v1.6.0 — Security Hardening

What's New

Auto-Lock Improvements

• New timeout options: 1 hour, 90 minutes, and 3 hours
• Auto-lock timer now resets when you switch to a Nostr-enabled tab — no more surprise lockouts while actively browsing

Security Fixes (Red Team Audit)

• Auto-lock bypass blocked — malicious pages can no longer poll getPublicKey() to prevent the timer from firing
• Session key derivation — master password is no longer held in memory; replaced with an opaque CryptoKey via PBKDF2
• Sender validation — sensitive operations (password changes, data reset, backup, settings) now reject messages from content script contexts
• Lock clears keys — nostrAccessWhileLocked defaults to false; locking actually clears decrypted keys from memory
• Mutex serialization — lock/unlock can no longer race and leave inconsistent state
• Auto-lock timeout validated — rejects invalid values (NaN, negative, arbitrary numbers)
• No more key prefix logging — plaintext key prefixes removed from debug output

Chrome MV3 Reliability

• Auto-lock timer now uses chrome.alarms API which survives service worker eviction

Sideload

Download the zip for your browser below and follow sideloading instructions.

v1.5.8

NostrKey v1.5.8

What's New

• Encrypted vault backup & restore
• Safari version display fix (browser API detection)
• Now live on Firefox Add-ons
• Updated landing page

Install from Store

• Chrome Web Store
• Firefox Add-ons

Sideload (Chrome/Brave/Edge)

1. Download nostrkey-chrome-v1.5.8.zip below
2. Unzip it
3. Go to chrome://extensions → enable Developer mode
4. Click Load unpacked → select the unzipped folder
5. Pin NostrKey from the extensions menu