Bug: getLongTermPrivateKey hardcodes derivation index 0 for mnemonic path #3

Open
opened 2026-02-08 21:01:39 +01:00 by clawbot · 0 comments

Bug

In internal/secret/keychainunlocker.go, the getLongTermPrivateKey() function hardcodes derivation index 0 when deriving the long-term key from a mnemonic:

ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)

This ignores the vault's actual DerivationIndex stored in vault-metadata.json. For any vault with a derivation index other than 0 (i.e., the second or subsequent vault created from the same mnemonic), this will derive the wrong long-term key, causing:

  • Keychain unlocker creation to encrypt the wrong key
  • Silent data corruption where the unlocker stores a key that doesn't match the vault

Expected Behavior

The function should read the vault's metadata to get the correct DerivationIndex and use it for key derivation.

Affected Code

internal/secret/keychainunlocker.go line ~330 in getLongTermPrivateKey()

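As an added illustration of the fix the issue asks for (not code from the sneak/secret project): read the vault's DerivationIndex from vault-metadata.json and pass it to the derivation call instead of the literal 0 that getLongTermPrivateKey currently uses. The JSON key name, the uint32 index type and FakeDerive (a constructed stand-in for agehd.DeriveIdentity) are assumptions; the stand-in only needs to change with the index so the mismatch for a non-zero vault is visible.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// VaultMetadata models the DerivationIndex field the issue says vault-metadata.json
// holds (JSON key name assumed; the real file may carry more fields). A pointer makes
// an absent field an error instead of a silent 0, which would reproduce the bug.
type VaultMetadata struct {
	DerivationIndex *uint32 `json:"DerivationIndex"`
}

// DeriveFunc stands in for agehd.DeriveIdentity(mnemonic, index); the real
// signature may differ, but the index argument is what the bug gets wrong.
type DeriveFunc func(mnemonic string, index uint32) (string, error)

// FakeDerive is a constructed stand-in, NOT the real age-hd derivation: it is
// merely deterministic and index-dependent so the defect becomes observable.
func FakeDerive(mnemonic string, index uint32) (string, error) {
	mac := hmac.New(sha256.New, []byte(mnemonic))
	mac.Write([]byte{byte(index >> 24), byte(index >> 16), byte(index >> 8), byte(index)})
	return "FAKE-IDENTITY-" + hex.EncodeToString(mac.Sum(nil)[:8]), nil
}

// LoadDerivationIndex parses vault-metadata.json and returns its DerivationIndex.
func LoadDerivationIndex(metadataJSON []byte) (uint32, error) {
	var md VaultMetadata
	if err := json.Unmarshal(metadataJSON, &md); err != nil {
		return 0, err
	}
	if md.DerivationIndex == nil {
		return 0, errors.New("vault metadata has no DerivationIndex")
	}
	return *md.DerivationIndex, nil
}

// FixedLongTermKey shows the shape the issue asks for: read the vault's
// DerivationIndex and hand it to the derivation instead of the literal 0.
func FixedLongTermKey(mnemonic string, metadataJSON []byte, derive DeriveFunc) (string, error) {
	index, err := LoadDerivationIndex(metadataJSON)
	if err != nil {
		return "", err
	}
	return derive(mnemonic, index)
}
```

For a vault created at index 2, derive(mnemonic, 0) and FixedLongTermKey return different identities, which is exactly the mismatch the unlocker would otherwise encrypt and store.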
Reference: sneak/secret#3