Fix BIP-340 signature bug by overriding bip340 to 0.2.0

[Catrya]

fix #491 #276

dart_nostr 9.1.1 depends on bip340 0.1.0, which has a bug in bigToBytes() that doesn't pad values to 32 bytes. This causes about 1-2% of Schnorr signatures to be invalid, and 100% failure for keys whose public key starts with 0x00.

The bug was fixed upstream in bip340 0.2.0. We can't go higher than 0.2.0 because version 0.3.0+ changed verify() from String? to String, which breaks dart_nostr's nullable parameter and won't compile.

bip340 0.2.0 has the same API as 0.1.0, just with the padding fix applied. All 218 tests pass.

The override can be removed when dart_nostr updates its bip340 dependency or when we migrate to a different nostr library.

Summary by CodeRabbit

• Chores
  • Updated package dependency configuration to ensure compatibility and proper dependency resolution.

[coderabbitai]

Walkthrough

Added a dependency override for the bip340 package (version ^0.2.0) in pubspec.yaml. This explicit override modifies dependency resolution for the project, addressing signature validation issues in the Mostrod integration.

Changes

Cohort / File(s)	Summary
Dependency Override pubspec.yaml	Added bip340: ^0.2.0 under dependency_overrides section to enforce a specific version of the bip340 package for signature validation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A signature was broken, lost in time,
Till bip340 made the numbers align,
With just three lines, the magic's done,
Mostrod's errors now become none! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: overriding bip340 to version 0.2.0 to fix a BIP-340 signature bug.
Linked Issues check	✅ Passed	The code change directly addresses issue #491 by overriding bip340 to 0.2.0, which fixes the bigToBytes() padding bug causing invalid signatures.
Out of Scope Changes check	✅ Passed	The change is narrowly focused on adding the bip340 dependency override to resolve the signature validation issue, with no extraneous modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/bip340-dependency-override

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pubspec.yaml (1)

108-109: Consider pinning the exact version and documenting the override reason.

The pubspec.lock correctly resolves bip340 to 0.2.0 as expected. However, the caret constraint ^0.2.0 allows for potentially wider version ranges in pre-1.0 packages. For a targeted override addressing a specific issue, pinning the exact version and adding a brief inline comment will improve clarity and prevent accidental drift.

♻️ Suggested improvement

 dependency_overrides:
-  bip340: ^0.2.0
+  # Override due to Schnorr signature padding bug in bip340 0.1.x
+  bip340: 0.2.0

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pubspec.yaml` around lines 108 - 109, Change the caret constraint in
dependency_overrides to pin bip340 to the exact version used (replace "^0.2.0"
with "0.2.0") and add a short inline comment explaining why the override is
needed; update the dependency_overrides entry for bip340 accordingly so the
lockfile cannot drift and future maintainers see the rationale.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pubspec.yaml`:
- Around line 108-109: Change the caret constraint in dependency_overrides to
pin bip340 to the exact version used (replace "^0.2.0" with "0.2.0") and add a
short inline comment explaining why the override is needed; update the
dependency_overrides entry for bip340 accordingly so the lockfile cannot drift
and future maintainers see the rationale.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 149010c and 795d4de.

⛔ Files ignored due to path filters (1)

• pubspec.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• pubspec.yaml

[AndreaDiazCorreia]

tACK

[mostronatorcoder]

Clean fix for a nasty bug (1-2% invalid Schnorr signatures due to missing padding in bigToBytes()).

Reviewed:

• ✅ dependency_overrides is the correct Dart mechanism for this — forces bip340 0.2.0 without waiting for dart_nostr to update
• ✅ 0.2.0 has the same API as 0.1.0 (just the padding fix), so no breaking changes
• ✅ Can't use 0.3.0+ because verify() changed from String? to String — would break dart_nostr's nullable parameter
• ✅ CI passes (218 tests), no conflicts, mergeable
• ✅ pubspec.lock correctly reflects the override
• ✅ PR body clearly documents the reasoning and when the override can be removed

Only note: add a # TODO: comment in pubspec.yaml above the override explaining when it can be removed, so it doesn't become permanent tech debt that everyone is afraid to touch:

# TODO: Remove override when dart_nostr updates bip340 dependency to >=0.2.0
# See: https://github.com/MostroP2P/mobile/issues/491
dependency_overrides:
  bip340: ^0.2.0

Not blocking — approved.