wallet: allow toggling external_signer flag #21928
Conversation
|
What would the upgrade process be from Spectre to Core (for example) with/without this PR? I'm confused how the toggling would work to make this easier |
|
Before this PR if you opened a Specter wallet in Bitcoin Core you can see the transaction history, create receive addresses and create a PSBT. But you can't use the The With this PR you just call |
|
Great, thanks! |
I guess it should only be possible to do so for watch-only wallets, not for wallets that already have their own private keys? |
|
Rebased and added check that it's a watch-only descriptor wallet. I don't mention this in caveats, because those are only shown after you set a flag. |
|
Concept ACK |
1 similar comment
|
Concept ACK |
8671a2e to
7f6947d
Compare
src/wallet/rpcwallet.cpp
Outdated
| @@ -2440,6 +2440,9 @@ static RPCHelpMan getwalletinfo() | |||
| {RPCResult::Type::NUM, "progress", "scanning progress percentage [0.0, 1.0]"}, | |||
| }}, | |||
| {RPCResult::Type::BOOL, "descriptors", "whether this wallet uses descriptors for scriptPubKey management"}, | |||
| #ifdef ENABLE_EXTERNAL_SIGNER | |||
| {RPCResult::Type::BOOL, "external_signer", "whether this wallet uses an external signer such as a hardware wallet"}, | |||
There was a problem hiding this comment.
Not sure about having this as a compile-time conditional. Maybe document it and mention that omission means the build doesn't support it?
There was a problem hiding this comment.
I'm dropping the #ifdef here and below. The WALLET_FLAG_EXTERNAL_SIGNER is always defined anyway.
7f6947d to
8a4eaaf
Compare
Github-Pull: bitcoin#21928 Rebased-From: 737373f
Github-Pull: bitcoin#21928 Rebased-From: 8a4eaaf
8a4eaaf to
9fcf302
Compare
9fcf302 to
1770fb4
Compare
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ReviewsSee the guideline for information on the review process.
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
1770fb4 to
bd932e8
Compare
|
Rebased after #23667 (manually re-applied changes from |
bd932e8 to
6cff15b
Compare
6cff15b to
2ed95d8
Compare
2ed95d8 to
1af2083
Compare
|
Rebased since #24307 covered the first commit. |
| @@ -55,6 +55,9 @@ const std::map<uint64_t,std::string> WALLET_FLAG_CAVEATS{ | |||
| "destinations in the past. Until this is done, some destinations may " | |||
| "be considered unused, even if the opposite is the case." | |||
| }, | |||
| {WALLET_FLAG_EXTERNAL_SIGNER, | |||
| "The ability to toggle this flag may be removed in a future update." | |||
There was a problem hiding this comment.
Why do you expect this to be removed in future?
There was a problem hiding this comment.
If we ever need to make a backwards incompatible change to these types of wallets.
I don't have anything specific in mind. Right now it's perfectly safe to treat such a wallet as a regular watch-only wallet, create a PSBT and call HWI yourself. All unknown future fields and flags are simply ignored (and not deleted).
But perhaps there's some future fancy multisig setup with radioactive nonces and hash pre-images, that would make any naive use of the wallet keys dangerous.
There was a problem hiding this comment.
Likely possibility: In the future, setting it may require providing a specific path to the signer program
| if (flag == WALLET_FLAG_EXTERNAL_SIGNER) { | ||
| #ifdef ENABLE_EXTERNAL_SIGNER | ||
| if (!pwallet->IsWalletFlagSet(WALLET_FLAG_DISABLE_PRIVATE_KEYS) || !pwallet->IsWalletFlagSet(WALLET_FLAG_DESCRIPTORS)) { | ||
| throw JSONRPCError(RPC_WALLET_ERROR, "This flag can only be set on a watch-only descriptor wallet"); | ||
| } | ||
| #else | ||
| throw JSONRPCError(RPC_WALLET_ERROR, "Compiled without external signing support (required for external signing)"); | ||
| #endif | ||
| } |
There was a problem hiding this comment.
nit: extra leading space for all this
| @@ -129,7 +129,8 @@ static constexpr uint64_t KNOWN_WALLET_FLAGS = | |||
| | WALLET_FLAG_EXTERNAL_SIGNER; | |||
|
|
|||
| static constexpr uint64_t MUTABLE_WALLET_FLAGS = | |||
| WALLET_FLAG_AVOID_REUSE; | |||
| WALLET_FLAG_EXTERNAL_SIGNER | |||
|
@luke-jr I'll implement your nits if the PR needs a rebase or bigger changes. OTOH not sure how to weigh an anonymous ACK, and I forgot who it was from: |
Github-Pull: bitcoin#21928 Rebased-From: 1af2083
|
tACK commit 1af2083 All tests pass I did not test with HWI, but I was able to toggle This can only be done on a wallet that has private keys disabled, not on a blank wallet - I don't know if that should be made more clear?
I did get this error in the terminal when starting
|
It should be same constraint as with
Only for this PR or also on the commit it builds on ( |
|
If I do it on a blank wallet without private keys disabled, I get this error:
Hm I apologize, I didn't get the error this time - not sure what the issue was |
|
Approach NACK This is incomplete. A wallet that has the flag set when it was loaded will behave differently from one that has the flag set after it's been loaded.The new expected behavior (either enable or disable external signer) will only come into effect after the wallet has been reloaded. This is unintuitive and potentially dangerous. The flag is only checked during wallet creation and loading. It isn't checked during normal operations. We instead use |
|
@achow101 in that case perhaps it's safer to implement this in |
That would be better. |
|
Leaving it up for grabs to implement this in |
Github-Pull: bitcoin#21928 Rebased-From: 1af2083
Currently
WALLET_FLAG_EXTERNAL_SIGNERis just a precaution. This PR makes the flag mutable so it can be toggled withsetwalletflag. There's a warning that in the future it may no longer be possible to toggle. This might be the case if we need to store additional device specific data in the wallet payload.Rationale for this PR is to make it a bit easier to switch between tooling, e.g. to "upgrade" a regular watch-only wallet created by Specter to work with Core hardware wallet support directly.