VerifyMessageWithAddr

VerifyMessageWithAddr returns the validity and the recovered public key of the provided compact signature (base64 encoded). The verification is twofold. First the validity of the signature itself is checked and then it is verified that the recovered public key of the signature equals the public key of the provided address. There is no dependence on the private key of the address therefore also external addresses are allowed to verify signatures. Supported address types are P2PKH, P2WKH, NP2WKH, P2TR.

This method is the counterpart of the related signing method (SignMessageWithAddr) and aims to provide full compatibility to bitcoin-core's implementation. Although bitcoin-core/btcd only provide this functionality for legacy addresses this function enhances it to the address types: P2PKH, P2WKH, NP2WKH, P2TR.

The verification for P2TR addresses is a special case and requires the ECDSA compact signature to compare the reovered public key to the internal taproot key. The compact ECDSA signature format was used because there are still no known compact signature schemes for schnorr signatures.

Source: walletrpc/walletkit.proto

gRPC

rpc VerifyMessageWithAddr (VerifyMessageWithAddrRequest) returns (VerifyMessageWithAddrResponse);

REST

HTTP Method	Path
POST	/v2/wallet/address/verifymessage

Code Samples

gRPC

Javascript

const fs = require('fs');
const grpc = require('@grpc/grpc-js');
const protoLoader = require('@grpc/proto-loader');

const GRPC_HOST = 'localhost:10009'
const MACAROON_PATH = 'LND_DIR/data/chain/bitcoin/regtest/admin.macaroon'
const TLS_PATH = 'LND_DIR/tls.cert'

const loaderOptions = {
  keepCase: true,
  longs: String,
  enums: String,
  defaults: true,
  oneofs: true,
};
const packageDefinition = protoLoader.loadSync(['lightning.proto', 'walletrpc/walletkit.proto'], loaderOptions);
const walletrpc = grpc.loadPackageDefinition(packageDefinition).walletrpc;
process.env.GRPC_SSL_CIPHER_SUITES = 'HIGH+ECDSA';
const tlsCert = fs.readFileSync(TLS_PATH);
const sslCreds = grpc.credentials.createSsl(tlsCert);
const macaroon = fs.readFileSync(MACAROON_PATH).toString('hex');
const macaroonCreds = grpc.credentials.createFromMetadataGenerator(function(args, callback) {
  let metadata = new grpc.Metadata();
  metadata.add('macaroon', macaroon);
  callback(null, metadata);
});
let creds = grpc.credentials.combineChannelCredentials(sslCreds, macaroonCreds);
let client = new walletrpc.WalletKit(GRPC_HOST, creds);
let request = {
  msg: <bytes>,
  signature: <string>,
  addr: <string>,
};
client.verifyMessageWithAddr(request, function(err, response) {
  console.log(response);
});
// Console output:
//  {
//    "valid": <bool>,
//    "pubkey": <bytes>,
//  }

Python

import codecs, grpc, os
# Generate the following 2 modules by compiling the walletrpc/walletkit.proto with the grpcio-tools.
# See https://github.com/lightningnetwork/lnd/blob/master/docs/grpc/python.md for instructions.
import walletkit_pb2 as walletrpc, walletkit_pb2_grpc as walletkitstub

GRPC_HOST = 'localhost:10009'
MACAROON_PATH = 'LND_DIR/data/chain/bitcoin/regtest/admin.macaroon'
TLS_PATH = 'LND_DIR/tls.cert'

