Keep your main identity key safely offline while authorizing a different key to sign on your behalf.
Demo of Keith's experimental Nostr integration.
Other posts:
- Generate a new airgapped Nostr key via SeedSigner
- Airgapped Nostr event signing via SeedSigner
- Airgapped NIP-26 Nostr key delegation via SeedSigner
As in previous posts, your bitcoin BIP-39 mnemonic is used to derive your main Nostr key. Pull it out of cold storage and load it into SeedSigner. Jump into the experimental Nostr section and start your delegation.
When Nostr clients fully support airgapped NIP-26 delegation, we'll be able to just scan a token from the client app. For now, though, we have to construct the delegation token ourselves.
Select which event kinds the delegatee will be authorized to sign on our behalf. Keep permissions as minimal as possible.
Set the valid_from and valid_until dates for the delegation. Shorter ranges are safer, but that has to be balanced against pulling your main key out of cold storage more often to reauthorize delegations.
Which key are you going to delegate to? Remember, in a full NIP-26 world, the Nostr client app does all this for us. Until then, we have these additional hoops to jump through.
Just as you carefully review a bitcoin transaction (PSBT), we present all the vital details of the delegation for you to verify.
Last hoop: since there's no client support yet, I have to pass the unsigned delegation token back to my Python code.
The resulting QR code is already pretty dense and hard for a webcam to read.
NOW we can finally sign the NIP-26 delegation token with our airgapped main identity key.
And pass that signature to the Nostr client via QR.
At this point our delegatee key can use the signed delegation token to sign events on our behalf.
We used our completely offline, airgapped Nostr main identity key to delegate signing authority to a different key that we could keep "hot" in a Nostr client app.
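The unsigned token assembled in the steps above, and the scope check a verifier applies to it, as an added example that is not code from the SeedSigner branch. It assumes the NIP-26 delegation string layout (`nostr:delegation:<delegatee pubkey>:<conditions>`), treats several `kind=` conditions as alternatives, and stops at the SHA-256 digest that the airgapped key would sign; the function names, pubkey and timestamps are constructed for illustration.

```python
import hashlib

# Constructed sample values (not from the original post).
DELEGATEE = "ab" * 32            # hypothetical 32-byte delegatee pubkey, hex
VALID_FROM, VALID_UNTIL = 1675000000, 1677592000   # 30-day window

def build_delegation_token(delegatee_hex, kinds, valid_from, valid_until):
    """Return the unsigned delegation string for the chosen restrictions."""
    if len(bytes.fromhex(delegatee_hex)) != 32:
        raise ValueError("delegatee pubkey must be 32 bytes of hex")
    if not kinds:
        raise ValueError("refusing to delegate without a kind restriction")
    if valid_from >= valid_until:
        raise ValueError("valid_from must be earlier than valid_until")
    conds = [f"kind={k}" for k in sorted(set(kinds))]
    conds += [f"created_at>{valid_from}", f"created_at<{valid_until}"]
    return f"nostr:delegation:{delegatee_hex}:{'&'.join(conds)}"

def signing_digest(token):
    """SHA-256 of the token: the 32-byte value the main key signs."""
    return hashlib.sha256(token.encode("utf-8")).digest()

def event_allowed(token, signer_hex, kind, created_at):
    """Verifier-side check of one event; non-numeric values raise ValueError."""
    parts = token.split(":", 3)
    if len(parts) != 4 or parts[:2] != ["nostr", "delegation"]:
        return False
    if parts[2] != signer_hex:          # event must come from the delegatee
        return False
    kinds = set()
    for cond in parts[3].split("&"):
        if cond.startswith("kind="):
            kinds.add(int(cond[5:]))
        elif cond.startswith("created_at>"):
            if created_at <= int(cond[11:]):
                return False
        elif cond.startswith("created_at<"):
            if created_at >= int(cond[11:]):
                return False
        else:
            return False                # unknown condition: fail closed
    return kind in kinds if kinds else True

if __name__ == "__main__":
    token = build_delegation_token(DELEGATEE, [1], VALID_FROM, VALID_UNTIL)
    print(token)
    print(signing_digest(token).hex())
    print(event_allowed(token, DELEGATEE, 1, VALID_FROM + 60))   # in scope
    print(event_allowed(token, DELEGATEE, 4, VALID_FROM + 60))   # wrong kind
```

A full verifier would also check the main key's Schnorr signature over `signing_digest(token)`, which is left out here because it needs a secp256k1 library.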
CAVEATS: This is all just an experimental SeedSigner dev branch. I built this branch just to show what's possible. Maybe it will make sense to release it as an officially-supported SeedSigner feature. Maybe not.
If you'd like to see me present this work at Nostrica, please consider helping to fund my travel expenses by DMing my fundraiser bot: @npub1yv3yqhzql8n9sj3zndulzdtx7axlcs6y2k2aun6qau7qmyvr8umsljm9zn, hitting my btcpay server, or via lnurl