🙋♂
Demonstrate ownership of a tz address
To ask someone to prove that he owns a specific address, you have several options.

Option 1:

Ask the wallet owner to send a transaction to your wallet with a random amount of your choice.
The risk of this method is that the verification will happen on-chain, publicly. Malicious actors could find a way to attack and exploit this process.
Another drawback of this method is that it will cost some XTZ tokens for transaction fees.

Option 2:

Choosing the data to sign

In the situation where sending a transaction is not possible, you can use the tezos-client for that. The first step is to pick the data we want the buyer owning the wallet to sign, it could be the ID of a Hic et Nunc NFT he owns, for example: OBJKT#63886

Converting the data to hexadecimal for the tezos-client

We now need to transform the ID in hexadecimal, for that we can use websites like: https://www.convertstring.com/
or the following script in linux:
1
#!/bin/bash
2
3
echo '0x'"`echo $1 | hexdump -vC | awk 'BEGIN {IFS="\t"} {$1=""; print }' | awk '{sub(/\|.*/,"")}1' | tr -d '\n' | tr -d ' '`" | rev | cut -c 3- | rev
Copied!
Usage:
1
# We called our script string-to-hex.sh
2
> chmod +x string-to-hex.sh
3
> ./string-to-hex.sh OBJKT#63886
4
0x4f424a4b542332333438
Copied!

Signing the data with the tezos-client

The owner will have to sign the transaction with the tezos-client.
1
> tezos-client sign bytes 0x4f424a4b542332333438 for <YOUR_ADDRESS_ALIAS>
2
3
Signature: edsigtmihaqxqsbT5DRM39PaofMD9ibfNQgtVZFAmno1EtmFo8Co51nu9udgsepbSHhZNuntvpSGTCjksF3pssFvmRvPR3msEwi
Copied!

Verifying the signature

Finding the public key

To be able to verify the owner's signature, you need to retrieve its public key. For that you have two options:
  • either ask the owner directly if he knows how to find it,
  • or retrieve it yourself from an explorer by looking for the "Reveal key" operation on the owner address.
To find the key on Tzkt, it would look like this:
  • Go to the wallet page (example: https://edo2net.tzkt.io/tz1cCG4Af5qkgBr2zGkG9W54mfCJ2s5Ltmyq/operations/), and look for one of the first operations called "Reveal key" as in the example below. Once you find it, click on the brackets highlighted on the screenshot below, located at the top right of the page
  • Once you opened the JSON you should be able to see the public key like in the screenshot below
RPC JSON View
Reveal public key operation

Importing owner's public key in the client

You now need to import the owner's public key in your tezos-client with the following command:
1
# We need to set an alias for the key, here we used the ID of the Hic et Nunc object with the "_BUYER" suffix
2
> tezos-client import public key OBJKT#63886_SIGNER unencrypted:edpkutsvRtP75QQaYAfyhyw52u8Rt4ZkuTgfhYSKeVkTEh8bQAZ8er
Copied!

Verifying the signature

The final step will be to verify that the signature matches the public key of the buyer:
1
> tezos-client check that 0x4f424a4b542332333438 was signed by OBJKT#63886_SIGNER to produce edsigtmihaqxqsbT5DRM39PaofMD9ibfNQgtVZFAmno1EtmFo8Co51nu9udgsepbSHhZNuntvpSGTCjksF3pssFvmRvPR3msEwi
2
3
Signature check successful.
Copied!