Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid PSBT? (bip143 sighash vulnerability; coldcard psbt root fingerprint and derivation prefix missing) #6270

Open
jlopp opened this issue Jun 25, 2020 · 5 comments
Open

Invalid PSBT? (bip143 sighash vulnerability; coldcard psbt root fingerprint and derivation prefix missing) #6270

jlopp opened this issue Jun 25, 2020 · 5 comments
Labels
hw-coldcard topic-transactions 📑 related to logic in transaction.py

Comments

@jlopp
Copy link

jlopp commented Jun 25, 2020

Running Electrum master branch commit a95738f on Debian 10

Create a 2-of-3 p2sh-segwit wallet on testnet
First device: Trezor One at path m/49/1/3
Second device: pasted in Upub of Coldcard Mk3
Third device: pasted in Upub of Ledger Nano S

I created a transaction to sweep the wallet funds and send back to a new receive address. Plugged in the Trezor One and successfully signed. For second signature I want to sign airgapped via coldcard. So I choose "Export, for hardware device, include xpubs" and save the file to my MicroSD card which I then put in my coldcard.

Worth noting that my coldcard is set to testnet mode and has "Trust PSBT" enabled. When I try to sign, I see a generic error:

Failure
Invalid PSBT
psbt.py:1018

So I go back to Electrum and "Export, for hardware device, include xpubs" and copy to clipboard to get the following:

