We would like to announce new functionality implemented on Sourcery. We've done a couple of vendor-specific features per request and added additional safety for buyers. A recap of our new features:
- "Bulk Shipping" functionality - to avoid having to flip back and forth between screens and pages, Sourcery presents a vendor's orders that need to be shipped with crucial metadata for fulfillment (such as item, quantity and user address). Also allows vendors to see a flatfile of these orders that can be copied and pasted locally for workflow/script integration. Finally, mark all of those orders as shipped - will help vendors deal with multiple orders in a more streamlined fashion.
- Ability for vendors to PGP sign keys used in multisig addresses to help protect the integrity of the multisig process (see below for details).
- Script to easily sign each multisig address and copy/paste result on Sourcery. Enables the previous feature to be much easier.
Signing Addresses for Multisig
In the spirit of keeping multisig safe and transparent, we've implemented an additional safety net for buyers.
The Problem: How do you actually know that the vendor BTC address/key used in creating the multisig address actually belongs to the vendor? An unscrupulous market could put in an address the market actually controls, cancelling out the benefits of multisig. The buyer has no real way of knowing that the right keys are being used.
Our Solution: Enable vendors to sign each Bitcoin address the vendor controls with their vendor PGP key, which can be verified by buyers. When a buyer purchases an item, along with each of the addresses used to create the multisig address, the buyer will also be presented with a PGP-signed message with the vendor's address - guaranteeing that the vendor does indeed control the address being used in the transaction. Given that signing each address would be a major pain for a vendor, we have a simple shell script that is run locally by the vendor and will create the signatures. In a matter of minutes, a vendor could sign dozens of addresses - giving their customers peace of mind that they actually do control the signing key used in the multisig address. See http://sourcel3zg2kzu4k.onion/open-source.php for source code. This feature is optional currently until we get vendors educated about this new feature. Once that happens, it will be mandatory for vendors to provide this for buyers. We believe we've made it really easy to do and it should take little time to pre-sign dozens of addresses.
See http://sourcel3zg2kzu4k.onion/multisig-overview.php#verify-ms for instructions and tips for verifying a multisig address.
Future Enhancements
- Scripts for aiding in the bulk shipping process for vendors.
- Ability for vendors to "pre-sign" a withdrawal against a multisig address at any point before finalization.
The last feature will enable vendors to get their funds as soon as an order is finalized and avoid having to complete the signing step after finalization. Presently, this part occurs after finalization. We will make it optional for a vendor to have a signed transaction ready for broadcast as soon as an order finalizes. At any point before finalization, a vendor will be able to upload the signed transaction to Sourcery. When the order finalizes, we will add our signature to it and broadcast it. That way, a vendor gets his/her coin as soon as the order is complete. In the current process, when an order finalizes, Sourcery creates a transaction, signs it, and then presents it to the vendor. The vendor then signs it and broadcasts it. The option for the vendor to sign before finalization will enable the vendor to get coin as soon as the order is done and not have to complete these steps afterwards. We expect this to be implemented in the next couple of days.
A note about our scripts - all scripts will be posted publicly for inspection by anyone. No scripts will expose any keys or compromise a vendor in any way. We simply want to help with the process and make multisig easier. They will be simple shell scripts that can be run offline that will make calls to electrum command line and GPG. They can of course be tweaked by a vendor to fit their own process.
We are still looking for more vendors for the market side of our service. If interested, reach out to me and we will get you set up and step you through any part of the multisig process. We are constantly working with our vendors to make this painless and easy. Our goal is truly to make multisig as simple as possible and the least intrusive to business operations. We do listen to all of our vendors and their pain points.
Sourcery Market http://sourcel3zg2kzu4k.onion/
Better hope your market doesn't get hacked! Bug hunter and cypher might be all up in that ass.