New look, same great product! HelloSign is now Dropbox Sign.
Alexandre Krispin is the winner of the Dropbox Sign Go Paperless Hackathon Most Creative prize. His hardware-wallet-inspired Encrypted Signer App lets users sign contracts and receive private communications for documents through cryptographic keys. Check out his full submission.
From hobbyist to hackathon winner
Alexandre started teaching himself to code after moving from France to Japan. While working as a network engineer in Tokyo, he picked up a book about automating "boring” work tasks using Python, then put his learnings into action at his job.
After automating several mundane tasks in his day-to-day work, he looked for a new challenge to set his growing coding skills upon. "I wanted to create something that involved authentication like what I was learning about in my coding books. That’s when I found the Dropbox Sign hackathon, which seemed like a perfect opportunity." That marked the beginning of Alexandre’s winning Encrypted Signer App.
An app built for total user privacy
Alexandre’s Encrypted Signer App ensures the information of both eSignature senders and signers remains private through the use of cryptographic keys.
The Encrypted Signer app is for people who don't want to share their information on centralized servers and who don’t want to confirm their identity through Dropbox Sign. Existing eSignature tools all use cloud services like AWS to host documents, and then send email requests with links to the server asking for the other party to sign. There are two problems here: First, the information on the server isn’t private, third parties can see it. And second, while you can verify that a signature request has been signed by someone, you can't verify that it has been signed by the intended person.
Alexandre’s command-line Encrypted Signer App set out to solve both of these problems by recording no information about users or what they do within the app. He accomplished this level of privacy using three core technologies: IPFS—a distributed peer-to-peer network to store the documents; OpenPGP to encrypt the documents and verify signers’ identities using public and private keys; and the Dropbox Sign API to send and sign signature requests, and share the public keys.
To ensure the highest levels of privacy, Alexandre has also made the Encrypted Signer App compatible with “air-gapped” devices—physically segregated devices incapable of connecting wirelessly or physically with other computers or network devices—like Yubikey hardware keys.
The inner working of the Encrypted Signer App
Using Javascript from the command line, the Encrypted Signer App fetches information such as the name, client ID, owner ID, and owner email address from the Dropbox Sign API.
With the returned email address, an API call is made to the OpenPGP server to look up public keys and display fingerprints for the email address, and either the fingerprint ID or the public key is returned from the OpenPGP server. Only the owner of the fingerprint ID or public key can decrypt the document with their private key. While detailing this part of the process, Alexandre explained that ”I use the OpenPGP server because it confirms that the email address you’re using is the email address that belongs to the signer.”
To send a signature request, users then provide the file name of a document they want to sign, the client ID, the email address, and the public key to encrypt the document. With this information, the Encrypted Signer App fetches the public key from the email address of the signer, via the OpenPGP API, which then encrypts the document with a private key that only the signer—the owner of the email address and public key—has access to.
The Encrypted Signer app then pushes the public key information to the Dropbox API which in turn sends a custom signature request. The body of this message is automatically written by Alexandre’s command line application which adds the public key and a URL to the encrypted version of the signature request ”The API does the heavy work in handling communications with signers. We used the Dropbox Sign JavaScript SDK which made building the custom email and the entire development process much easier.”
On the signer’s end, they receive a custom email sent via the Dropbox Sign API. When putting the public key information from the email into the Encrypted Signer App, the app makes an API call to OpenPGP and asks the user for their private key. Once a signer’s ID is verified, they’re redirected to the Dropbox Sign application to sign their document.
A vision for Encrypted Signer App’s future
"I learned a lot about the ins and outs of digital signatures. This hackathon has been a great way for me to improve my knowledge about signatures, verification, and PGP."
However, if Alexandre were to develop his Encrypted Signer App further, with more time there are several improvements he’d make. "I would think about how to export and import documents easily. Perhaps provide a PDF or text for encrypted documents. Also, I would like to add support so multiple users can sign.”
Congrats again Alexandre! We’re looking forward to seeing what creative ideas you’ll build in the future.
Stay in the loop
Thank you!
Thank you for subscribing!