cHNidP8BAM4CAAAABKL4z24LxtkblKz1xz1awMl1KnmONA9aWfB54ZQedpC1AAAAAAD9////ovjPbgvG2RuUrPXHPVrAyXUqeY40D1pZ8HnhlB52kLUBAAAAAP3///+i+M9uC8bZG5Ss9cc9WsDJdSp5jjQPWlnweeGUHnaQtQIAAAAA/f///6L4z24LxtkblKz1xz1awMl1KnmONA9aWfB54ZQedpC1AwAAAAD9////AUQb5gUAAAAAF6kU+6rKXckeFXyXscQbOcYBiSYJnROHeBAbAE8BAkKJ7wAAAAAAAAAAALefp7Th7e8GjzqSJxTSeuY+/C8eN6FrV4jstLnaGTdbAhFFW5IPmVE4+BVmHuseCZsovMCPQOqYDjoD/4rQlUp8BHOrJK5PAQJCie8AAAAAAAAAAACV5vFb9dRX4abGXHGDUdlNBpNZ4vFg1b5jvrxst/gjxANsXb+Z66UBtNKKqjK+hRdxUNe9dWm8B6CkBRO/a94wTQR2vkcpTwECQonvA7YAdygAAAAD7mfYWVYLj8FOghaAtydmUCfn03CdWyMa8G/xFYHIA48D5LxGfNlJCsMZhp61BAwx3p0NnXROUcnv5VdTcTEPVwwQ3/0HNDEAAAABAAAAAwAAAAABAP2wBQEAAAAAAQR0HCoGZ6bEUgGavA3T6SoHtoFxjCv7TUfDzIfwOW+4pAAAAAAjIgAgILEpnxYvTG5D6zh6ccaFplZr+iE4cRICKtg9lDXMmVT/////dBwqBmemxFIBmrwN0+kqB7aBcYwr+01Hw8yH8DlvuKQDAAAAIyIAIFexhtsQg3sCvqNqGpSlS7lmDU2hdMXbK40nBN/lscYR/////3QcKgZnpsRSAZq8DdPpKge2gXGMK/tNR8PMh/A5b7ikAQAAACMiACCKtOCom7zigg8aUJ6p+2CzhGDetM0k/tK3alaHdLApKf////90HCoGZ6bEUgGavA3T6SoHtoFxjCv7TUfDzIfwOW+4pAIAAAAjIgAg1b/Z3el5r4opq8/vGnfUfnxITnqQnC3n9xMZGuklZyD/////BMZwWgIAAAAAF6kUtUKxSLjWOkXBCM9i5HZrbDnyS9eHgJaYAAAAAAAXqRTTkB118XLMaHciFIUZXUn9PzVnXYeAlpgAAAAAABepFLDlD/RXYGNOE3okberamHt8za0thwSBWgIAAAAAF6kUpQY54Gdm0sKmD4jmq6dEVpuD9CKHBABHMEQCIEhZutpKtc/tLD9exXPEU3JloZeTWHIXSpZFty+jgSKkAiBr3wI2NCMVkbeh74MK6lku6OBjRNEQcKTE+Ihi9JeK2wFHMEQCICdJcoQ65DXOxh2+nmR9OwjIwu1nSsEnC4B9RQ7JOd2vAiBQNEenZQ3ah2q05p7KIccCJrT76806/i5M/zNf8+zrmwFpUiECW7p/aVTkVcm7tLFgPAMq1C8DZrMGXrngVQI92SXROlEhAvh5/PQnQi6Jwzx5xn8tkz0HvNlX0eGoQM3ryepCnovOIQPiUnx4uxOWkkUKSozB0bF2uRj0O+VQIH1G4MX8N3SkXFOuBABHMEQCIDWiQ8Qoj9Y8frQC2IDEo1q4Md0JBpXHe3dVnZnEPqkuAiAcmr4iLkmdP5fbwe5Y7UctU2iDLNjtW0axfTTmNmG8PgFIMEUCIQDwGiFFn2gvWUaLCdTMe9yJMBTPJK/lrIMZsC6M1Nvk6AIgJsO4cL3urdELqpW+TeheaUwYRhq/gvQc2IoLlRavp4cBaVIhAm11MwFgeS/C17ysHn/C7VcHBUWYUNggO+k76EfAU/XUIQKDkISgaKuXHnRS536x8+Sf9LoRswuQt61MSf8XPDE2WSED9NyDket8gT2JsVlRLtzPgdfyERlc0mr1rEoIyKSePbpTrgQASDBFAiEAuBd9VNsSFbLrCLYWHKifjH/jYLPUPSMI1a1TlOgmaQ4CIANfCR/ivW2vuwubekJQBoBSHJ+ELEGa3TgalDHM/jgdAUgwRQIhALqJV4cZ2NDV650qYT0buSBH+MkVPiUoIeYMKOsNOFVJAiA3puJD1PIX+7U/k6xMhaSiX2F2ueu83u+6nNQNSa4QcwFpUiECdxo3BUb2ueQWMBE0tH7B3xM44cuRgmaTjMCwFuUeCkAhAwsknADuaJvscGc5/rR8Zwu8XRlct8h2sIcIDRQaTjsfIQPUuDsw1dpyNzYdMM9UQOXFDmdRKq/BvRDkAmP1jWw5j1OuBABHMEQCIERaUJYBxtAIpNTWt+cwPYAJ4Y5Jp+MIKDIFrKYCIDukAiBmDeDIIfox/MrX31I8pMNd0SZF3cpBWCJ7+NQw6vMS3AFIMEUCIQCHTflvC1LItizCuOB20/j23Tt9WzdYhxISyaPaaasOYwIgM+87PuQ/MGPxjD5NphEAz5BdIPcEhsBMgy3M5P8AcWgBaVIhAmjnDFFcYPoY7BnFaiyHbWlaKdLvl7OYSOu65L8A2BRGIQKZd5YzaZpD3x9Um9NWqf9OmHXe8eiJZYr7/OjEwu02EyEC2Pgx70m02s7Kvfz9G+pf3ZsNnc4GbUL3xWoXXwYD+udTrgAAAAAiAgIW9ayHqxXDTFmsX+dYacUSoRtEEz0CpXcHeyIypyUpd0gwRQIhAM2yJVlk7G0YPD2kebDPUZKOfp6Yl8fvm2q70B4gz22OAiBxv5iCzY8NE/WGziVpj4zt8MY8P2xQUZv59srvQB++JQEBBCIAIFZLhNFZsDCDICvQlNtTQ5PzZQgNg47Zjs1EFgxbXAXMAQVpUiECBo057oJ/H2p3cYPvB6I8fQwdEGxIWCzDCvJI41aLNtYhAhb1rIerFcNMWaxf51hpxRKhG0QTPQKldwd7IjKnJSl3IQJW4uWlA6GKVd1XgdtY6lioSc8Jp2ta9fJ6OAwpO9lwflOuIgYCBo057oJ/H2p3cYPvB6I8fQwdEGxIWCzDCvJI41aLNtYMc6skrgAAAAAAAAAAIgYCFvWsh6sVw0xZrF/nWGnFEqEbRBM9AqV3B3siMqclKXcY3/0HNDEAAAABAAAAAwAAAAAAAAAAAAAAIgYCVuLlpQOhilXdV4HbWOpYqEnPCadrWvXyejgMKTvZcH4Mdr5HKQAAAAAAAAAAAAEA/bAFAQAAAAABBHQcKgZnpsRSAZq8DdPpKge2gXGMK/tNR8PMh/A5b7ikAAAAACMiACAgsSmfFi9MbkPrOHpxxoWmVmv6IThxEgIq2D2UNcyZVP////90HCoGZ6bEUgGavA3T6SoHtoFxjCv7TUfDzIfwOW+4pAMAAAAjIgAgV7GG2xCDewK+o2oalKVLuWYNTaF0xdsrjScE3+WxxhH/////dBwqBmemxFIBmrwN0+kqB7aBcYwr+01Hw8yH8DlvuKQBAAAAIyIAIIq04KibvOKCDxpQnqn7YLOEYN60zST+0rdqVod0sCkp/////3QcKgZnpsRSAZq8DdPpKge2gXGMK/tNR8PMh/A5b7ikAgAAACMiACDVv9nd6Xmviimrz+8ad9R+fEhOepCcLef3Exka6SVnIP////8ExnBaAgAAAAAXqRS1QrFIuNY6RcEIz2LkdmtsOfJL14eAlpgAAAAAABepFNOQHXXxcsxodyIUhRldSf0/NWddh4CWmAAAAAAAF6kUsOUP9FdgY04TeiRt6tqYe3zNrS2HBIFaAgAAAAAXqRSlBjngZ2bSwqYPiOarp0RWm4P0IocEAEcwRAIgSFm62kq1z+0sP17Fc8RTcmWhl5NYchdKlkW3L6OBIqQCIGvfAjY0IxWRt6HvgwrqWS7o4GNE0RBwpMT4iGL0l4rbAUcwRAIgJ0lyhDrkNc7GHb6eZH07CMjC7WdKwScLgH1FDsk53a8CIFA0R6dlDdqHarTmnsohxwImtPvrzTr+Lkz/M1/z7OubAWlSIQJbun9pVORVybu0sWA8AyrULwNmswZeueBVAj3ZJdE6USEC+Hn89CdCLonDPHnGfy2TPQe82VfR4ahAzevJ6kKei84hA+JSfHi7E5aSRQpKjMHRsXa5GPQ75VAgfUbgxfw3dKRcU64EAEcwRAIgNaJDxCiP1jx+tALYgMSjWrgx3QkGlcd7d1WdmcQ+qS4CIByaviIuSZ0/l9vB7ljtRy1TaIMs2O1bRrF9NOY2Ybw+AUgwRQIhAPAaIUWfaC9ZRosJ1Mx73IkwFM8kr+WsgxmwLozU2+ToAiAmw7hwve6t0Quqlb5N6F5pTBhGGr+C9BzYiguVFq+nhwFpUiECbXUzAWB5L8LXvKwef8LtVwcFRZhQ2CA76TvoR8BT9dQhAoOQhKBoq5cedFLnfrHz5J/0uhGzC5C3rUxJ/xc8MTZZIQP03IOR63yBPYmxWVEu3M+B1/IRGVzSavWsSgjIpJ49ulOuBABIMEUCIQC4F31U2xIVsusIthYcqJ+Mf+Ngs9Q9IwjVrVOU6CZpDgIgA18JH+K9ba+7C5t6QlAGgFIcn4QsQZrdOBqUMcz+OB0BSDBFAiEAuolXhxnY0NXrnSphPRu5IEf4yRU+JSgh5gwo6w04VUkCIDem4kPU8hf7tT+TrEyFpKJfYXa567ze77qc1A1JrhBzAWlSIQJ3GjcFRva55BYwETS0fsHfEzjhy5GCZpOMwLAW5R4KQCEDCyScAO5om+xwZzn+tHxnC7xdGVy3yHawhwgNFBpOOx8hA9S4OzDV2nI3Nh0wz1RA5cUOZ1Eqr8G9EOQCY/WNbDmPU64EAEcwRAIgRFpQlgHG0Aik1Na35zA9gAnhjkmn4wgoMgWspgIgO6QCIGYN4Mgh+jH8ytffUjykw13RJkXdykFYInv41DDq8xLcAUgwRQIhAIdN+W8LUsi2LMK44HbT+PbdO31bN1iHEhLJo9ppqw5jAiAz7zs+5D8wY/GMPk2mEQDPkF0g9wSGwEyDLczk/wBxaAFpUiECaOcMUVxg+hjsGcVqLIdtaVop0u+Xs5hI67rkvwDYFEYhApl3ljNpmkPfH1Sb01ap/06Ydd7x6Illivv86MTC7TYTIQLY+DHvSbTazsq9/P0b6l/dmw2dzgZtQvfFahdfBgP651OuAAAAACICAtUeByAz3tXE1S6n0QyIikyWZmgcfSsIwTktlhBny4gZRzBEAiAuY1VdZ/2Z1Qd5K7Ew+FHuhZ6kn9nlgMo16U+H6pbUHAIgQXCN0dyOT0qe3u2Wr8cUlIEnvdbICuJrDHVZawiyntoBAQQiACBryxy7BZ335g8usHo9YHps1K16y2Tb2d6/1QHh/dfPhwEFaVIhAtUeByAz3tXE1S6n0QyIikyWZmgcfSsIwTktlhBny4gZIQNCjxpPV7lmzppZoE/qGch29BSO19CpZxGwbFa1fD7c2SEDbVMr9a1aiwH0teD7IQ2OFcaDJgvrIdi9X+YWAuZ9TU5TriIGAtUeByAz3tXE1S6n0QyIikyWZmgcfSsIwTktlhBny4gZGN/9BzQxAAAAAQAAAAMAAAAAAAAAAQAAACIGA0KPGk9XuWbOmlmgT+oZyHb0FI7X0KlnEbBsVrV8PtzZDHOrJK4AAAAAAQAAACIGA21TK/WtWosB9LXg+yENjhXGgyYL6yHYvV/mFgLmfU1ODHa+RykAAAAAAQAAAAABAP2wBQEAAAAAAQR0HCoGZ6bEUgGavA3T6SoHtoFxjCv7TUfDzIfwOW+4pAAAAAAjIgAgILEpnxYvTG5D6zh6ccaFplZr+iE4cRICKtg9lDXMmVT/////dBwqBmemxFIBmrwN0+kqB7aBcYwr+01Hw8yH8DlvuKQDAAAAIyIAIFexhtsQg3sCvqNqGpSlS7lmDU2hdMXbK40nBN/lscYR/////3QcKgZnpsRSAZq8DdPpKge2gXGMK/tNR8PMh/A5b7ikAQAAACMiACCKtOCom7zigg8aUJ6p+2CzhGDetM0k/tK3alaHdLApKf////90HCoGZ6bEUgGavA3T6SoHtoFxjCv7TUfDzIfwOW+4pAIAAAAjIgAg1b/Z3el5r4opq8/vGnfUfnxITnqQnC3n9xMZGuklZyD/////BMZwWgIAAAAAF6kUtUKxSLjWOkXBCM9i5HZrbDnyS9eHgJaYAAAAAAAXqRTTkB118XLMaHciFIUZXUn9PzVnXYeAlpgAAAAAABepFLDlD/RXYGNOE3okberamHt8za0thwSBWgIAAAAAF6kUpQY54Gdm0sKmD4jmq6dEVpuD9CKHBABHMEQCIEhZutpKtc/tLD9exXPEU3JloZeTWHIXSpZFty+jgSKkAiBr3wI2NCMVkbeh74MK6lku6OBjRNEQcKTE+Ihi9JeK2wFHMEQCICdJcoQ65DXOxh2+nmR9OwjIwu1nSsEnC4B9RQ7JOd2vAiBQNEenZQ3ah2q05p7KIccCJrT76806/i5M/zNf8+zrmwFpUiECW7p/aVTkVcm7tLFgPAMq1C8DZrMGXrngVQI92SXROlEhAvh5/PQnQi6Jwzx5xn8tkz0HvNlX0eGoQM3ryepCnovOIQPiUnx4uxOWkkUKSozB0bF2uRj0O+VQIH1G4MX8N3SkXFOuBABHMEQCIDWiQ8Qoj9Y8frQC2IDEo1