ‘Invalid Signature’ because the new document hash does not correspond to any hash stored in the smart contract. This proves someone has tempered with the document since the signature was done.

Try removing your modifications to revert to the original document and click "Verify Signature" again. The signature is now correct again. Notice you could alternatively decide to keep the modified version and sign this new version instead. You would therefore have 2 signatures, one for each version of the document, but one would have a more recent date than the other. Further developments could include displaying an history of signatures.

What about security ?

As noted above, it is impossible to fake or cheat a signature sent to the blockchain because the protocol fetches it automatically from the transaction signed with the private key of the signer. The whole Ethereum blockchain relies on these cryptographic principles and Ethereum has never been hacked, despite constant attempts.

CryptoSign is more cryptographically secured than DocuSign and way less expensive. The signer only has to pay the network fee when signing a document to pay for the execution of the smart contract

Caveat

For the sake of transparency, there is one caveat to be noted. You have to know the identity of the person behind the public Ethereum address. The cryptographic signature guarantees that a public address has indeed signed the document, but it doesn’t prove the identity of the person behind that public address.

There are multiple ways to solve that issue, the most popular being that the user has to pass a KYC before using CryptoSign. We can therefore associate his public address with his identity. There are multiple services online offering to pass a "Crypto KYC" with easy API integrations. Further developments of CryptoSign could include such integration.

CryptoSign

Conclusion

CryptoSign offers a quick and cheap solution to sign data on Airtable and provide a cryptographic proof that can be to verify the document has not been altered since the signature. Any change would immediately be visible as an Invalid Signature, and either require the data to come back to the original signed version or to sign the new version.

The use cases for this are numerous :

  • a consultant could agree on a pricing by signing the client’s requirements (so the client cannot change them later)
  • an architect could certify measurements by signing them
  • an auditor could sign an audit trail or a financial inspection
  • etc...

Anything requiring a proven signature can now be done on Airtable!

Built With

Share this project:

Updates