zsub
zsub@zsubmesh.net
npub1dvep...9wdv
Not your keys, not your network.
zsub 1 month ago

Announcing StarfortDB: key database and core protocols of Zsub.

- single seed, multi-curve ECC, HD keys
- self-sovereign consentful trust model
- Ristretto over 25519, Ed25519, x25519 and secp256k1
- secure memory and key exposure minimization
- almost no dependencies (vendored libusb for macOS)
- secure self-custody with Shamir threshold shares
- offline-first operation with inbox/outbox
- cold/cool/warm/hot access tiers
- YubiKey support
- password-protected key exchange
- per-relationship dedicated keys
- peer-to-peer and n-way group message channels
- cascading key rotation with re-peering
- multi-device sync, subtree sync
- rule-based privacy-preserving hidden web of trust
- selective-disclosure authorization proofs
- remote signing
- multisig (MuSig2 and FROST)
- threshold VRF (distributed randomness)
- single and double ratchets
- password and TOTP storage
- Bitcoin wallets and Nostr support coming soon

We're building Zsub: Self-Sovereign Cryptographic Mesh. This is component 2 of 3, and the largest one. Please read the essay for a deeper view into our work.

Essay: Code: Builds:

zsub 5 months ago

Rebased v0.4.0 RELEASED!

- Rewrite of all remaining Python in pure Zig
- Full isolation of keys in secure agent

You should even be able to run this under a split in QubesOS now.

-----

Unify dev cryptography with your npub

"git based" subcommand makes git, ssh and minisign Nostr-native and npub-based. Unify your workflow — all driven by your Nostr identity(ies).

**Npub-based cryptographic unity**:
- Generate npub/nsec pairs (e.g. project keys) + claim your presence on Nostr
- Sign git commits and tags with your active npub
- SSH auth (clone, push, pull, ssh) via a drop-in ssh-agent replacement
- Minisign-compatible build signing, verification back to your npub
- Full dev life-cycle cryptography powered by your nsec

**Secure agent isolates your keys**:
- Key access requires an nsec encryption PIN — PIN cached in agent
- More sensitive ops re-prompt (get nsec or delete key)
- Keys stored encrypted on disk in ~/.based; easy switching
- All sensitive key material and operations isolated in the agent process
- Agent can be run split on Qubes, for further isolation
- Secrets decrypted only into mlock()’ed memory and zeroed immediately after use
- Sensitive user io (pin/nsec) are direct to user tty from your agent
- Secure, carefully crafted Zig 0.14 with zero deps, std lib only
- Tiny 1.8M binary means small attack surface

**Based Release**
- Linear release support—NO MERGE—will refuse if branch not ff on master.

**Nostr Broadcasts**
- Profile (kind 0)
- Repo card (kind 30617) — from based-repo.json
- Release (kind 30618) — from signed git tags
- Announcement / alert / RFC (kind 1)

zsub 5 months ago

Rebased v0.4.0 RELEASED!

- Rewrite of all remaining Python in pure Zig
- Full isolation of keys in secure agent

You should even be able to run this under a split in QubesOS now.

-----

Unify dev cryptography with your npub

```
git based — Unify dev cryptography with your npub

Usage:
  git based <command> [options]
  git based agent [args...]          Run the based-agent daemon
  git based -Y <args...>             SSH signing (called by git)

Commands:
  Key Management:
    gen <name> <email>               Generate new keypair
    add <name> <email>               Import existing nsec
    del [name]                       Delete key
    switch [name]                    Switch to different key or list keys
    lock [name]                      Lock down all open keys
    keyname                          Print active key name
    email                            Print active email
    npub                             Print active npub
    nsec                             Print active nsec
    sshpub                           Print active SSH pubkey
    whoami [--with-nsec]             Full active key info

  Configuration:
    config-shell                     Output shell integration code
    nip05 -d <domain> [-u <user>]    Generate NIP-05 setup

  Repository:
    init [--clones] [--git]          Initialize based-repo.json
    publish                          Broadcast repo card (kind 30617)

  Broadcasting:
    announce <msg> [-t tag]...       Post announcement (kind 1)
    alert <msg>                      Send urgent alert
    rfc <title> [body]               Post RFC/proposal
    release <base> <branch> <ver>    Linear release workflow

  Profile & Files:
    profile [--username] [opts]...   Update profile (kind 0)
    blossom <file>                   Upload to Blossom
    minisign-pubkey                  Show minisign pubkey
    minisign-sign <file>             Sign with minisign
    minisign-verify <file> <key>     Verify minisign signature

  Utilities:
    broadcast <event.json>           Rebroadcast saved event
    gittr                            Open profile on Gittr
    config-shell                     Output the shell setup
    plist                            Output the plist for MacOS
    agent [--foreground]             Run the agent

Options:
  -h, --help                         Show this help
  -v, --version                      Show version

Environment:
  BASED_ACTIVE                       Active key name
  BASED_AGENT_PID                    Agent PID
  BASED_AGENT_SOCK                   Agent domain socket
  SSH_AUTH_SOCK                      For SSH interop
  BASED_SHELL_SETUP                  Shell setup status

Files:
  ~/.based/allowed                   For git signing and ssh auth
  ~/.based/config.toml               Configure rebased
  ~/.based/agent.sock                Agent domain socket
  ~/.based/agent.pid                 Agent PID
  ~/.based/agent.env                 Agent env vars
  ~/.based/agent.log                 Default log location
  ~/.based/net.zsubmesh.rebased.agent  Plist file
  ~/.based/{name}.dat                Key file location

Setup:
  eval "$(git based config-shell)"   Wraps ssh commands
  bebased                            Enable based environment
  gowoke                             Disable based environment
```

subcommand makes git, ssh and minisign Nostr-native and npub-based. Unify your workflow — all driven by your Nostr identity(ies).

**Npub-based cryptographic unity**:
- Generate npub/nsec pairs (e.g. project keys) + claim your presence on Nostr
- Sign git commits and tags with your active npub
- SSH auth (clone, push, pull, ssh) via a drop-in ssh-agent replacement
- Minisign-compatible build signing, verification back to your npub
- Full dev life-cycle cryptography powered by your nsec

**Secure agent isolates your keys**:
- Key access requires an nsec encryption PIN — PIN cached in agent
- More sensitive ops re-prompt (get nsec or delete key)
- Keys stored encrypted on disk in ; easy switching
- All sensitive key material and operations isolated in the agent process
- Agent can be run split on Qubes, for further isolation
- Secrets decrypted only into mlock()’ed memory and zeroed immediately after use
- Sensitive user io (pin/nsec) are direct to user tty from your agent
- Secure, carefully crafted Zig 0.14 with zero deps, std lib only
- Tiny 1.8M binary means small attack surface

**Based Release**
- Linear release support—NO MERGE—will refuse if branch not ff on master.

**Nostr Broadcasts**
- Profile (kind 0)
- Repo card (kind 30617) — from
- Release (kind 30618) — from signed git tags
- Announcement / alert / RFC (kind 1)

zsub 5 months ago

This is another test

zsub 6 months ago

Rebased v0.3.0 RELEASED!

MacOS support and handy getter commands for things like SSH pubkey

- #4: Fix MacOS build issues
- #6: Split whoami into more useful individual commands

-----

Unify dev cryptography with your npub

**Make Building (Nostr) Based Again**

subcommand makes git, ssh and minisign Nostr-native and npub-based.

**Secure npub-based cryptographic unity**:
- Generate npub/nsec pairs (e.g. project keys) + claim your presence on Nostr
- Sign git commits and tags with your active npub
- SSH auth (clone, push, pull, ssh) via a drop-in ssh-agent replacement
- Minisign-compatible build signing, verification back to your npub
- Every key access requires an nsec encryption PIN — no exceptions
- Keys stored encrypted on disk in ~/.based; easy switching
- Secrets decrypted only into mlock()’ed memory and zeroed immediately after use
- Secure backend in Zig 0.14 with zero deps, Python cli never touches secrets
- Full dev life-cycle cryptography powered by your nsec

**Based Release**
- Linear release support—NO MERGE—will refuse if branch not ff on master.

**Nostr Broadcasts**
- Profile (kind 0)
- Repo card (kind 30617) — from
- Release (kind 30618) — from signed git tags
- Announcement / alert / RFC (kind 1)

zsub 6 months ago

Rebased v0.2.0 RELEASED!

Small bugfixes and simplified "switch" command.

- Issue #5: Simplify switch without args to just list keys
- Fix #3: Correct initial ~/.based dir state, more robust perms setting
- Fix #1: NIP05 needed hex format keys, not npubs
- Fix #2: check in missing src/helpers.zig

-----

Unify dev cryptography with your npub

**Make Building (Nostr) Based Again**

subcommand makes git, ssh and minisign Nostr-native and npub-based.

**Secure npub-based cryptographic unity**:
- Generate npub/nsec pairs (e.g. project keys) + claim your presence on Nostr
- Sign git commits and tags with your active npub
- SSH auth (clone, push, pull, ssh) via a drop-in ssh-agent replacement
- Minisign-compatible build signing, verification back to your npub
- Every key access requires an nsec encryption PIN — no exceptions
- Keys stored encrypted on disk in ~/.based; easy switching
- Secrets decrypted only into mlock()’ed memory and zeroed immediately after use
- Secure backend in Zig 0.14 with zero deps, Python cli never touches secrets
- Full dev life-cycle cryptography powered by your nsec

**Based Release**
- Linear release support—NO MERGE—will refuse if branch not ff on master.

**Nostr Broadcasts**
- Profile (kind 0)
- Repo card (kind 30617) — from
- Release (kind 30618) — from signed git tags
- Announcement / alert / RFC (kind 1)
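
The v0.2.0 post above lists a fix because NIP-05 needs hex-format keys rather than npubs. As an added example (not code from Rebased or its author), this Python code decodes an npub's bech32 encoding to the 32-byte hex key, validating prefix and checksum, and builds the `names` entry of a NIP-05 `nostr.json`; all function names here are assumptions made for illustration.

```python
import json
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
HRP = [ord(c) >> 5 for c in "npub"] + [0] + [ord(c) & 31 for c in "npub"]

def _polymod(values):  # bech32 (BIP-173) checksum polynomial
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk

def _convertbits(data, frombits, tobits, pad):
    # Regroup a sequence of frombits-wide values into tobits-wide values.
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad and bits:
        out.append((acc << (tobits - bits)) & maxv)
    elif not pad and (acc << (tobits - bits)) & maxv:
        raise ValueError("non-zero padding bits")
    return out

def hex_to_npub(hex_key):
    raw = bytes.fromhex(hex_key)
    if len(raw) != 32:
        raise ValueError("public key must be 32 bytes")
    data = _convertbits(raw, 8, 5, True)
    pm = _polymod(HRP + data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return "npub1" + "".join(CHARSET[d] for d in data)

def npub_to_hex(npub):
    npub = npub.strip().lower()
    # Anything that is not npub1... is refused, so an nsec can never be published.
    if not npub.startswith("npub1") or any(c not in CHARSET for c in npub[5:]):
        raise ValueError("not an npub")
    data = [CHARSET.index(c) for c in npub[5:]]
    if _polymod(HRP + data) != 1:
        raise ValueError("bad bech32 checksum")
    raw = bytes(_convertbits(data[:-6], 5, 8, False))
    if len(raw) != 32:
        raise ValueError("unexpected key length")
    return raw.hex()

def nip05_document(user, npub):
    # Body of /.well-known/nostr.json: names map to hex keys, not npubs.
    return json.dumps({"names": {user: npub_to_hex(npub)}}, sort_keys=True)
```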

zsub 6 months ago

Rebased v0.1.0 RELEASED!

Unify dev cryptography with your npub

**Make Building (Nostr) Based Again**

subcommand makes git, ssh and minisign Nostr-native and npub-based.

**Secure npub-based cryptographic unity**:
- Generate npub/nsec pairs (e.g. project keys) + claim your presence on Nostr
- Sign git commits and tags with your active npub
- SSH auth (clone, push, pull, ssh) via a drop-in ssh-agent replacement
- Minisign-compatible build signing, verification back to your npub
- Every key access requires an nsec encryption PIN — no exceptions
- Keys stored encrypted on disk in ; easy switching
- Secrets decrypted only into mlock()’ed memory and zeroed immediately after use
- Secure backend in Zig 0.14 with zero deps, Python cli never touches secrets
- Full dev life-cycle cryptography powered by your nsec

**Based Release**
- Linear release support—NO MERGE—will refuse if branch not ff on master.

**Nostr Broadcasts**
- Profile (kind 0)
- Repo card (kind 30617) — from
- Release (kind 30618) — from signed git tags
- Announcement / alert / RFC (kind 1)

https://zsubmesh.net/rebased/downloads