Coldcard signing device integration #580
Comments
darosior
added
RFC
|
We should be able to interface with the CC using https://github.com/alfred-hodler/rust-coldcard. |
|
COLDCARD (CC) air-gaped (better than USB) integration is done:
CC USB:
|
|
Thank you for the details. At the moment our signing device UX is centered around a USB connection using
Yes. |
|
We would probably need Coldcard/firmware#244 to be included in https://github.com/alfred-hodler/rust-coldcard. |
|
FYI: that change is now in master and released on pypi https://github.com/Coldcard/ckcc-protocol/releases/tag/v1.4.0 |
|
enroll miniscript via USB in released |
|
For information, Firmware v6.2.1:
|
I thought that it is enough for you guys to allow same origin but different accounts (a.k.a origin derivation) what is the reason to have exact same key in multiple logic legs?
there is not filename sent over USB, just a stream of data - that is why you see checksum fallback. With SD card you get filename. Yet this should be easy enough to implement that maybe I'm down...
unfortunately yes - this is current limitation - we need a new command... I'll look into this and give you more info soon - thanks for integrating us!! |
|
I thought that it is enough for you guys to allow same origin but different accounts (a.k.a origin derivation) what is the reason to have exact same key in multiple logic legs?
For instance you may want (in fact you often do) the same signer in multiple recovery paths, or both in the primary path and in a recovery path. In this case a single xpub is either queried from the signing device or fetched from a cosigner and a different unhardened derivation is used per spending path.
…-------- Original Message --------
On Nov 18, 2023, 9:16 PM, scgbckbone wrote:
> does not permit to generate descriptor with the same xpub multiple time in it.
I thought that it is enough for you guys to allow same origin but different accounts (a.k.a origin derivation) what is the reason to have exact same key in multiple logic legs?
> Miniscript enroll through usb does not attach a file name to the policy but only the checksum
there is not filename sent over USB, just a stream of data - that is why you see checksum fallback. With SD card you get filename. Yet this should be easy enough to implement that maybe I'm down...
> User can only check the policy derived address through the device by looking himself in the Address explorer
unfortunately yes - this is current limitation - we need a new command...
I'll look into this and give you more info soon - thanks for integrating us!!
—
Reply to this email directly, [view it on GitHub](#580 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AFLK3F5JAB5TTICLPZXL6QTYFEJRLAVCNFSM6AAAAAA2SS3PB6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMJXGYZDKNBUGY).
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
To expand on why we use a different derivation of the xpub instead of different accounts. Using a different account requires a hardened derivation. It is unnecessary and requires a back and forth between either the signing device or the other participants for each key. It's a much better UX for the device / participants to share a single xpub to be used at different unhardened derivations across spending paths. In addition, it makes descriptor verification on the signing device screen much more bearable for the user: there is only a single xpub to verify per participant instead of N. @scgbckbone do you think you can release an updated edge firmware which relaxes this check? I expect it would be a small change: the unique constraint should be on pairs of (xpub, der_path) instead of xpub singletons. There is no reason for checking xpub duplicates as long as they have different derivation indexes. Miniscript enforces that there is no duplicate public key so a signature for one path cannot be used for another. It doesn't apply here.
My bad for not checking limitations / reaching out earlier. |
|
if I understand correctly: you use BIP44 change index to differentiate signers ? or you instead have |
|
In order to respect wallet policies, and avoid an otherwise somewhat expensive additional derivation step, we instead increase the indexes in the multipath derivation step: For instance with Alice and Bob each having an xpub in each spending path of a descriptor with 2 recovery paths:
Makes sense? |
|
yes - but seems non-standard (wrt BIP44) and/or hacky - does reference client allows these descriptors? I assume yes... |
|
Multipath descriptors are not yet merged into Bitcoin Core, but the current implementation does support them (see bitcoin/bitcoin#22838). This is absolutely standard (see BIP389). Why do you bring up BIP44? It's an ancient standard irrelevant here: it doesn't consider how multiple keys from the same signer may be used in a single script. In any case it's mostly outdated by descriptors. |
|
I know about 22838, my q was about having something else in b44 change index besides <0;1> in core - but core does not care I see now.
I always thought it was the concept of account that is going to be used - hardened origin derivation - but your explanation above make sense with regards to performance and UX - seems there is also no change in security assumptions using unhardened - as it all still comes from one seed. Is this the best way forward? One can still loose his descriptor info and be left out with seeds only - those are the moments when one appreciates standard derivation paths
Many wallets implement it, many wallets may have issues with descriptor where change is not <0;1> (us as an example). |
My bad, i overlooked BIP44 prescribes using 0 and 1 for external / internal key chains.
