Replying to Avatar jb55

Damus’s build process currently bakes the current git hash into the version number in settings. You can look at this hash and compare against the source code with that version. You can clearly see in the code that the nsec never leaves the device or is ever sent to damus servers (I dont even have custom servers that damus talks to)

Not to mention there are no trackers or integrations that have the ability to send information outside of the app. This is why we open source 👌 nostr:note185tvu0nld67ler6lg0hhhuqqua7u5r2svtc5e22zknffd4uuw40s5l4ty6
Avatar
jared 2y ago

Today, let’s learn about what an nsec really is, everyone.

“It’s my private key!” you are yelling at me as you read this.

Yes, and no. The nsec does contain the private key and should be protected as such. However it uses bech32, a type-length-value (TLV) encoding scheme (with checksum) which is also used to encode the Bitcoin wallet addresses that start with “bc1”.

If, like me, you like to look closely at nips, you will find that the bech32 encoded values (nsec, npub, etc) are for displaying to humans. Nostr apps use the raw bytes of the private key (decoded from the nsec) for cryptographic operations.

So, if you audit Will’s code, make sure you follow the handling of both nsec (encoded) and the private key raw bytes (decoded).

Reply to this note

Please Login to reply.

Discussion

No replies yet.