Closed spalmer25 closed 7 months ago
Investigation:

In apdu_sign, there is a condition that checks that the destination is the same as the authorised key. This makes sense for delegation, but reveal has no destination (but a public key). A comment in operations.c indicates that reveal isn't that dangerous. Do we want to check the public_key of reveal instead of the destination?
However, it is possible to sign a reveal if it's part of the same batch of operations as a delegation.
I think it would be good to assert that pk of reveal == authorized key, and fail otherwise.
The signature of a reveal operation seems authorised but fails.
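As an added illustration of the check proposed in this thread (written for this page; it is not code from the ledger app or from any of the participants), the following C sketch models a batch validator that applies the destination check to delegation operations and a public-key check to reveal operations, rejecting the batch if either fails. The type and field names, the fixed key sizes, and the assumption that the authorised key is available both as a public key and as its hash are assumptions made here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes (illustrative): a raw public key and a public-key hash. */
#define PK_LEN  32
#define PKH_LEN 20

/* Hypothetical operation kinds; only these two are allowed in a baking batch. */
typedef enum { OP_DELEGATION, OP_REVEAL, OP_OTHER } op_kind_t;

typedef struct {
    op_kind_t kind;
    uint8_t destination[PKH_LEN]; /* delegate hash, meaningful for OP_DELEGATION */
    uint8_t public_key[PK_LEN];   /* revealed key, meaningful for OP_REVEAL      */
} operation_t;

/* Assumption: the device knows the authorised key as both pk and its hash. */
typedef struct {
    uint8_t pk[PK_LEN];
    uint8_t pkh[PKH_LEN];
} authorized_key_t;

/* Returns true only if every operation in the batch is tied to the authorised
 * key: a delegation must delegate to its hash, a reveal must reveal its public
 * key, and any other kind is rejected. An empty batch is rejected too. */
bool batch_is_authorized(const operation_t *ops, size_t n,
                         const authorized_key_t *auth) {
    if (ops == NULL || auth == NULL || n == 0) return false;
    for (size_t i = 0; i < n; i++) {
        switch (ops[i].kind) {
        case OP_DELEGATION:
            if (memcmp(ops[i].destination, auth->pkh, PKH_LEN) != 0) return false;
            break;
        case OP_REVEAL: /* the check this thread proposes: pk of reveal == authorised key */
            if (memcmp(ops[i].public_key, auth->pk, PK_LEN) != 0) return false;
            break;
        default:
            return false;
        }
    }
    return true;
}

/* Constructed sample data: byte patterns standing in for real keys. */
static void make_auth(authorized_key_t *a) {
    memset(a->pk, 0xA1, PK_LEN);
    memset(a->pkh, 0xB2, PKH_LEN);
}
static operation_t make_reveal(uint8_t fill) {
    operation_t op; memset(&op, 0, sizeof op);
    op.kind = OP_REVEAL; memset(op.public_key, fill, PK_LEN);
    return op;
}
static operation_t make_delegation(uint8_t fill) {
    operation_t op; memset(&op, 0, sizeof op);
    op.kind = OP_DELEGATION; memset(op.destination, fill, PKH_LEN);
    return op;
}

/* Scenario 1 (constructed): reveal of the authorised key, then delegation to it. */
bool example_reveal_then_delegate(void) {
    authorized_key_t auth; make_auth(&auth);
    operation_t ops[2] = { make_reveal(0xA1), make_delegation(0xB2) };
    return batch_is_authorized(ops, 2, &auth);
}

/* Scenario 2 (constructed): same batch, but the reveal carries a foreign key. */
bool example_reveal_foreign_key(void) {
    authorized_key_t auth; make_auth(&auth);
    operation_t ops[2] = { make_reveal(0xFF), make_delegation(0xB2) };
    return batch_is_authorized(ops, 2, &auth);
}

/* Scenario 3 (constructed): a lone reveal of the authorised key, no delegation. */
bool example_lone_reveal(void) {
    authorized_key_t auth; make_auth(&auth);
    operation_t ops[1] = { make_reveal(0xA1) };
    return batch_is_authorized(ops, 1, &auth);
}

int main(void) {
    printf("reveal+delegate (own key):     %s\n", example_reveal_then_delegate() ? "accepted" : "rejected");
    printf("reveal+delegate (foreign key): %s\n", example_reveal_foreign_key() ? "accepted" : "rejected");
    printf("lone reveal (own key):         %s\n", example_lone_reveal() ? "accepted" : "rejected");
    return 0;
}
```

The third scenario is the case the thread describes: with a destination-only check a lone reveal has nothing to compare and is refused, whereas checking the revealed public key lets it through while still refusing a reveal of any other key, whether alone or batched with a valid delegation.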