I think this is interesting.
I would like to play with the ux of the function that hashes the data for you, maybe by passing in a hasher instead of just being generic over one.
Anyhow, I think an API that hashes for you is a safer API.

I thought about the APIs in place here quite some time while implementing a PoC that uses the secp256k1 curve in ways other than just signing Bitcoin transactions and I found the Message API to be particularly constraining.

Here is a proposal for dealing with the whole ThirtyTwoByteHash and "how do we make rust-secp256k1 and bitcoin_hashes play nicely with each other" topic: #211

While your implementation looks technically sound and maybe even a bit more idiomatic too I'm not sure if we want to encourage to use arbitrary [u8;32]s to construct messages. Imo an API should make it easy to do the right thing and hard to do the wrong thing. Thinking about that this PR should also add a warning to from_slice that refers to the new API. See also this discussion.

If there is ever a common and sane need to sign anything other than a hash we can extend the API. E.g. a Random([u8;32]) struct that can only be constructed using a cryptographically secure RNG and implements ThirtyTwoByteHash would be nice. After thinking about it that's probably a bad idea.

Imo an API should make it easy to do the right thing and hard to do the wrong thing. Thinking about that this PR should also add a warning to from_slice that refers to the new API.

I tend to agree with that but it is kind of tricky depending on the abstraction level of your library (more low-level APIs tend to be unsafer in their usage). The fact that rust-bitcoin, rust-secp256k1 and bitcoin_hashes are three different crates put some artificial restrictions in place here.
We now have an optional feature to bitcoin_hashes in a crate that is only supposed to deal with an elliptic curve. That is kind of odd, no?
That is why I went with raw byte arrays as that is the lowest common denominator between those crates (assuming we want to keep the current split as is).

Currently, the from_slice function doesn't do any checks apart from the length. From that state, it seems pretty pointless to have as array length is something that can be enforced by the type system.

However, the trait documentation mentions things like all-zero messages and ones that overflow the group order. That sounds like we should actually be doing more checks in the from_slice constructor than what we are doing today?

Having a hashing crate as an optional dependency isn't odd at all since the only sane way to sign anything is to hash it first. This crate is also primarily a BTC crypto lib, so having a tighter integration with a bitcoin specific hash library isn't too bad imo. While secp256k1 the c library is quite low level this crate should have (and has afaik) the goal to be more use friendly and to have safe abstractions.

I see that yet another dependency to be updated isn't ideal, but it's a trade off I'm willing to make for a safe API. Alternatively there could be a separate crate secp256k1-safe that contains the ThirtyTwoByteHash trait and has both bitcoin_hashes and secp256k1 as dependencies and just pub uses the relevant structs from both. But that seems a bit over the top.

We now have an optional feature to bitcoin_hashes in a crate that is only supposed to deal with an elliptic curve. That is kind of odd, no?

Who said that it's supposed to deal with an elliptic curve? The README states "rust-secp256k1 is a wrapper around libsecp256k1, a C library by Pieter Wuille for producing ECDSA signatures using the SECG curve secp256k1".

So the main point of this library is to create (and verify) ECDSA signatures. And ECDSA relies on an elliptic curve and a hash function. People tend to forget about the hash function.

Having a hashing crate as an optional dependency isn't odd at all since the only sane way to sign anything is to hash it first.

Worse, it's actually not "signing" if you don't do the hash.

So the main point of this library is to create (and verify) ECDSA signatures. And ECDSA relies on an elliptic curve and a hash function. People tend to forget about the hash function.

That is a fair point. I guess something like this Digest trait could be useful as-well then the signing part wouldn't be limited to the hash functions defined in bitcoin_hashes.

In any case, this sounds to me like we should just directly remove from_slice? At least in its current state, its existence is inconsistent with the goal of providing safe abstractions.

That is a fair point. I guess something like this Digest trait could be useful as-well then the signing part wouldn't be limited to the hash functions defined in bitcoin_hashes.

I'm not a big fan of traits like Digest, because I then see people writing higher abstractions, while still making them generic over the trait and in the end it's the user who needs to decide the exact hash function, and there's a bunch of unsafe hash functions that implement this trait.
Worse than that, the user can accidentally "choose" a hash function because of the trait system.

I'm not sure what the best option here is.
IMHO libsecp should've been designed such that it hashes the data on signing/verifying instead of passing an already hashed data, although then some altcoins wouldn't like that because it would limit it to SHA2 only.

IMHO libsecp should've been designed such that it hashes the data on signing/verifying

The problem with that is (and why this crate shouldn't have an API like that either) that a naive implementation fn sign(sec_key: &SecretKey, msg: &[u8]) -> Signature would require the application to be able to keep the data that has to be signed completely in memory (hard for microcontrollers). If you use something like a signer that impls Write that signer had to keep the intermediate hashing state, an odd combination imo. So having different methods to acquire a hash and then giving it to a sign function while the type system enforces it's hash-ness seems to be at least a local API design optimum.

while the type system enforces it's hash-ness seems to be at least a local API design optimum.

We are not achieving this as long as from_slice is around.

I added documentation that makes it pretty clear to normally use the new API and only use from_slice if you know what you are doing.