A NIP-07 browser extension that uses the OS's keychain or YubiKey to protect your private keys.
A NIP-07 browser extension that uses the OS's keychain or YubiKey to protect your private keys.
@noble/secp256k1
and @scure/base
)There are already great extensions like nos2x or Alby for NIP-07. Unlike these existing extensions, nostr-keyx
uses the OS's native keychain application or YubiKey to store your private key instead of the web browser's local storage. Your private keys are encrypted by the operating system or by YubiKey. In addition, all of the NIP-07 functions (signEvent
, encrypt
, decrypt
, etc.) are executed outside of the web browser's memory. So it might be less risky than other extensions. I hope this extension helps you too.
nostr-keyx
.nostr-keyx-{version}.zip
will be extracted to nostr-keyx-{version}
folder.git
and build from sourceNote: For Windows, install Git for Windows, start
git-bash
and runnpm config set script-shell /usr/bin/bash
. Otherwise, you will get error atnpm run build
.
# install latest stable version of Node.js
node -v # I have tested on v18.16.0
git clone https://github.com/susumuota/nostr-keyx.git
cd nostr-keyx
npm ci
npm run build
nostr-keyx
.chrome://extensions
.Developer mode
on.Load unpacked
./path/to/dist/extension
.id
of the extension. e.g. jhpjgkhjimkbjiigognoefgnclgngklh
. We will use it later.nostr-keyx
uses Node.js to provide NIP-07 functions and access the OS's native keychain application.node
command is available in your terminal (type which node
to confirm).Note: I recommend that you should check the content of
install.sh
before you run it. I have tested it in my environment, but I cannot guarantee anything. Basically,install.sh
performs the steps on this page inbash
script.
install.sh
to install the native messaging host.cd /path/to/dist/macos # or linux
cat ./install.sh # confirm before you run it
bash ./install.sh # or bash ./install.sh <extension_id>
id
of the extension. e.g. jhpjgkhjimkbjiigognoefgnclgngklh
. You can find the id
of the extension in Chrome's extensions setting page chrome://extensions
.uninstall.sh
.cat ./uninstall.sh # confirm before you run it
bash ./uninstall.sh
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Unblock-File
to unblock PowerShell script files that were downloaded from the internet so you can run them. See details here.cd C:\path\to\dist\windows
Unblock-File .\install.ps1
Unblock-File .\uninstall.ps1
Unblock-File .\add_privatekey.ps1
Unblock-File .\get_privatekey.ps1
Note: I recommend that you should check the contents of PowerShell script files before you run them. I have tested them in my environment, but I cannot guarantee anything. Basically,
install.ps1
performs the steps on this page in PowerShell.
install.ps1
to install the native messaging host.cat .\install.ps1 # confirm before you run it
.\install.ps1
id
of the extension. e.g. jhpjgkhjimkbjiigognoefgnclgngklh
. You can find the id
of the extension in Chrome's extensions setting page chrome://extensions
.uninstall.ps1
.cat .\uninstall.ps1 # confirm before you run it
.\uninstall.ps1
default
. You can add other account names, but they must consist of alphanumeric characters, underscores, periods or hyphens.nostr-keyx
.Note: If you need private keys for test, you can generate them with
npm run genkey
(needs source, see option 2 above).
security
nsec1...
) to clipboard.security add-generic-password
command to create a new entry for your private key. Here, -a
specifies the account name e.g default
, -s
specifies the service name (service MUST be nostr-keyx
), and -w
means the password will be asked.security add-generic-password -a default -s nostr-keyx -w
# paste your private key (e.g. nsec1....)
# paste it again
find-generic-password
sub command will show the password.security find-generic-password -a default -s nostr-keyx -w
delete-generic-password
sub command.security delete-generic-password -a default -s nostr-keyx
default
, bot
, test
, etc. But service name MUST be nostr-keyx
.Note: Right now,
security
command can access the private key without password. But you can revoke that by Keychain Access application. See the next section.
Keychain Access
and open it.File
menu > New Password Item...
nostr-keyx
to Keychain Item Name
(the first text field).default
to Account Name
(the second text field).nsec1...
) to clipboard.Password
(the third text field).Add
.nostr-keyx
.security
command to confirm that the private key can be accessed via security
command.security find-generic-password -a default -s nostr-keyx -w
Note: When you try to access private key, you will be asked to enter your password. You can click
Always Allow
to allow the access without password. When you want to revoke that, you can change the access control of the entry. Right click the entry and selectGet Info
. Then, clickAccess Control
tab and clicksecurity
onAlways allow access by these applications:
area then click-
button to remove it. Now you will be asked to enter your password when you try to access the private key viasecurity
command.
add_privatekey.ps1
add_privatekey.ps1
whether it is safe to run. See details here and here.nsec1...
) to clipboard.add_privatekey.ps1
to create a new entry for your private key. You MUST pass nostr-keyx
as an argument.cat .\add_privatekey.ps1 # confirm before you run it
.\add_privatekey.ps1 "nostr-keyx"
default
to User name
field, paste your private key to Password
field, then click OK
.get_privatekey.ps1
whether it is safe to run. See details here and here.get_privatekey.ps1
to get your private key.cat .\get_privatekey.ps1 # confirm before you run it
.\get_privatekey.ps1 "default" "nostr-keyx"
credential manager
in the search box on the taskbar and select Credential Manager Control panel.Web Credentials
and you will see the entry for your private key.pass
pass
. See this page.nsec1...
) to clipboard.pass insert
command to create a new entry for your private key.pass insert nostr-keyx/default
# paste your private key (e.g. nsec1....)
# paste it again
gpg
pinentry-mac
(for macOS) or GUI-based pinentry
(for Linux).brew install pinentry-mac
cd /path/to/dist/macos # or linux
gpg -sea --default-recipient-self > nostr_privatekey.asc
# paste the private key, enter, and Ctrl+D
gpg -d nostr_privatekey.asc
gpg -d nostr_privatekey.asc
yubikey.sh
script./bin/sh -c ./yubikey.sh 2> /dev/null
yubikey
on extension popup settings. See Usage
section below.chrome://extensions/
.NIP-07
section on the settings.Service Worker
to open dev console of the extension.await chrome.storage.local.clear();
await chrome.storage.sync.clear();
await chrome.storage.session.clear();
Verbose
to show debug logs.Nostr extension login
for Iris or Login with Extension (NIP-07)
for Snort. It should use window.nostr.getPublicKey
to get public key.window.nostr.signEvent
to sign events with private key.window.nostr.nip04.encrypt/decrypt
to encrypt/decrypt messages.default
, yubikey
, bot
, etc.yubikey
.+
button and enter your account name, then press ADD
.+
button and enter a new URL, then press ADD
.signEvent
, encrypt
and decrypt
). You should keep your eyes on the growth of this number in order to monitor the behavior of web-based Nostr clients. The number is reset to zero when it reaches 10 due to space limitations in the popup icon.relays
.window.nostr
capability for web browsers.MIT License, see LICENSE file.
S. Ota
npub1susumuq8u7v0sp2f5jl3wjuh8hpc3cqe2tc2j5h4gu7ze7z20asq2w0yu8