Support remote signing over RPC

[guggero]

Fixes #5486 and #5779.
Also took some ideas from #3944, maybe we can close that as well.

Depends on #5708 and btcsuite/btcwallet#768.

This PR makes it possible to run an instance of lnd in purely watch-only mode (no private key material in the wallet whatsoever). All signing or ECDH requests are then forwarded to a secondary lnd instance (or, in theory, any software that implements the necessary RPC interfaces) for processing.

It is important that the secondary (the remote signing instance with the private) keys is NOT used as a wallet. The keys and addresses are kept in sync between the watch-only and the signing instance, so manually generating addresses or deriving keys on the signing instance will lead to unexpected errors on the watch-only instance!

[orijbot]

Visit https://dashboard.github.orijtech.com?back=0&pr=5689&remote=true&repo=guggero%2Flnd to see benchmark details.

[Roasbeef]

The final component falls into place! 🍾

Happy to see all the incremental steps we've taken over the past year or so resulted in this PR primary being some refactoring and additional layers of indirection.

Initial pass complete, main comment is the additional layer of indirection needed to allow the "primary" interfaces to be passed into the lnd.Main method rather than lnd initializing the concrete version of the interfaces within itself. Also see the msgs sent offline re some sample directions.

[Roasbeef]

Is there a strong requirement that this is on this level? In that, can it go one layer below within the WatchOnlyAccount struct?

[guggero]

Ah, you mean in case the accounts are not all derived from the same master key?

[guggero]

I've extracted all the refactoring commits into #5708, will address the rest of the comments later.

[Roasbeef]

So I think we want something like this:

diff --git a/keychain/btcwallet.go b/keychain/btcwallet.go
index 8d5dab3bd..3110fc960 100644
--- a/keychain/btcwallet.go
+++ b/keychain/btcwallet.go
@@ -64,7 +64,7 @@ type BtcWalletKeyRing struct {
 //
 // NOTE: The passed waddrmgr.Manager MUST be unlocked in order for the keychain
 // to function.
-func NewBtcWalletKeyRing(w *wallet.Wallet, coinType uint32) SecretKeyRing {
+func NewBtcWalletKeyRing(w *wallet.Wallet, coinType uint32) (SecretKeyRing, error) {
 	// Construct the key scope that will be used within the waddrmgr to
 	// create an HD chain for deriving all of our required keys. A different
 	// scope is used for each specific coin type.
@@ -73,10 +73,33 @@ func NewBtcWalletKeyRing(w *wallet.Wallet, coinType uint32) SecretKeyRing {
 		Coin:    coinType,
 	}
 
-	return &BtcWalletKeyRing{
+	// TODO(xxx): create all keyscopes here
+
+	wallet := &BtcWalletKeyRing{
 		wallet:        w,
 		chainKeyScope: chainKeyScope,
 	}
+
+	for _, keyFam := range VersionZeroKeyFamilies {
+		db := wallet.wallet.Database()
+		err := walletdb.Update(db, func(tx walletdb.ReadWriteTx) error {
+			addrmgrNs := tx.ReadWriteBucket(waddrmgrNamespaceKey)
+
+			scope, err := wallet.keyScope()
+			if err != nil {
+				return err
+			}
+
+			// If the account doesn't exist, then we may need to create it
+			// for the first time in order to derive the keys that we
+			// require.
+			return wallet.createAccountIfNotExists(addrmgrNs, keyFam, scope)
+		})
+		if err != nil {
+			return nil, err
+		}
+	}
+	return wallet, nil
 }
 
 // keyScope attempts to return the key scope that we'll use to derive all of
diff --git a/keychain/derivation.go b/keychain/derivation.go
index b22d8f70f..15ac954e8 100644
--- a/keychain/derivation.go
+++ b/keychain/derivation.go
@@ -105,6 +105,21 @@ const (
 	KeyFamilyTowerID KeyFamily = 9
 )
 
+// VersionZeroKeyFamilies is a slice of all the known key families for first
+// version of the key derivation schema defined in this package.
+var VersionZeroKeyFamilies = []KeyFamily{
+	KeyFamilyMultiSig,
+	KeyFamilyRevocationBase,
+	KeyFamilyHtlcBase,
+	KeyFamilyPaymentBase,
+	KeyFamilyDelayBase,
+	KeyFamilyRevocationRoot,
+	KeyFamilyNodeKey,
+	KeyFamilyStaticBackup,
+	KeyFamilyTowerSession,
+	KeyFamilyTowerID,
+}
+
 // KeyLocator is a two-tuple that can be used to derive *any* key that has ever
 // been used under the key derivation mechanisms described in this file.
 // Version 0 of our key derivation schema uses the following BIP43-like

[Roasbeef]

