Skip to content

Conversation

Sjors
Copy link
Member

@Sjors Sjors commented May 12, 2021

Currently WALLET_FLAG_EXTERNAL_SIGNER is just a precaution. This PR makes the flag mutable so it can be toggled with setwalletflag. There's a warning that in the future it may no longer be possible to toggle. This might be the case if we need to store additional device specific data in the wallet payload.

Rationale for this PR is to make it a bit easier to switch between tooling, e.g. to "upgrade" a regular watch-only wallet created by Specter to work with Core hardware wallet support directly.

@Rspigler
Copy link
Contributor

What would the upgrade process be from Spectre to Core (for example) with/without this PR? I'm confused how the toggling would work to make this easier

@Sjors
Copy link
Member Author

Sjors commented May 13, 2021

Before this PR if you opened a Specter wallet in Bitcoin Core you can see the transaction history, create receive addresses and create a PSBT. But you can't use the send RPC (or GUI in bitcoin-core/gui#4) to have it sign on a device and you can't verify an address on the device.

The WALLET_FLAG_EXTERNAL_SIGNER must be set in order for Bitcoin Core to make calls to HWI. Without this PR you'd have to manually edit the wallet file to set that flag. Or export the descriptors and then re-import them in a fresh wallet that has the flag enabled.

With this PR you just call bitcoin-cli setwalletflag external_signer true.

@Rspigler
Copy link
Contributor

Great, thanks!

@laanwj
Copy link
Member

laanwj commented May 18, 2021

Rationale for this PR is to make it a bit easier to switch between tooling, e.g. to "upgrade" a regular watch-only wallet created by Specter to work with Core hardware wallet support directly.

I guess it should only be possible to do so for watch-only wallets, not for wallets that already have their own private keys?

@Sjors Sjors force-pushed the 2021/05/hww-toggle branch from f6b76c3 to 8671a2e Compare May 20, 2021 19:11
@Sjors
Copy link
Member Author

Sjors commented May 20, 2021

Rebased and added check that it's a watch-only descriptor wallet. I don't mention this in caveats, because those are only shown after you set a flag.

@jonatack
Copy link
Member

Concept ACK

1 similar comment
@Rspigler
Copy link
Contributor

Concept ACK

@Sjors Sjors force-pushed the 2021/05/hww-toggle branch from 8671a2e to 7f6947d Compare August 5, 2021 14:31
@@ -2440,6 +2440,9 @@ static RPCHelpMan getwalletinfo()
{RPCResult::Type::NUM, "progress", "scanning progress percentage [0.0, 1.0]"},
}},
{RPCResult::Type::BOOL, "descriptors", "whether this wallet uses descriptors for scriptPubKey management"},
#ifdef ENABLE_EXTERNAL_SIGNER
{RPCResult::Type::BOOL, "external_signer", "whether this wallet uses an external signer such as a hardware wallet"},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure about having this as a compile-time conditional. Maybe document it and mention that omission means the build doesn't support it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm dropping the #ifdef here and below. The WALLET_FLAG_EXTERNAL_SIGNER is always defined anyway.

@Sjors Sjors force-pushed the 2021/05/hww-toggle branch from 7f6947d to 8a4eaaf Compare September 1, 2021 13:45
luke-jr pushed a commit to bitcoinknots/bitcoin that referenced this pull request Oct 10, 2021
luke-jr pushed a commit to bitcoinknots/bitcoin that referenced this pull request Oct 10, 2021
@Sjors Sjors force-pushed the 2021/05/hww-toggle branch from 8a4eaaf to 9fcf302 Compare November 2, 2021 14:51
@Sjors Sjors force-pushed the 2021/05/hww-toggle branch from 9fcf302 to 1770fb4 Compare November 18, 2021 12:09
@DrahtBot
Copy link
Contributor

DrahtBot commented Nov 24, 2021

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type Reviewers
ACK w0xlt, Rspigler
Concept ACK jonatack
Approach NACK achow101

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #24897 ([Draft / POC] Silent Payments by w0xlt)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

@Sjors
Copy link
Member Author

Sjors commented Dec 8, 2021

Rebased after #23667 (manually re-applied changes from wallet/rpcwallet.cpp to wallet/rpc/wallet.cpp)

@Sjors Sjors force-pushed the 2021/05/hww-toggle branch from 2ed95d8 to 1af2083 Compare February 15, 2022 19:24
@Sjors
Copy link
Member Author

Sjors commented Feb 15, 2022

Rebased since #24307 covered the first commit.

@@ -55,6 +55,9 @@ const std::map<uint64_t,std::string> WALLET_FLAG_CAVEATS{
"destinations in the past. Until this is done, some destinations may "
"be considered unused, even if the opposite is the case."
},
{WALLET_FLAG_EXTERNAL_SIGNER,
"The ability to toggle this flag may be removed in a future update."
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you expect this to be removed in future?

