From: Chris Duncan <chris@zoso.dev>
Date: Tue, 14 Apr 2026 19:26:52 +0000 (-0700)
Subject: Ensure private key copy is zeroed out if signing from block fails.
X-Git-Tag: v0.12.0~4^2~12
X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=cdcc50da084c6410970c8571ae700ba3bcfae03a;p=libnemo.git

Ensure private key copy is zeroed out if signing from block fails.
---

diff --git a/src/lib/block.ts b/src/lib/block.ts
index 34964c8..e74d04c 100644
--- a/src/lib/block.ts
+++ b/src/lib/block.ts
@@ -413,9 +413,13 @@ export class Block {
 			try {
 				if (typeof input === 'string' && /^[A-F0-9]{64}$/i.test(input)) {
 					const prv = hex.toBytes(input)
-					const pub = nano25519_derive(prv)
-					const signature = nano25519_sign(hex.toBytes(this.hash), new Uint8Array([...prv, ...pub]))
-					this.signature = bytes.toHex(signature)
+					try {
+						const pub = nano25519_derive(prv)
+						const signature = nano25519_sign(hex.toBytes(this.hash), new Uint8Array([...prv, ...pub]))
+						this.signature = bytes.toHex(signature)
+					} finally {
+						prv.fill(0)
+					}
 				} else if (input instanceof Wallet && typeof index === 'number'
 					&& (frontier === undefined || frontier instanceof (this.constructor as typeof Block))
 				) {