The other half (lets lncli wallet accounts list) display all the pubkeys:

diff --git a/lnwallet/btcwallet/btcwallet.go b/lnwallet/btcwallet/btcwallet.go
index 1db9e0b18..496ec1723 100644
--- a/lnwallet/btcwallet/btcwallet.go
+++ b/lnwallet/btcwallet/btcwallet.go
@@ -552,6 +552,18 @@ func (b *BtcWallet) ListAccounts(name string,
 			account := account
 			res = append(res, &account.AccountProperties)
 		}
+
+		accounts, err = b.wallet.Accounts(waddrmgr.KeyScope{
+			Purpose: keychain.BIP0043Purpose,
+			Coin:    b.cfg.CoinType,
+		})
+		if err != nil {
+			return nil, err
+		}
+		for _, account := range accounts.Accounts {
+			account := account
+			res = append(res, &account.AccountProperties)
+		}
 	}
 
 	return res, nil

[guggero]

Rebased and updated with the above suggestions.
Now the only thing needed is a new command (perhaps lncli create-watchonly?) that takes the output of lncli wallet accounts list and converts it into the format that is needed for the InitWallet RPC.

[Roasbeef]

Build fails rn:

watchtowerrpc -- unsafe]: exit status 1: go: github.com/btcsuite/btcwallet@v0.12.1-0.20210916213031-d0868cb9dd94 (replaced by ../../btcsuite/btcwallet): reading ../../btcsuite/btcwallet/go.mod: open /home/travis/gopath/src/github.com/btcsuite/btcwallet/go.mod: no such file or directory
go: github.com/btcsuite/btcwallet@v0.12.1-0.20210916213031-d0868cb9dd94 (replaced by ../../btcsuite/btcwallet): reading ../../btcsuite/btcwallet/go.mod: open /home/travis/gopath/src/github.com/btcsuite/btcwallet/go.mod: no such file or directory

[Roasbeef]

Getting close! Excellent set of docs also, looking forward to having this land in 01.4!

[Roasbeef]

One thing we may want to add here (doesn't necessarily need to be done here, can be follow up work) is a consistency check on start up. We can use lncli wallet accounts to see if all the key indexes line up, and advance them forward as needed.

[guggero]

Yes, definitely! Though this sounds like a good thing to split off into its own PR. Going to try and do this during the RC phase, or worst case for 0.14.1.

[Roasbeef]

This should be a dry run instance right?

[yyforyongyu]

Why do we want to have this step? To check that it's indeed watch only?

[guggero]

No, we want the watch-only wallet to actually lock the UTXOs and assume they're spent. Because we currently don't sync the UTXO locks, we need to make sure the watch-only wallet is in charge of doing coin selection and UTXO locking.
Or did you mean something else?

[yyforyongyu]

Got it. Didn't know the locking UTXO are wrapped inside SendOutputs.

[Roasbeef]

Perhaps instead guide the user to use a signer macaroon or a custom one that includes just the perms we need to interact w/ the remote signer?

[guggero]

Great idea! I'm going to recommend the macaroon recipe for that in the docs.

[Roasbeef]

Not clear how the user is meant to do this?

[guggero]

The lncli create now has the option to import an xprv if you press x here:

Do you have an existing cipher seed mnemonic or extended master root key you want to use?
Enter 'y' to use an existing cipher seed mnemonic, 'x' to use an extended master root key 
or 'n' to create a new seed (Enter y/x/n):

But I can make that more explicit in the docs.

[Roasbeef]

So we've implemented this now in another btcwallet fork?

[guggero]

There is no additional btcwallet fork. Because we create the wallet for the first time and start/sync to chain after importing the accounts, we actually do get a full rescan of all addresses. I tested this locally and even address with index 9 is being detected as being used.
But this will only work in this case where we import an account before the initial chain sync (where we also set recovery_window). Importing an account later will not cause a rescan.
I think that's actually a nice thing to get an initial syncup when setting up the node pair.

[Roasbeef]

Same comment here re not hard coding (can get from the RPC?)

[guggero]

Sure, we could do that. But it's just an example script to show what content the call needs to have. Can also remove the example script if it's more confusing than helping.

[yyforyongyu]

Fantastic feature! And love to see the great documentation! I think it's looking gooood, a major question is do we plan to patch unit tests for those newly added functions? Plus few questions in the comments.

[yyforyongyu]

Leftover? Do we want to print to console?

[guggero]

Just mirroring the code style in the rest of the file. We should probably clean that up in another PR.

[yyforyongyu]

Why do we embed by pointer here?

[yyforyongyu]

I think they must be equal if using the same key locator?

[yyforyongyu]

nit: might add some docs explaining why this check.

[yyforyongyu]

Why do we want to have this step? To check that it's indeed watch only?

[yyforyongyu]

I think we use birthday to locate a birthdayBlock when we do syncWithChain inside btcwallet.

[Roasbeef]

LGTM 🍣

[Roasbeef]

Might move this to reside under lncli wallet in a follow up change.