Home

Awesome

nostr-keyx: Nostr Key Management Extension

GitHub release GitHub License GitHub Workflow Status GitHub last commit ā€ƒ EN | JA | ES | ZH

A NIP-07 browser extension that uses the OS's keychain or YubiKey to protect your private keys.

keychain

There are already great extensions like nos2x or Alby for NIP-07. Unlike these existing extensions, nostr-keyx uses the OS's native keychain application or YubiKey to store your private key instead of the web browser's local storage. Your private keys are encrypted by the operating system or by YubiKey. In addition, all of the NIP-07 functions (signEvent, encrypt, decrypt, etc.) are executed outside of the web browser's memory. So it might be less risky than other extensions. I hope this extension helps you too.

Download

Option 1: Download zip file

Option 2: Download with git and build from source

Note: For Windows, install Git for Windows, start git-bash and run npm config set script-shell /usr/bin/bash. Otherwise, you will get error at npm run build.

# install latest stable version of Node.js
node -v  # I have tested on v18.16.0
git clone https://github.com/susumuota/nostr-keyx.git
cd nostr-keyx
npm ci
npm run build

Install

Install Chrome extension

Install Node.js

Install Chrome native messaging host

For macOS and Linux

Note: I recommend that you should check the content of install.sh before you run it. I have tested it in my environment, but I cannot guarantee anything. Basically, install.sh performs the steps on this page in bash script.

cd /path/to/dist/macos  # or linux
cat ./install.sh        # confirm before you run it
bash ./install.sh       # or bash ./install.sh <extension_id>
cat ./uninstall.sh      # confirm before you run it
bash ./uninstall.sh

For Windows

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
cd C:\path\to\dist\windows
Unblock-File .\install.ps1
Unblock-File .\uninstall.ps1
Unblock-File .\add_privatekey.ps1
Unblock-File .\get_privatekey.ps1

Note: I recommend that you should check the contents of PowerShell script files before you run them. I have tested them in my environment, but I cannot guarantee anything. Basically, install.ps1 performs the steps on this page in PowerShell.

cat .\install.ps1    # confirm before you run it
.\install.ps1
cat .\uninstall.ps1  # confirm before you run it
.\uninstall.ps1

Setup

Note: If you need private keys for test, you can generate them with npm run genkey (needs source, see option 2 above).

For macOS: Option 1: Using command security

security add-generic-password -a default -s nostr-keyx -w
# paste your private key (e.g. nsec1....)
# paste it again
security find-generic-password -a default -s nostr-keyx -w
security delete-generic-password -a default -s nostr-keyx

Note: Right now, security command can access the private key without password. But you can revoke that by Keychain Access application. See the next section.

For macOS: Option 2: Using Keychain Access

new_password_item

security find-generic-password -a default -s nostr-keyx -w

Note: When you try to access private key, you will be asked to enter your password. You can click Always Allow to allow the access without password. When you want to revoke that, you can change the access control of the entry. Right click the entry and select Get Info. Then, click Access Control tab and click security on Always allow access by these applications: area then click - button to remove it. Now you will be asked to enter your password when you try to access the private key via security command.

revoke_application

For Windows: Using command add_privatekey.ps1

cat .\add_privatekey.ps1           # confirm before you run it
.\add_privatekey.ps1 "nostr-keyx"

get_credential

cat .\get_privatekey.ps1           # confirm before you run it
.\get_privatekey.ps1 "default" "nostr-keyx"

credential_manager

For Linux: Using command pass

pass insert nostr-keyx/default
# paste your private key (e.g. nsec1....)
# paste it again

For YubiKey: Using command gpg

brew install pinentry-mac
cd /path/to/dist/macos  # or linux
gpg -sea --default-recipient-self > nostr_privatekey.asc
# paste the private key, enter, and Ctrl+D
gpg -d nostr_privatekey.asc
gpg -d nostr_privatekey.asc
/bin/sh -c ./yubikey.sh 2> /dev/null

Test it on Iris or Snort

await chrome.storage.local.clear();
await chrome.storage.sync.clear();
await chrome.storage.session.clear();

Usage

popup

Experimental features

image

Potential risks

TODO

Source code

Related Links

License

MIT License, see LICENSE file.

Author

S. Ota