Well if you do good luck remembering all the information needed to reconstruct the Scripts you used. I don't think relying on implicit information should ever be considered in the context of funds backup, and especially not for wallets using (somewhat) advanced scripts. |
|
one idea - but still non-standard --> move account from hardened to unhardened and preserve change. from: to (non-hardened account): still meh - maybe I even like yours better |
|
Yeah i don't think we should do that:
|
|
I'm out of better ideas here... Am I right if I look at this like: external chain is always EVEN and internal ODD? |
|
Yes |
|
maybe worth trying to extend the BIP44>Change section with odd/even would be backwards compatible |
|
Can't you implement compatibility with what we are doing currently (which is perfectly standard)? No other signing device which implemented miniscript descriptors support (Ledger, Bitbox, Jade, Specter) have this limitation. |
was just off-topic comment - I will implement compat. Just not as optimistic as you are about the scope of this in firmware. |
|
Yes i hadn't understood you would only provide signatures for BIP44 paths. We can't help you with this unfortunately but feel free to reach out anytime if you need feedback or testing. |
|
Thank you for your help. So far so good, I have an implementation of the liana wallet gui with coldcard support here #847 One UX improvement on the firmware side would be to hold the miniscript enroll return while the user is verifying the descriptor on the screen like the sign transaction command and return an error if user refused. Once the poc.dfu is approved, I will open the PR to alfred-hodler/rust-coldcard with the new commands. |
|
does CC have a kind simulator? i would like to test #847, but don't have a CC |
https://github.com/Coldcard/firmware/blob/master/README.md#linux EDIT: you need to wait until I publish the new edge branch |
|
it is already merged in |
#847 use wizardsardine/async-hwi#57 that use a special branch of https://github.com/alfred-hodler/rust-coldcard/ that supports only hid interface. I am not sure you can test it with a simulator. |
Ok, I'll try to find a CC in my new place in january |
what do you mean from your view? I am using the API right now, it doesn't work how you are describing it (though it would be nice) you have to send it a psbt to sign, if that goes well, then you can ask it for the finalized transaction. I am not sure which feature flag you are referring to which allows an API to sign and return the transaction in one go, if its there please let me know since I could trim away some code. Thank you. |
|
@scgbckbone, does both mk3/mk4 support miniscript or only mk4? what about limitations? |
only Mk4 and only in miniscript limitations: https://github.com/Coldcard/firmware/blob/edge/docs/miniscript.md#limitations |
this is misunderstanding and you're right you need 2 steps - what I was describing was cli signing workflow https://github.com/Coldcard/ckcc-protocol/blob/11c711e929a090ec29ccd2a05d094aa3d2cbc113/ckcc/cli.py#L481-L548 |
is mk3 on roadmap or not planned to support miniscript on it? |
|
@edouardparis mentioned to me this is close to being done. #847 should be testable by anyone with a coldcard soon! |
|
@scgbckbone currently doing a round of test on #847, while verifying address on CC, if i want to
I had to restart the CC to go back normal |
|
great find @pythcoiner! thank you. Patch here Coldcard/firmware#317 |
|
@scgbckbone is it normal that CC follow the normal miniscript flow even if the wallet 'allias' used for registration and the one use on psbt sign does not match, by example using async-hwi cli tool:
and CC let me sign, is it about CC just check if the descriptor is registered but not if wallet_name/aliases match? |
|
There is currently no way to specify target wallet Looking at
I'm planning to add this in the next iteration. Can be really useful if you have two policies where only order of keys is different (keys are the same just policy is different). But we do not have (yet) policy or descriptor in PSBT - meaning that our tx to registered wallet matching can fail in those situation. |
|
ok, so it means, we (now) just send psbt and CC just iterate trough the 'wallet' list to check if one matching? |
|
yes |
|
@scgbckbone, does the CC HSM mode functionning w/ miniscript wallets? |
yes |
|
#847 is merged, it relies on https://github.com/wizardsardine/async-hwi/ master which relies on this current branch of rust-coldcard alfred-hodler/rust-coldcard#11 We will update later with proper crates versions when crates are published. Thank you all for contributing ! |
|
Congratulations everyone :) |
|
thanks guys! We're "almost ready", just need to do the pre-release dance, I |
|
I tested liana |
|
Hello @scgbckbone and @edouardparis , finally received a Coldcard Q, i upgraded to 0.0.6Q. Might be that the Q doesn't have Miniscript support yet? Or do we need to change something in our async-hwi? |
Is this the Edge firmware? |
|
All versions are Beta for Q, no Edge releases. |
|
We currently do not have edge Q - so no miniscript/tr support in there - soon TM |
Coldcard recently announced experimental Miniscript signing support. This issue is for discussing and tracking the integration of Coldcard with Liana.
The text was updated successfully, but these errors were encountered: