My idea is the .xml file is read it as a simple string. The host or feed builder ...

npub1yvg…6pv9

2025-02-19 17:33:40

in reply to nevent1q…pxu8

My idea is the .xml file is read it as a simple string. The host or feed builder would minify the string using a standardized function (this helps to remove extra spaces, new lines, etc that would create a different hash), then hashes it, signs the hash, then add that signature to the xml file.
Adding the signature to the file of course breaks the hash.
So to verify, an app would first remove the signature from the xml file, then minify the string using the same function the host did, then hash then hash it. The string should match the string that was originally hashed because the signature was removed first, and the hashes should match.

And yes, there would have a specific tag to add and remove to ensure nothing extra was added, but as long as everyone was using the same inserting and removal functions, that 'should' guarantee consistency across multiple apps and hosts.

The other would be a function that every app and host uses that parses the xml to a json file, remove the signature tag from the json file, then hash the JSON.stringified object, sign that hash, add it back to the JSON signature tag, then convert back to xml. As long as there's a consistent way to remove the signature before hashing, I think it would work.

Author Public Key

npub1yvgrrzf4dnmu30qfhw95x87ruu0g2kpv3a64h8hpvqsre8qeuspsgd6pv9

Seen on

wss://relay.nostr.band wss://relay.primal.net

Show more details

Published at

2025-02-19 17:33:40

Kind type

1 Short Text Note

Event JSON

{ "id": "b0d9fc0580418dbb25a1319b30bf829ca3212d8a25992efd2ab8254326d22640", "pubkey": "23103189356cf7c8bc09bb8b431fc3e71e85582c8f755b9ee160203c9c19e403", "created_at": 1739986420, "kind": 1, "tags": [ [ "e", "95e15bda61fc6856171b303cf850c5ad9c6d76dd5a8eaf0699763af03fc402a7", "wss://relay.damus.io/", "root", "23103189356cf7c8bc09bb8b431fc3e71e85582c8f755b9ee160203c9c19e403" ], [ "e", "d55ae3ba7545608679589dab55b012299caac8227e2fc5aaa3919aaf07f450e0", "wss://relay.damus.io/", "reply", "266815e0c9210dfa324c6cba3573b14bee49da4209a9456f9484e5106cd408a5" ], [ "p", "23103189356cf7c8bc09bb8b431fc3e71e85582c8f755b9ee160203c9c19e403" ], [ "p", "266815e0c9210dfa324c6cba3573b14bee49da4209a9456f9484e5106cd408a5" ], [ "p", "fa984bd7dbb282f07e16e7ae87b26a2a7b9b90b7246a44771f0cf5ae58018f52" ] ], "content": "My idea is the .xml file is read it as a simple string. The host or feed builder would minify the string using a standardized function (this helps to remove extra spaces, new lines, etc that would create a different hash), then hashes it, signs the hash, then add that signature to the xml file.\nAdding the signature to the file of course breaks the hash.\nSo to verify, an app would first remove the signature from the xml file, then minify the string using the same function the host did, then hash then hash it. The string should match the string that was originally hashed because the signature was removed first, and the hashes should match.\n\nAnd yes, there would have a specific tag to add and remove to ensure nothing extra was added, but as long as everyone was using the same inserting and removal functions, that 'should' guarantee consistency across multiple apps and hosts.\n\nThe other would be a function that every app and host uses that parses the xml to a json file, remove the signature tag from the json file, then hash the JSON.stringified object, sign that hash, add it back to the JSON signature tag, then convert back to xml. As long as there's a consistent way to remove the signature before hashing, I think it would work.", "sig": "a64b473252800e19e533a78b0464eeb7e4bcd86f8d8f6c812b3faf3679cc31bc81cf389e4c90d1c6336d8b8746ddb22a37f9b94fed139cb95f677bbd4b47d13d" }