Skip to content

ChannelKeyManager: add optional list of spent outputs to sign() methods #3047

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sstone merged 6 commits into from
Apr 1, 2025
Merged

ChannelKeyManager: add optional list of spent outputs to sign() methods #3047

sstone merged 6 commits into from
Apr 1, 2025

Conversation

@sstone
Copy link
Member

@sstone sstone commented Mar 26, 2025

This is needed to sign inputs that spend taproot outputs.

@sstone sstone requested a review from t-bast March 26, 2025 13:29
t-bast
t-bast requested changes Mar 26, 2025
View reviewed changes
Copy link
Member

@t-bast t-bast left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand: you're not actually using this new field anywhere, but you should? In particular in ReplaceableTxFunder, there are a few places where we use keyManager.sign and actually have added wallet inputs: not providing them in the new field is a bug! We shouldn't care about whether we're using taproot or not at that point, this is unnecessarily risky: we should just always provide the additional wallet inputs we're adding.

I don't think this new field should be optional with a default None value, that makes us miss places where we must fill it if we add wallet inputs. It's also unclear in Transactions.scala whether this should contain all inputs or all inputs that are not already our InputInfo.

Overall, I think that this new field should:

  • not have a default value of None in methods
  • should be for wallet inputs that we've added (ie not include the InputInfo for TransactionWithInputInfo, otherwise it creates unnecessary duplication)

You should also update the "generate valid commitment and htlc transactions (taproot)" test in TransactionsSpec.scala to show that when we add wallet inputs, not providing this field results in silently producing a signature that is invalid.

@sstone
Copy link
Member Author

sstone commented Mar 26, 2025

I don't understand: you're not actually using this new field anywhere, but you should? In particular in ReplaceableTxFunder, there are a few places where we use keyManager.sign and actually have added wallet inputs: not providing them in the new field is a bug! We shouldn't care about whether we're using taproot or not at that point, this is unnecessarily risky: we should just always provide the additional wallet inputs we're adding.

I could not find a way to demonstrate that signing in ReplaceableTxFunder will fail if these inputs are missing but you're right: I could simple verify that wallet inputs are indeed passed to the signing method even of they are not needed.

I don't think this new field should be optional with a default None value, that makes us miss places where we must fill it if we add wallet inputs. It's also unclear in Transactions.scala whether this should contain all inputs or all inputs that are not already our InputInfo.

It would be cleaner to only pass additional wallet inputs, but it means that we expect our InputInfo's output to always be the first input that is spent.

@sstone
Copy link
Member Author

sstone commented Mar 27, 2025

I went with your proposal in cd74ecc. It's cleaner, and the implicit requirement to always add additional inputs after the one we want to bump is acceptable (it's what we do now). I also added a test to ReplaceableTxPublisherSpec to verify that wallet inputs are all passed as extra inputs to the sign() method.

t-bast
t-bast reviewed Mar 27, 2025
View reviewed changes
@sstone sstone force-pushed the sign-all-spent-utxos branch from 2a5f89f to 6435245 Compare March 27, 2025 16:22
@sstone sstone force-pushed the sign-all-spent-utxos branch from 6435245 to 81782f3 Compare March 31, 2025 16:17
@sstone
Copy link
Member Author

sstone commented Mar 31, 2025

Rebased on master at 3d415bc

@t-bast t-bast mentioned this pull request Apr 1, 2025
Merged
t-bast
t-bast reviewed Apr 1, 2025
View reviewed changes
@sstone sstone force-pushed the sign-all-spent-utxos branch from dc36ada to 5dcf2b2 Compare April 1, 2025 14:10
@t-bast
Stricter requirements on input details for signing (#3052)
c9341fc 
We verify that details about all inputs are provided to the `sign`
function. While this isn't mandatory for segwit v0, it ensures that
all of our existing tests exercise this codepath and reduces the risk
that we forget to provide some wallet inputs, which would result in an
invalid signature which would be hard to investigate.

With this change, some of the unit tests started failing, which showed
that we weren't correctly setting wallet inputs in the fee-bumping case
in `ReplaceableTxFunder`, which we've fixed.

We also add a test in `TransactionsSpec.scala` to verify that signing
fails when details about some inputs are missing.
@sstone sstone merged commit 650681f into master Apr 1, 2025
1 check passed
@sstone sstone deleted the sign-all-spent-utxos branch April 1, 2025 14:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@t-bast t-bast t-bast approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sstone @t-bast