Copy link
Member Author

@Sjors Sjors Feb 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we ever need to make a backwards incompatible change to these types of wallets.

I don't have anything specific in mind. Right now it's perfectly safe to treat such a wallet as a regular watch-only wallet, create a PSBT and call HWI yourself. All unknown future fields and flags are simply ignored (and not deleted).

But perhaps there's some future fancy multisig setup with radioactive nonces and hash pre-images, that would make any naive use of the wallet keys dangerous.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Likely possibility: In the future, setting it may require providing a specific path to the signer program

Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK 1af2083

Comment on lines +279 to +287
if (flag == WALLET_FLAG_EXTERNAL_SIGNER) {
#ifdef ENABLE_EXTERNAL_SIGNER
if (!pwallet->IsWalletFlagSet(WALLET_FLAG_DISABLE_PRIVATE_KEYS) || !pwallet->IsWalletFlagSet(WALLET_FLAG_DESCRIPTORS)) {
throw JSONRPCError(RPC_WALLET_ERROR, "This flag can only be set on a watch-only descriptor wallet");
}
#else
throw JSONRPCError(RPC_WALLET_ERROR, "Compiled without external signing support (required for external signing)");
#endif
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: extra leading space for all this

@@ -129,7 +129,8 @@ static constexpr uint64_t KNOWN_WALLET_FLAGS =
| WALLET_FLAG_EXTERNAL_SIGNER;

static constexpr uint64_t MUTABLE_WALLET_FLAGS =
WALLET_FLAG_AVOID_REUSE;
WALLET_FLAG_EXTERNAL_SIGNER
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alphabetical order?

@Sjors
Copy link
Member Author

Sjors commented Apr 25, 2022

@luke-jr I'll implement your nits if the PR needs a rebase or bigger changes.

OTOH not sure how to weigh an anonymous ACK, and I forgot who it was from:
Schermafbeelding 2022-04-25 om 19 45 45

Copy link
Contributor

@w0xlt w0xlt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review ACK 1af2083

luke-jr pushed a commit to luke-jr/bitcoin that referenced this pull request May 21, 2022
@Rspigler
Copy link
Contributor

tACK commit 1af2083

All tests pass

I did not test with HWI, but I was able to toggle external_signer with setwalletflag (console says that this can only be set on a watch only descriptor wallet).

This can only be done on a wallet that has private keys disabled, not on a blank wallet - I don't know if that should be made more clear?
setwalletflag external_signer

{
"flag_name": "external_signer",
"flag_state": true,
"warnings": "The ability to toggle this flag may be removed in a future update."
}

I did get this error in the terminal when starting bitcoin-qt:

QVariant::load: unknown user type with name BitcoinUnits::Unit.

@Sjors
Copy link
Member Author

Sjors commented Jul 13, 2022

This can only be done on a wallet that has private keys disabled, not on a blank wallet

It should be same constraint as with createwallet.

I did get this error in the terminal

Only for this PR or also on the commit it builds on (git checkout HEAD~1)?

@Rspigler
Copy link
Contributor

If I do it on a blank wallet without private keys disabled, I get this error:

This flag can only be set on a watch-only descriptor wallet (code -4)

Hm I apologize, I didn't get the error this time - not sure what the issue was

@achow101
Copy link
Member

Approach NACK

This is incomplete. A wallet that has the flag set when it was loaded will behave differently from one that has the flag set after it's been loaded.The new expected behavior (either enable or disable external signer) will only come into effect after the wallet has been reloaded. This is unintuitive and potentially dangerous.

The flag is only checked during wallet creation and loading. It isn't checked during normal operations. We instead use ExternalSignerScriptPubKeyMan to do all of the external signer things. When this flag is toggled, it does not replace the ExternalSignerSPKMs with normal DescriptorSPKMs or vice versa. So the previous behavior will still be in effect post toggling.

@Sjors
Copy link
Member Author

Sjors commented Dec 15, 2022

@achow101 in that case perhaps it's safer to implement this in bitcoin-wallet?

@achow101
Copy link
Member

achow101 commented Jan 4, 2023

@achow101 in that case perhaps it's safer to implement this in bitcoin-wallet?

That would be better.

@Sjors
Copy link
Member Author

Sjors commented Jan 10, 2023

Leaving it up for grabs to implement this in bitcoin-wallet.

@Sjors Sjors closed this Jan 10, 2023
luke-jr pushed a commit to luke-jr/bitcoin that referenced this pull request Aug 16, 2023
@bitcoin bitcoin locked and limited conversation to collaborators Jan 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants