Skip to content

Fix BIP-340 signature bug by overriding bip340 to 0.2.0#496

Open
Catrya wants to merge 1 commit intomainfrom
fix/bip340-dependency-override
Open

Fix BIP-340 signature bug by overriding bip340 to 0.2.0#496
Catrya wants to merge 1 commit intomainfrom
fix/bip340-dependency-override

Conversation

@Catrya
Copy link
Member

@Catrya Catrya commented Feb 23, 2026

fix #491 #276

dart_nostr 9.1.1 depends on bip340 0.1.0, which has a bug in bigToBytes() that doesn't pad values to 32 bytes. This causes about 1-2% of Schnorr signatures to be invalid, and 100% failure for keys whose public key starts with 0x00.

The bug was fixed upstream in bip340 0.2.0. We can't go higher than 0.2.0 because version 0.3.0+ changed verify() from String? to String, which breaks dart_nostr's nullable parameter and won't compile.

bip340 0.2.0 has the same API as 0.1.0, just with the padding fix applied. All 218 tests pass.

The override can be removed when dart_nostr updates its bip340 dependency or when we migrate to a different nostr library.

Summary by CodeRabbit

  • Chores
    • Updated package dependency configuration to ensure compatibility and proper dependency resolution.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 23, 2026

Walkthrough

Added a dependency override for the bip340 package (version ^0.2.0) in pubspec.yaml. This explicit override modifies dependency resolution for the project, addressing signature validation issues in the Mostrod integration.

Changes

Cohort / File(s) Summary
Dependency Override
pubspec.yaml
Added bip340: ^0.2.0 under dependency_overrides section to enforce a specific version of the bip340 package for signature validation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A signature was broken, lost in time,
Till bip340 made the numbers align,
With just three lines, the magic's done,
Mostrod's errors now become none!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: overriding bip340 to version 0.2.0 to fix a BIP-340 signature bug.
Linked Issues check ✅ Passed The code change directly addresses issue #491 by overriding bip340 to 0.2.0, which fixes the bigToBytes() padding bug causing invalid signatures.
Out of Scope Changes check ✅ Passed The change is narrowly focused on adding the bip340 dependency override to resolve the signature validation issue, with no extraneous modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/bip340-dependency-override

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
pubspec.yaml (1)

108-109: Consider pinning the exact version and documenting the override reason.

The pubspec.lock correctly resolves bip340 to 0.2.0 as expected. However, the caret constraint ^0.2.0 allows for potentially wider version ranges in pre-1.0 packages. For a targeted override addressing a specific issue, pinning the exact version and adding a brief inline comment will improve clarity and prevent accidental drift.

♻️ Suggested improvement
 dependency_overrides:
-  bip340: ^0.2.0
+  # Override due to Schnorr signature padding bug in bip340 0.1.x
+  bip340: 0.2.0
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pubspec.yaml` around lines 108 - 109, Change the caret constraint in
dependency_overrides to pin bip340 to the exact version used (replace "^0.2.0"
with "0.2.0") and add a short inline comment explaining why the override is
needed; update the dependency_overrides entry for bip340 accordingly so the
lockfile cannot drift and future maintainers see the rationale.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pubspec.yaml`:
- Around line 108-109: Change the caret constraint in dependency_overrides to
pin bip340 to the exact version used (replace "^0.2.0" with "0.2.0") and add a
short inline comment explaining why the override is needed; update the
dependency_overrides entry for bip340 accordingly so the lockfile cannot drift
and future maintainers see the rationale.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 149010c and 795d4de.

⛔ Files ignored due to path filters (1)
  • pubspec.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pubspec.yaml

Copy link
Member

@AndreaDiazCorreia AndreaDiazCorreia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tACK

@grunch grunch requested a review from BraCR10 February 24, 2026 20:54
Copy link
Contributor

@mostronatorcoder mostronatorcoder bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean fix for a nasty bug (1-2% invalid Schnorr signatures due to missing padding in bigToBytes()).

Reviewed:

  • dependency_overrides is the correct Dart mechanism for this — forces bip340 0.2.0 without waiting for dart_nostr to update
  • ✅ 0.2.0 has the same API as 0.1.0 (just the padding fix), so no breaking changes
  • ✅ Can't use 0.3.0+ because verify() changed from String? to String — would break dart_nostr's nullable parameter
  • ✅ CI passes (218 tests), no conflicts, mergeable
  • pubspec.lock correctly reflects the override
  • ✅ PR body clearly documents the reasoning and when the override can be removed

Only note: add a # TODO: comment in pubspec.yaml above the override explaining when it can be removed, so it doesn't become permanent tech debt that everyone is afraid to touch:

# TODO: Remove override when dart_nostr updates bip340 dependency to >=0.2.0
# See: https://github.com/MostroP2P/mobile/issues/491
dependency_overrides:
  bip340: ^0.2.0

Not blocking — approved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Invalid signature error from mostrod when creating orders or restoring user

2 participants