Replying to Alex Gleason

Shakespeare on-chain wallet experiment: https://nostr-to-bitcoin.shakespeare.wtf/

Your Nostr identity is your Bitcoin wallet. You can send Bitcoin to any npub. No setup is required by either party. It "just works"

nice one!

do you know why the address is different than the one that deezy.place generates?

and btw. sending should also work with the extension, there are all necessary signing methods available.


Discussion

The generic signing method in Alby is a major security vulnerability. People don't know what they're signing or how much. We need a dedicated signBitcoinTransaction method.

I apologize for my ignorance, but what is wrong with that?

>It's not possible to sign an arbitrary message with any sort of signature scheme by Trezor.

>

>It would be really stupid to allow this: if the message is arbitrary, you can stuff in, say, a valid Bitcoin transaction. Then it's a matter of crafting a clever malware, telling the user: "Security check: please confirm the following characters on your Trezor screen to validate your wallet", and stealing their money.

>

>The SignMessage APIs look like they accept an arbitrary message, but they don't sign it: the data that is actually signed is "Bitcoin Signed Message:\n(11 bytes)hello world" or something along these lines.

>

>Even if that is good enough for you, this feature currently does not support Schnorr signatures :( because there hasn't yet emerged a standard for taproot message signing.

Source: https://www.reddit.com/r/TREZOR/comments/vrftwn/comment/iexubo7/
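To make the quoted point concrete, here is an added example (not code from this thread, Trezor, or any wallet) of the digest construction the comment describes: a signer that hashes the caller's bytes directly produces exactly the digest a legacy transaction signature commits to, while the "Bitcoin Signed Message:\n" prefix with its CompactSize length guarantees the two can never coincide. The transaction preimage below is a constructed placeholder, not a real transaction.

```python
import hashlib

# Legacy SignMessage prefix: 1-byte length (0x18 = 24) then "Bitcoin Signed Message:\n".
MESSAGE_PREFIX = b"\x18Bitcoin Signed Message:\n"

def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize (varint) encoding of a length."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")

def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin applies to both messages and transactions."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def signed_message_preimage(message: bytes) -> bytes:
    """Bytes a prefixed SignMessage API actually hashes: prefix || len(message) || message."""
    return MESSAGE_PREFIX + compact_size(len(message)) + message

def prefixed_sign_digest(message: bytes) -> bytes:
    """Digest a wallet signs when it applies the prefix (domain-separated)."""
    return sha256d(signed_message_preimage(message))

def generic_sign_digest(message: bytes) -> bytes:
    """Hypothetical 'sign anything' API that hashes the caller's bytes as-is."""
    return sha256d(message)

def legacy_tx_sighash(tx_preimage: bytes) -> bytes:
    """Digest a legacy transaction signature commits to: sha256d of the
    serialized signing preimage, which already ends in the 4-byte sighash type."""
    return sha256d(tx_preimage)

# Constructed stand-in for a serialized legacy transaction preimage
# (version, dummy body, SIGHASH_ALL); not a real transaction.
CONSTRUCTED_TX_PREIMAGE = b"\x01\x00\x00\x00<constructed tx body>\x01\x00\x00\x00"

def generic_digest_spends(tx_preimage: bytes) -> bool:
    """True: a generic signer's signature over the tx bytes is a valid tx signature."""
    return generic_sign_digest(tx_preimage) == legacy_tx_sighash(tx_preimage)

def prefixed_digest_spends(tx_preimage: bytes) -> bool:
    """Always False: the prefix changes the hashed bytes, so the signature cannot spend."""
    return prefixed_sign_digest(tx_preimage) == legacy_tx_sighash(tx_preimage)
```

The same reasoning is why a dedicated transaction-signing call (one that shows the user the amounts and outputs it is about to commit to) is the safer design than a generic sign-these-bytes method.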

do you think there is a difference between a hardware wallet and a web wallet associated with a nostr key?

for me it's kinda confusing to apply something from a hardware wallet to a web wallet that works with a nostr key and also prompts users for the actual private key

Thank you for the thoughtful response.

that basically says the user is a security vulnerability, or that we have too complicated a system where users need to sign events that they don't understand? :) (at the same time users complain they get asked too much) and any signing prompt is imo better than handing over the private key.

generally the user needs a bit of trust in the webapp. otherwise signing something is never a good idea imo.

I think there is a signPsbt function.