Soatok Dreamseeker on Nostr: nprofile1q…h7ucx If the recipient had the Ed25519 public key for the sender, OOB, ...
nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpq7xkgpdpy5aperha7elprzgej0vpzhc0ma80fn96re3zqjpv286rqkh7ucx (nprofile…7ucx) If the recipient had the Ed25519 public key for the sender, OOB, they wouldn't need to embed it in plaintextWithMetadata.
In fact, it never does anything further to validate senderEd25519PublicKey.
You can check yourself: https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/messaging/sending_receiving/MessageDecrypter.kt#L44-L56
Instead, it returns a Pair<plaintext, x25519publickey>.
This is then returned to the UI: https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/messaging/sending_receiving/MessageReceiver.kt#L81-L88
Then this public key is parsed out as `sender in https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/messaging/sending_receiving/MessageDecrypter.kt#L44-L56
And the only check in isValid() is that it's non-empty: https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/messaging/messages/visible/VisibleMessage.kt#L32-L34
In fact, it never does anything further to validate senderEd25519PublicKey.
You can check yourself: https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/messaging/sending_receiving/MessageDecrypter.kt#L44-L56
Instead, it returns a Pair<plaintext, x25519publickey>.
This is then returned to the UI: https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/messaging/sending_receiving/MessageReceiver.kt#L81-L88
Then this public key is parsed out as `sender in https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/messaging/sending_receiving/MessageDecrypter.kt#L44-L56
And the only check in isValid() is that it's non-empty: https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/messaging/messages/visible/VisibleMessage.kt#L32-L34