Changes for 3.0.6

Author: doc-hex

docs/limitations.md

@@ -63,6 +63,8 @@
 - we always store xpubs in BIP32 format, although we can read SLIP132 format (Ypub/Zpub/etc)
 - if XPUB values are in the PSBT, we assume it's going to be a multisig transaction signing, so
   there must be an unsigned input with M-of-N script
+- change outputs (indicated with paths, scripts in output section) must correspond to
+  the active multisig wallet, and cannot be used to describe an unrelated (multisig) wallet.
 
 # SIGHASH types
 

releases/ChangeLog.md

@@ -1,4 +1,18 @@
-- Bugfix: need blank line between addresses shown if sending to multiple destinations.
+## 3.0.6 - Dec 19, 2019
+
+- Security Bugfix: Fixed a multisig PSBT-tampering issue, that could allow a MitM to
+  steal funds. Please upgrade ASAP.
+- Enhancement: Sign a text file from MicroSD. Input file must have extension .TXT and
+  contain a single line of text. Signing key subpath can also provided on the second line.
+- Enhancement: Now shows the change outputs of the transaction during signing
+  process. This additional data can be ignored, but it is useful for those who
+  wish to verify all parts of the new transaction.
+- Enhancement: PSBT files on MicroSD can now be provided in base64 or hex encodings. Resulting
+  (signed) PSBT will be written in same encoding as the input PSBT.
+- Bugfix: crashed on entry into the Address Explorer (some users, sometimes).
+- Bugfix: add blank line between addresses shown if sending to multiple destinations.
+- Bugfix: multisig outputs were not checked to see if they are change (would have been
+  shown as regular outputs), if the PSBT did not have XPUB data in globals section.
 
 ## 3.0.5 - Nov 25, 2019
 

shared/actions.py

@@ -1076,7 +1076,14 @@ def is_psbt(filename):
             return False
 
         with open(filename, 'rb') as fd:
-            return fd.read(5) == b'psbt\xff'
+            taste = fd.read(10)
+            if taste[0:5] == b'psbt\xff':
+                return True
+            if taste[0:10] == b'70736274ff':        # hex-encoded
+                return True
+            if taste[0:6] == b'cHNidP':             # base64-encoded
+                return True
+            return False
 
     choices = await file_picker(None, suffix='psbt', min_size=50,
                             max_size=MAX_TXN_LEN, taster=is_psbt)
@@ -1109,6 +1116,29 @@ def is_psbt(filename):
     await sign_psbt_file(input_psbt)
 
 
+async def sign_message_on_sd(*a):
+    # Menu item: choose a file to be signed (as a short text message)
+    #
+    def is_signable(filename):
+        if '-signed' in filename.lower():
+            return False
+        with open(filename, 'rt') as fd:
+            lines = fd.readlines()
+            return (1 <= len(lines) <= 5)
+
+    fn = await file_picker('Choose text file to be signed.',
+                            suffix='txt', min_size=2,
+                            max_size=500, taster=is_signable,
+            none_msg='No suitable files found. Must be one line of text, in a .TXT file, optionally followed by a subkey derivation path on a second line.')
+
+    if not fn:
+        return
+
+    # start the process
+    from auth import sign_txt_file
+    await sign_txt_file(fn)
+
+
 async def pin_changer(_1, _2, item):
     # Help them to change pins with appropriate warnings.
     # - forcing them to drill-down to get warning about secondary is on purpose