gift unwrap: add missing seal verification and rumor pubkey/ID correction #111

Open
alltheseas wants to merge 2 commits into fiatjaf:master from alltheseas:fix/gift-unwrap-safety-checks

@alltheseas

Summary

  • Verify seal signature before trusting seal.PubKey for decryption key lookup
  • Override rumor pubkey from the verified seal and recompute rumor ID

These three checks exist in nip59.GiftUnwrap() but were missing from the CLI gift unwrap path, which reimplements unwrapping inline.

Why this matters

Without these checks:

  • A forged seal with an invalid signature is silently accepted
  • The rumor's self-declared pubkey is trusted, enabling sender impersonation (NIP-17: "Clients MUST verify if pubkey of the kind:13 is the same pubkey on the kind:14")
  • The output event ID is inconsistent with its content

Breaking change

Seals with invalid signatures that were previously silently accepted will now be rejected. This is correct per NIP-59 and matches the library behavior.

Test plan

  • go build compiles cleanly
  • Existing tests unaffected (no gift wrap test coverage exists)

Fixes #110

Origin: nostrability/nostrability#169 (comment) — item 4

🤖 Generated with Claude Code

alltheseas and others added 2 commits March 8, 2026 09:56
The CLI gift unwrap path skips seal signature verification that
nip59.GiftUnwrap() performs. Without this check, a forged seal
with an arbitrary pubkey would be trusted for decryption key
lookup and sender identity.

Fixes fiatjaf#110

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

NIP-17 requires clients verify that the kind:14 pubkey matches
the kind:13 pubkey to prevent sender impersonation. The CLI
gift unwrap path outputs the rumor as-is without setting the
pubkey from the verified seal or recomputing the event ID.

This mirrors nip59.GiftUnwrap() which does both operations.
The override is placed after the ZeroID sentinel check to
preserve decryption failure detection.

Fixes fiatjaf#110

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
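
Added example, not code from this pull request or from the nip59 library: a Go sketch of the order of checks the description and commit messages above call for (reject an unverified seal before its pubkey is used, then override the rumor pubkey and recompute the NIP-01 ID). The `Event` type, `unwrapRumor`, `computeID` and the `verify`/`decrypt` callbacks are hypothetical names; the callbacks stand in for the real Schnorr check and NIP-44 decryption, the keys are constructed placeholders, and Go's JSON encoder is assumed to be close enough to NIP-01 serialization for ordinary content.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

type Event struct { // hypothetical stand-in for the library's event type
	ID, PubKey, Content, Sig string // JSON keys match case-insensitively
	Kind                     int
	Tags                     [][]string
	CreatedAt                int64 `json:"created_at"`
}

// computeID hashes the NIP-01 form [0,pubkey,created_at,kind,tags,content].
func computeID(e Event) string {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep <, > and & unescaped
	enc.Encode([]any{0, e.PubKey, e.CreatedAt, e.Kind, append([][]string{}, e.Tags...), e.Content})
	return fmt.Sprintf("%x", sha256.Sum256(bytes.TrimSpace(buf.Bytes())))
}

// unwrapRumor: verify and decrypt are caller-supplied stand-ins (assumptions).
func unwrapRumor(seal Event, verify func(Event) bool, decrypt func(Event) (string, error)) (Event, error) {
	var rumor Event
	if !verify(seal) { // must pass before seal.PubKey is used for anything
		return rumor, errors.New("seal signature invalid")
	}
	plain, err := decrypt(seal) // key lookup may now rely on seal.PubKey
	if err == nil {
		err = json.Unmarshal([]byte(plain), &rumor)
	}
	if err != nil {
		return Event{}, err
	}
	rumor.PubKey = seal.PubKey  // drop the rumor's self-declared author
	rumor.ID = computeID(rumor) // ID now matches the corrected event
	return rumor, nil
}

func main() { // constructed demo: placeholder keys, stand-in verifier and decryptor
	seal := Event{PubKey: "seal-author", Kind: 13, Sig: "valid", Content: `{"pubkey":"impostor","kind":14,"tags":[],"content":"hi"}`}
	ok := func(e Event) bool { return e.Sig == "valid" }
	dec := func(e Event) (string, error) { return e.Content, nil }
	fmt.Println(unwrapRumor(seal, ok, dec))
}
```

The printed rumor carries the seal's pubkey rather than the one it declared for itself, and an ID computed over that corrected event.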
Development

Successfully merging this pull request may close these issues.

gift unwrap: missing seal signature verification, pubkey override, and ID recomputation
