Closed: sethforprivacy closed this issue 11 months ago.
Example QR code for testing:
Can you add bounty and bounty amount in sats to the issue title
Done!
When scanning from QR, do we not want it saved in the keychain?
We went back and forth on that type of functionality in the Amethyst issue linked, I think both storing and not storing have valid reasons behind them. I personally wouldn't want it stored in the Keychain, but I'll leave that final choice to you.
On Tue, Aug 01, 2023 at 05:30:18AM -0700, Seth For Privacy wrote:
> When scanning from QR, do we not want it saved in the keychain?
> We went back and forth on that type of functionality in the Amethyst issue linked, I think both storing and not storing have valid reasons behind them. I personally wouldn't want it stored in the Keychain, but I'll leave that final choice to you.
I think QR-scan workflows should not store in the keychain. I assume people who are using a QR code are doing it for a specific reason, like keeping it offline, even if damus does retain it in memory during the session.
The analogy that comes to mind is a YubiKey. The key can be set up as a requirement for authentication.
Here is what I've put together. It might need a little bit of design work, but it will:
- Allow scanning of QR codes, and if it detects an nsec, will provide it to the login prompt.
- If an nsec is provided, provide the option to keep the nsec in the keychain; the default is to not store it.
- User stays logged in until they log out, or the app is force-quit.
The video recording doesn't show filled-in secure fields (Apple's video recording implementation).
https://github.com/damus-io/damus/assets/77637794/bf807d9d-aa93-4ecd-a653-16f44844708d
On Sat, Sep 30, 2023 at 08:06:05AM -0700, jerihass wrote:
> Here is what I've put together. It might need a little bit of design work, but it will:
> - Allow scanning of QR codes, and if it detects an nsec, will provide it to the login prompt.
> - If an nsec is provided, provide the option to keep the nsec in the keychain; the default is to not store it.
> - User stays logged in until they log out, or the app is force-quit.
> The video recording doesn't show filled-in secure fields (Apple's video recording implementation).
> https://github.com/damus-io/damus/assets/77637794/bf807d9d-aa93-4ecd-a653-16f44844708d
Looks great! Maybe design-wise we can make it a little QR icon instead of a button.
Nice @jerihass! Thanks! Have you tested with other hardware signing devices (do other HSDs support nostr keys)?
I haven't tested on anything besides the photo of the QR code.
If we want to support other login methods, I can start to make this a protocol, or really it should end up being a library/framework for any iOS nostr client to use. I don't have access to any HSDs (new job and rough economic situation prevent me from securing one at this time).
@kdmukai does SeedSigner have an nsec QR display feature?
Updated screens.
On Sat, Sep 30, 2023 at 02:16:48PM -0700, jerihass wrote:
> Updated screens.
I was thinking more next to the paste nsec button, gray. This doesn't need to be a primary action button.
Good. Makes more sense. Easy change to make!
On Sun, Oct 01, 2023 at 03:49:06AM -0700, jerihass wrote:
I like the 3rd one.
I forget what my experimental nostr branch supported, but I suspect the answer is no. The goal was to apply the SeedSigner philosophy in the nostr world, so it was more about signing delegations with an airgapped key that's never made hot.
@jb55 who should the bounty be sent to here? Want to be sure it gets to the right person!
@jerihass what's your npub/LNaddress ?
npub1el277q4kesp8vhs7rq6qkwnhpxfp345u7tnuxykwr67d9wg0wvyslam5n0
Thanks! 🙏
Sent!
Received!
One of the core issues with Nostr today is that generating and storing a Nostr private key is cumbersome and insecure by default. A solution to one of the problems (namely secure storage and backups) is to generate and store private keys on a secure hardware device (like Foundation's Passport) and export it only when necessary to sign into an app like Damus.
This simplifies backups (keys are derived from a master seed via the same approach as BIP 85) and allows you to never store your key in a password manager, text file, etc.
This can be implemented by allowing users to scan in the nsec formatted key via QR code when logging into Damus.
Bounty (in sats) offered for the implementation
I'm offering 100,000 sats for this once implemented and usable in Damus.
Total bounty (as of June 13th): 100,000 sats
Related Amethyst issue:
https://github.com/vitorpamplona/amethyst/issues/328
Note that this is working in Amethyst today, so it can be used for UX comparisons etc.
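Added example (mine, not Damus code) of the check the scan step has to make before an nsec read from a QR image reaches the login prompt: the payload must be a well-formed NIP-19 nsec, i.e. bech32 (BIP-173) with the "nsec" prefix, a valid checksum and exactly 32 bytes of key data. The encoder is here only to build a constructed sample key; the parser hands the key back to the caller and writes nothing to disk or the keychain, matching the default the thread settles on.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet (BIP-173)
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
HRP = [ord(c) >> 5 for c in "nsec"] + [0] + [ord(c) & 31 for c in "nsec"]  # expanded "nsec" hrp

def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk

def _convertbits(data, frombits, tobits, pad):
    """Regroup bits (8->5 when encoding, 5->8 when decoding); None on bad padding."""
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for v in data:
        acc, bits = (acc << frombits) | v, bits + frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if not pad and (bits >= frombits or (acc << (tobits - bits)) & maxv):
        return None  # decoding: leftover bits must be fewer than 5 and all zero
    if pad and bits:
        out.append((acc << (tobits - bits)) & maxv)
    return out

def encode_nsec(key: bytes) -> str:
    """Encode a 32-byte secret key as nsec1...; used here only to build a constructed sample."""
    data = _convertbits(key, 8, 5, True)
    chk = _polymod(HRP + data + [0] * 6) ^ 1
    data += [(chk >> 5 * (5 - i)) & 31 for i in range(6)]
    return "nsec1" + "".join(CHARSET[d] for d in data)

def parse_scanned_nsec(payload: str):
    """Return the 32-byte key if the scanned payload is a well-formed nsec, else None."""
    s = payload.strip()
    if s != s.lower() and s != s.upper():  # mixed case is invalid bech32
        return None
    s = s.lower()
    if not s.startswith("nsec1") or len(s) != 63:  # hrp + '1' + 52 data + 6 checksum chars
        return None
    try:
        data = [CHARSET.index(c) for c in s[5:]]
    except ValueError:  # character outside the bech32 alphabet
        return None
    if _polymod(HRP + data) != 1:  # checksum failed: mis-scan or tampering
        return None
    key = _convertbits(data[:-6], 5, 8, False)  # strip checksum, regroup 5-bit groups into bytes
    return bytes(key) if key is not None and len(key) == 32 else None
```

Uppercase input is accepted because QR alphanumeric mode commonly carries bech32 in uppercase; anything that fails the checksum or decodes to other than 32 bytes is rejected rather than passed on to login.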