
We also show how a lack of signature checks in many clients—whether due to outright skipped verification
Afaik, Primal is guilty of this. Their client does not verify signatures.
That seems bad. In my ignorance, does this mean someone could post a note claiming to be x npub without having the private keys to x npub?
reply
No, their client only connects to their own server by default and the server crawls relays and caches notes. I assume they verify signatures there.
The problem is that Primal controls the server so they could fake notes from anyone.
reply