# create macaroon credentials
macaroon = codecs.encode(open(MACAROON_PATH, 'rb').read(), 'hex')
def metadata_callback(context, callback):
  callback([('macaroon', macaroon)], None)
auth_creds = grpc.metadata_call_credentials(metadata_callback)
# create SSL credentials
os.environ['GRPC_SSL_CIPHER_SUITES'] = 'HIGH+ECDSA'
cert = open(TLS_PATH, 'rb').read()
ssl_creds = grpc.ssl_channel_credentials(cert)
# combine macaroon and SSL credentials
combined_creds = grpc.composite_channel_credentials(ssl_creds, auth_creds)
# make the request
channel = grpc.secure_channel(GRPC_HOST, combined_creds)
stub = walletkitstub.WalletKitStub(channel)
request = walletrpc.VerifyMessageWithAddrRequest(
  msg=<bytes>,
  signature=<string>,
  addr=<string>,
)
response = stub.VerifyMessageWithAddr(request)
print(response)
# {
#    "valid": <bool>,
#    "pubkey": <bytes>,
# }

REST

Javascript

const fs = require('fs');
const request = require('request');

const REST_HOST = 'localhost:8080'
const MACAROON_PATH = 'LND_DIR/data/chain/bitcoin/regtest/admin.macaroon'

let requestBody = {
  msg: <string>, // <bytes> (base64 encoded)
  signature: <string>, // <string> 
  addr: <string>, // <string> 
};
let options = {
  url: `https://${REST_HOST}/v2/wallet/address/verifymessage`,
  // Work-around for self-signed certificates.
  rejectUnauthorized: false,
  json: true,
  headers: {
    'Grpc-Metadata-macaroon': fs.readFileSync(MACAROON_PATH).toString('hex'),
  },
  form: JSON.stringify(requestBody),
}
request.post(options, function(error, response, body) {
  console.log(body);
});
// Console output:
//  {
//    "valid": <boolean>, // <bool> 
//    "pubkey": <string>, // <bytes> 
//  }

Python

import base64, codecs, json, requests

REST_HOST = 'localhost:8080'
MACAROON_PATH = 'LND_DIR/data/chain/bitcoin/regtest/admin.macaroon'
TLS_PATH = 'LND_DIR/tls.cert'

url = f'https://{REST_HOST}/v2/wallet/address/verifymessage'
macaroon = codecs.encode(open(MACAROON_PATH, 'rb').read(), 'hex')
headers = {'Grpc-Metadata-macaroon': macaroon}
data = {
  'msg': base64.b64encode(<bytes>),
  'signature': <string>,
  'addr': <string>,
}
r = requests.post(url, headers=headers, data=json.dumps(data), verify=TLS_PATH)
print(r.json())
# {
#    "valid": <bool>,
#    "pubkey": <bytes>,
# }

Shell

$ lncli wallet addresses verifymessage --help

NAME:
   lncli wallet addresses verifymessage - Verify a message signed with the private key of the provided address.

USAGE:
   lncli wallet addresses verifymessage [command options] address sig msg

DESCRIPTION:
   
  Verify a message signed with the signature of the public key
  of the provided address. The signature must be in compact ECDSA format
  The verification is independent whether the address belongs to the
  wallet or not. This is achieved by only accepting ECDSA compacted
  signatures. When verifying a signature with a taproot address, the
  signature still has to be in the ECDSA compact format and no tapscript
  has to be included in the P2TR address.
  Supports address types P2PKH, P2WKH, NP2WKH, P2TR.

  Besides whether the signature is valid or not, the recoverd public key
  of the compact ECDSA signature is returned.
  

OPTIONS:
   --address value  specify the address which correspondingpublic key will be used
   --sig value      the base64 encoded compact signature of the message
   --msg value      the message to sign
   

Messages

walletrpc.VerifyMessageWithAddrRequest

Source: walletrpc/walletkit.proto

Field	gRPC Type	REST Type	REST Placement
msg The message to be signed. When using REST, this field must be encoded as base64.	bytes	string	body
signature The compact ECDSA signature to be verified over the given message ecoded in base64.	string	string	body
addr The address which will be used to look up the public key and verify the the signature.	string	string	body

walletrpc.VerifyMessageWithAddrResponse

Source: walletrpc/walletkit.proto

Field	gRPC Type	REST Type
valid Whether the signature was valid over the given message.	bool	boolean
pubkey The pubkey recovered from the signature.	bytes	string