Know what
you sign.
Squads multisig proposals arrive encoded, and most signers approve what they cannot read. Cosign is a native iOS signer that decodes every instruction into plain language, so you review the real action before you add your signature. One app, two networks: test on devnet, operate on mainnet, where you are signing real funds.
A signature on bytes you cannot read.
A Squads proposal is a serialized transaction. The Squads web app can decode it, but the moment you confirm on a hardware wallet you are back to approving a hash the device cannot explain. Cosign keeps the decoded action in front of you through to the signature, so approving stays a decision rather than a leap of faith.
The decode happens on your phone.
Cosign reads the instruction bytes and works out the action locally, on the device. The relay only transports data and can run an optional simulation. It never decides what you are signing, so the plain-language action you approve is computed where your keys live.
Test on devnet.
Operate on mainnet.
Rehearse the whole flow on devnet, create squads, build proposals, sign, with nothing real at stake. Switch to mainnet in Settings when you are ready to operate. The switch is deliberate: mainnet asks you to confirm, and every mainnet signature is marked, so you always know which network you are on.
From encoded proposal to verifiable receipt.
how it worksRead the action, not the bytes.
Every instruction is decoded into plain language with a severity and a confidence read on the data. Open the raw fields whenever you want them. Nothing is hidden behind a blind signature.
Add your signature, watch the threshold close.
See who has approved and how many signatures remain. The threshold ring fills as co-signers sign, and Face ID confirms before anything is broadcast. Hold to approve keeps an accidental tap from spending anything.
Your keys stay on the device.
Keys are generated and held on your iPhone, in the iOS Keychain. Import an existing wallet from its recovery phrase or a raw Solana secret key, all behind Face ID. Cosign cannot move your funds.
Hardware signer support is on the roadmap.
A receipt you can check on-chain.
After a proposal executes, Cosign shows the signature and the decoded result, with a link to inspect the transaction on-chain. What you approved and what landed are the same thing, and you can prove it.
Only your device can sign.
trust modelCosign splits the work so the parts that matter stay with you. The relay helps you read the chain. It never holds keys and it cannot move funds. Signing happens only on your iPhone, and settlement happens only on Solana.
Match the app against the public record.
Every release is built in the open and signed, then published as a GitHub Release. The app shows its version, commit, and SHA-256 fingerprint, so you can match the build you are running against that published record, by eye or with a scan. Provenance you can check, not a black box you have to trust.
See the releases on GitHubKnow what you sign.
The safety is the same on either network: your keys stay on your device, every action is decoded before you sign, and each build is verifiable. Practice on devnet, operate on mainnet.