From bd618a5e33e0993432ac29b87d79948e3604dbd3 Mon Sep 17 00:00:00 2001
From: kevin Heifner <kevin@wire.network>
Date: Fri, 26 Dec 2025 13:41:03 -0600
Subject: [PATCH] Do not log signature-provider private keys

---
 plugins/producer_plugin/src/producer_plugin.cpp |  2 +-
 programs/nodeop/main.cpp                        | 17 +++++++++++------
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/plugins/producer_plugin/src/producer_plugin.cpp b/plugins/producer_plugin/src/producer_plugin.cpp
index 871e115d5b..b377f84dcd 100644
--- a/plugins/producer_plugin/src/producer_plugin.cpp
+++ b/plugins/producer_plugin/src/producer_plugin.cpp
@@ -1369,7 +1369,7 @@ void producer_plugin_impl::plugin_initialize(const boost::program_options::varia
 
       for (auto& candidate : finalizer_candidate_sig_providers) {
          SYS_ASSERT(candidate->private_key.has_value(), plugin_config_exception, "ALL BLS keys must be provided via command line arguments or config file.");
-         wlog("setting fin key ${c}:${p}", ("c", candidate->public_key.to_native_string({}))("p", candidate->private_key->to_native_string({})));
+         ilog("Configured finalizer key: ${c}", ("c", candidate->public_key.to_native_string({})));
          _finalizer_keys.insert({candidate->public_key.to_native_string({}), candidate});
       }
       chain.set_node_finalizer_keys(_finalizer_keys);
diff --git a/programs/nodeop/main.cpp b/programs/nodeop/main.cpp
index 7e566a5ee6..66a84e2bb0 100644
--- a/programs/nodeop/main.cpp
+++ b/programs/nodeop/main.cpp
@@ -13,6 +13,7 @@
 #include <fc/log/appender.hpp>
 #include <fc/exception/exception.hpp>
 #include <fc/scoped_exit.hpp>
+#include <fc/string.hpp>
 
 #include <boost/dll/runtime_symbol_info.hpp>
 #include <boost/exception/diagnostic_information.hpp>
@@ -21,6 +22,7 @@
 #include <string>
 #include <vector>
 #include <iterator>
+#include <numeric>
 
 #include "config.hpp"
 
@@ -28,14 +30,17 @@ using namespace appbase;
 using namespace sysio;
 
 namespace detail {
+using namespace std;
 
 void log_non_default_options(const std::vector<bpo::basic_option<char>>& options) {
    using namespace std::string_literals;
-   // TODO: @jglanz reimplement
-   // auto mask_private = [](const string& v) {
-   //    auto [pub_key_str, spec_type_str, spec_data] = signature_provider_manager_plugin::parse_signature_provider_spec(v);
-   //    return pub_key_str + "=" + spec_type_str + ":***";
-   // };
+   auto mask_private = [](const string& v) -> std::string {
+      if (auto parts = fc::split(v, ','); parts.size() > 1) {
+         return std::accumulate(std::next(parts.begin()), std::prev(parts.end()), parts[0],
+                                [](const string& acc, const string& part) { return acc + "," + part; }) + ",***";
+      }
+      return "***"s;
+   };
 
    string result;
    for (const auto& op : options) {
@@ -49,7 +54,7 @@ void log_non_default_options(const std::vector<bpo::basic_option<char>>& options
          if (i != b)
             v += ", ";
          if (op.string_key == "signature-provider"s)
-            v += *i;// TODO @jglanz mask_private(*i);
+            v += mask_private(*i);
          else if (mask)
             v += "***";
          else