Breaking Change: Account Key Transaction Signing - 6/23/2021

We want to let you know that a breaking change to transaction signing that could impact your development team has been deployed. This is a critical update that was actioned with the 6/23/2021 MainNet Spork in order to address a potential security issue. We will share more details in the future and apologize for the sudden rollout, but addressing the security patch and ensuring network safety was our top priority.

This change is currently deployed across all networks.

Who/What This Impacts

  • This impacts transaction signing.
  • We previously allowed signing the transaction with the same account key multiple times. In particular, we allowed signing the transaction Payload and the transaction Envelope with the same account key, even though it wasn’t necessary to do this. Signing just the envelope was sufficient.
  • This is now changed so that using the same account key for signing more than once will produce an error. In particular, signing both Payload and Envelope with the same account key will produce an error.

Why This Change Happened

  • The change happened to address a security issue, which prompted our team to take action quickly.

Action Required

  • Generally, there is no action required.
  • If you notice your transactions failing with the error “duplicated signature for key”, make sure you are not signing with the same account key index more than once or signing the Payload and the Envelope of the transaction with the same account key.

If you have any questions regarding this breaking change, please ask our team in Discord for further assistance.

Thank you,
The Flow Team :ocean:

Hello @DrewGarrison!

We are running into an issue with this exact item and wanted to see if you could help point us in the right direction.

Previously, when we tested business logic on the emulator with the data linked below, the transaction was successful. Creation of an account on Testnet through Flow CLI also works (screen 1). But when we try to create an account on Testnet through the endpoint, we get an error:

“invalid transaction: duplicated signature for key (address: 8c6630e44722bfd1, index: 0)”

The same issue happens with NFT minting – it works on the emulator, but there is an issue with Testnet.

Testnet account was created and funded at https://testnet-faucet-v2.onflow.org/

Flow CLI version: v0.21.0

All relevant data is included here. We are uncertain what actions we should take to get transactions working on Testnet. Can you help point us in the right direction?

Much appreciated!
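
The check described under "Action Required" can be run client-side before a transaction is submitted. The following is an added example, not part of the original posts and not Flow SDK code: the `Sig` type, the function names and the sample addresses are assumptions made for illustration, and the message text follows the error quoted in the thread.

```python
from collections import defaultdict
from typing import NamedTuple


class Sig(NamedTuple):
    """One signature entry; a hypothetical stand-in, not a Flow SDK type."""
    address: str    # signer account address, hex
    key_index: int  # index of the account key that produced the signature


def _key(sig):
    # Normalise so "0xABC..." and "abc..." compare as the same account key.
    addr = sig.address.lower()
    if addr.startswith("0x"):
        addr = addr[2:]
    return addr, sig.key_index


def find_duplicate_keys(payload_sigs, envelope_sigs):
    """Map each (address, key_index) used more than once to where it signed."""
    seen = defaultdict(list)
    for section, sigs in (("payload", payload_sigs), ("envelope", envelope_sigs)):
        for sig in sigs:
            seen[_key(sig)].append(section)
    return {key: where for key, where in seen.items() if len(where) > 1}


def preflight_errors(payload_sigs, envelope_sigs):
    """Messages in the shape of the network error quoted in the thread."""
    dups = find_duplicate_keys(payload_sigs, envelope_sigs)
    return [f"duplicated signature for key (address: {a}, index: {i})"
            for (a, i) in sorted(dups)]


def drop_redundant_payload_sigs(payload_sigs, envelope_sigs):
    """Drop payload signatures made with a key that also signs the envelope."""
    envelope_keys = {_key(sig) for sig in envelope_sigs}
    return [sig for sig in payload_sigs if _key(sig) not in envelope_keys]


# Constructed sample: one account is proposer, authorizer and payer and signed
# both parts with key 0; a second account signed the payload only.
PAYLOAD = [Sig("0x00000000000000A1", 0), Sig("00000000000000b2", 1)]
ENVELOPE = [Sig("00000000000000a1", 0)]

if __name__ == "__main__":
    print(preflight_errors(PAYLOAD, ENVELOPE))
    fixed = drop_redundant_payload_sigs(PAYLOAD, ENVELOPE)
    print(fixed, preflight_errors(fixed, ENVELOPE))
```

`drop_redundant_payload_sigs` relies on the announcement's statement that signing just the envelope was sufficient; a key repeated within the same part is still reported by `find_duplicate_keys` and has to be fixed in the signing code itself.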