March 2025 Update to ETH Vault Sovereign Recovery

Recent updates to the Safe application now require a forked version of the Metamask Chrome extension to connect Ledger and Trezor to the Safe web interface.

Recent updates to the Safe application necessitate the use of either the Wallet Connect or MetaMask browser extension for connecting hardware devices. However, it's important to note that both Wallet Connect and MetaMask impose restrictions on the derivation path, which unfortunately prevents the use of Casa's BIP-45 derivation path.

We are currently collaborating with the Safe team to address and resolve this limitation.

This guide provides instructions for utilizing a modified version of the MetaMask Chrome browser extension that supports Casa's derivation path.

Reference this guide on Sovereign Recovery for ETH Vaults for complete information. The following information replaces step 7b "To connect a hardware device".

Steps to Connect Hardware Device

Download the MetaMask browser extension from the Casa Github repository.
Optional: Verify the plugin download.
Extract the file into a directory on your computer.
Go to chrome://extensions/ in your browser.
Turn on Developer Mode with the toggle in the top right.
Select Load unpacked in the top left.
Navigate to the unzipped directory and select the Chrome extension.
NOTE - If you have MetaMask installed in you browser, you will have to select the custom extension for the Casa derivation path to work.
Connect the hardware to MetaMask, when selecting the accounts from the screen, choose BIP45 Hardened.
The first account in this list should the the contract owner the Casa Vault. This can be verified in the Safe app.
Select the owner address from the list and click Unlock.
This adds the address to MetaMask.
Return to the Safe interface and select the forked MetaMask extension to connect the owner account to Safe and sign the transaction.

Verifying the plugin download with GPG

Verifying the integrity of the downloaded plugin is a recommended, though optional, measure. By utilizing GPG signatures for verification, you can ensure that you are installing the exact plugin published by Casa's engineering team.

To verify signatures, you will need to have gpg or gpg2 installed on your system (see here for macOS or Windows).

Once you’ve installed gpg, you’ll need to use the command line. You can do this by opening Terminal.app in macOS, or Start > Run > cmd in Windows.

Import the keys that have signed this release by running the following command in Terminal.

curl https://cdn.prod.website-files.com/64931939e37b1297d83d6938/67d484b003b69d41f2951491_casa_security.txt | gpg --import

1. The key and fingerprint is also available on our website here.
Download the plugin from here and the signature file from here to your Downloads directory.
In Terminal, run cd Downloads to enter the Downloads directory.
Verify the downloaded plugin with the following command:

gpg --verify metamask-chrome-12.10.1.zip.asc metamask-chrome-12.10.1.zip

You should see an output similar to this:

gpg: Signature made Thu Mar 13 14:16:27 2025 MDT
gpg: using EDDSA key DA13DC1487496457C8C3D66CE648DD9D1D0F9818
gpg: Good signature from "Casa Security <security@team.casa>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DA13 DC14 8749 6457 C8C3 D66C E648 DD9D 1D0F 9818

The following warning is OK. This means that you have not marked the Casa Security team's GPG key as something that can be explicitly trusted. It is safe to ignore.

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

Congratulations! You have verified the plugin download. You can return to Step 3 above.