cosign

Know what
you sign.

Squads multisig proposals arrive encoded, and most signers approve what they cannot read. Cosign is a native iOS signer that decodes every instruction into plain language, so you review the real action before you add your signature. One app, two networks: test on devnet, operate on mainnet, where you are signing real funds.

Public beta · Native iOS · SwiftUI · Squads v4 · keys held on device
9:41
Proposal 14 · Operations
Encoded instruction
program: Vote111111111111
data: 02 00 00 00 7c 9a f3 1b
a4 05 e2 00 3a d1 90 4f 8c
6b 21 ff 0e 55 c3 88 12 ad
accounts: 7cNd… · SqDs… · 11111…
Unreadable without decoding
SOL transfer
Review
Amount250 SOL
To7cNd…xK29
FromOperations · Vault 01
ConfidenceDecoded
Hold to approve
The problem

A signature on bytes you cannot read.

A Squads proposal is a serialized transaction. The Squads web app can decode it, but the moment you confirm on a hardware wallet you are back to approving a hash the device cannot explain. Cosign keeps the decoded action in front of you through to the signature, so approving stays a decision rather than a leap of faith.

Toggle the panel to see the difference.
Raw proposal
program: Vote1111111111111111111111
data: 02 00 00 00 7c 9a f3 1b a4 05 e2 00
3a d1 90 4f 8c 6b 21 ff 0e 55 c3 88 12 ad
7f b2 44 91 0c 6e 33 a0 d5 1e 8b
accounts: 7cNd…xK29 · SqDs…op3X · 1111…
You are asked to approve this.
SOL transfer
Review
Amount250 SOL
Recipient7cNd…xK29
From vaultOperations · Vault 01
ConfidenceDecoded from the on-chain program
On-device decode

The decode happens on your phone.

Cosign reads the instruction bytes and works out the action locally, on the device. The relay only transports data and can run an optional simulation. It never decides what you are signing, so the plain-language action you approve is computed where your keys live.

RELAY
Transports data · optional simulation
no keys
instruction bytes
YOUR DEVICE
02 00 7c 9a f3…Send 250 SOL
Decoded locally, then signed with Face ID
One app, two networks

Test on devnet.
Operate on mainnet.

Rehearse the whole flow on devnet, create squads, build proposals, sign, with nothing real at stake. Switch to mainnet in Settings when you are ready to operate. The switch is deliberate: mainnet asks you to confirm, and every mainnet signature is marked, so you always know which network you are on.

ACTIVE NETWORK
Devnet
Test network · practice freely
Mainnet
Real funds
REAL FUNDS
Switching to mainnet asks you to confirm
Every mainnet signature is marked at signing

From encoded proposal to verifiable receipt.

how it works
Cosign decoded proposal detail Cosign sign sheet threshold ring Cosign import wallet behind Face ID Cosign verifiable receipt
01Decoded and inspectable

Read the action, not the bytes.

Every instruction is decoded into plain language with a severity and a confidence read on the data. Open the raw fields whenever you want them. Nothing is hidden behind a blind signature.

02Co-sign to the threshold

Add your signature, watch the threshold close.

See who has approved and how many signatures remain. The threshold ring fills as co-signers sign, and Face ID confirms before anything is broadcast. Hold to approve keeps an accidental tap from spending anything.

03Self-custody

Your keys stay on the device.

Keys are generated and held on your iPhone, in the iOS Keychain. Import an existing wallet from its recovery phrase or a raw Solana secret key, all behind Face ID. Cosign cannot move your funds.

Hardware signer support is on the roadmap.

04Verifiable receipt

A receipt you can check on-chain.

After a proposal executes, Cosign shows the signature and the decoded result, with a link to inspect the transaction on-chain. What you approved and what landed are the same thing, and you can prove it.

Only your device can sign.

trust model

Cosign splits the work so the parts that matter stay with you. The relay helps you read the chain. It never holds keys and it cannot move funds. Signing happens only on your iPhone, and settlement happens only on Solana.

Your iPhone
holds keys · decodes · signs
Keys generated and held in the Keychain
Signs transactions behind Face ID
Decodes the proposal locally, then signs
The relay
transports · simulates
Transports data and offers optional simulation
Holds no keys, takes no custody
Cannot sign or move your funds
Solana
settles · public
Executes the signed transaction
The multisig program enforces the threshold
Public record anyone can verify
signing path, on your device only·the relay sits outside it
Verifiable builds

Match the app against the public record.

Every release is built in the open and signed, then published as a GitHub Release. The app shows its version, commit, and SHA-256 fingerprint, so you can match the build you are running against that published record, by eye or with a scan. Provenance you can check, not a black box you have to trust.

See the releases on GitHub
Verified build
View release
v0.1.0
Releasev0.1.0+1751312345
Commitaca62f4c
Fingerprint · SHA-256
aca62f4c9d3b71e04f2a8c61bd09e710f5a23c4e8b90d172a6f3c5

Know what you sign.

The safety is the same on either network: your keys stay on your device, every action is decoded before you sign, and each build is verifiable. Practice on devnet, operate on mainnet.

cosign
Public beta · devnet + mainnet