q4Md0JBpXHe3dVnZnEPqkuAiAcmr4iLkmdP5fbwe5Y7UctU2iDLNjtW0axfTTmNmG8PgFIMEUCIQDwGiFFn2gvWUaLCdTMe9yJMBTPJK/lrIMZsC6M1Nvk6AIgJsO4cL3urdELqpW+TeheaUwYRhq/gvQc2IoLlRavp4cBaVIhAm11MwFgeS/C17ysHn/C7VcHBUWYUNggO+k76EfAU/XUIQKDkISgaKuXHnRS536x8+Sf9LoRswuQt61MSf8XPDE2WSED9NyDket8gT2JsVlRLtzPgdfyERlc0mr1rEoIyKSePbpTrgQASDBFAiEAuBd9VNsSFbLrCLYWHKifjH/jYLPUPSMI1a1TlOgmaQ4CIANfCR/ivW2vuwubekJQBoBSHJ+ELEGa3TgalDHM/jgdAUgwRQIhALqJV4cZ2NDV650qYT0buSBH+MkVPiUoIeYMKOsNOFVJAiA3puJD1PIX+7U/k6xMhaSiX2F2ueu83u+6nNQNSa4QcwFpUiECdxo3BUb2ueQWMBE0tH7B3xM44cuRgmaTjMCwFuUeCkAhAwsknADuaJvscGc5/rR8Zwu8XRlct8h2sIcIDRQaTjsfIQPUuDsw1dpyNzYdMM9UQOXFDmdRKq/BvRDkAmP1jWw5j1OuBABHMEQCIERaUJYBxtAIpNTWt+cwPYAJ4Y5Jp+MIKDIFrKYCIDukAiBmDeDIIfox/MrX31I8pMNd0SZF3cpBWCJ7+NQw6vMS3AFIMEUCIQCHTflvC1LItizCuOB20/j23Tt9WzdYhxISyaPaaasOYwIgM+87PuQ/MGPxjD5NphEAz5BdIPcEhsBMgy3M5P8AcWgBaVIhAmjnDFFcYPoY7BnFaiyHbWlaKdLvl7OYSOu65L8A2BRGIQKZd5YzaZpD3x9Um9NWqf9OmHXe8eiJZYr7/OjEwu02EyEC2Pgx70m02s7Kvfz9G+pf3ZsNnc4GbUL3xWoXXwYD+udTrgAAAAAiAgIlSnPZOilOO+Rv0fv0sDXmY+02zNEtutyqx0iI/MhSf0gwRQIhAIaQXfIomyUPCp8dgFnQ8lul4LhnTgRCYHNNvndjTV1gAiAqQce/cwPSv2452ZeCDLo7GBsZ6Yc91BOqmvSsqX5yCwEBBCIAILTCBUAGG1dBF6yiDVVYR16/dKSzExVudpQ8j7PajkfaAQVpUiECJUpz2TopTjvkb9H79LA15mPtNszRLbrcqsdIiPzIUn8hAs3+mCQ4Kg4sGIwAJPRC3DmoY4NJHwANF24IGsVn7gM3IQOoXboR9TGWfyzJXIvIrVPBBcXC490lZI+KRnaO+F9WK1OuIgYCJUpz2TopTjvkb9H79LA15mPtNszRLbrcqsdIiPzIUn8Y3/0HNDEAAAABAAAAAwAAAAAAAAACAAAAIgYCzf6YJDgqDiwYjAAk9ELcOahjg0kfAA0XbggaxWfuAzcMdr5HKQAAAAACAAAAIgYDqF26EfUxln8syVyLyK1TwQXFwuPdJWSPikZ2jvhfVisMc6skrgAAAAACAAAAAAEA/bAFAQAAAAABBHQcKgZnpsRSAZq8DdPpKge2gXGMK/tNR8PMh/A5b7ikAAAAACMiACAgsSmfFi9MbkPrOHpxxoWmVmv6IThxEgIq2D2UNcyZVP////90HCoGZ6bEUgGavA3T6SoHtoFxjCv7TUfDzIfwOW+4pAMAAAAjIgAgV7GG2xCDewK+o2oalKVLuWYNTaF0xdsrjScE3+WxxhH/////dBwqBmemxFIBmrwN0+kqB7aBcYwr+01Hw8yH8DlvuKQBAAAAIyIAIIq04KibvOKCDxpQnqn7YLOEYN60zST+0rdqVod0sCkp/////3QcKgZnpsRSAZq8DdPpKge2gXGMK/tNR8PMh/A5b7ikAgAAACMiACDVv9nd6Xmviimrz+8ad9R+fEhOepCcLef3Exka6SVnIP////8ExnBaAgAAAAAXqRS1QrFIuNY6RcEIz2LkdmtsOfJL14eAlpgAAAAAABepFNOQHXXxcsxodyIUhRldSf0/NWddh4CWmAAAAAAAF6kUsOUP9FdgY04TeiRt6tqYe3zNrS2HBIFaAgAAAAAXqRSlBjngZ2bSwqYPiOarp0RWm4P0IocEAEcwRAIgSFm62kq1z+0sP17Fc8RTcmWhl5NYchdKlkW3L6OBIqQCIGvfAjY0IxWRt6HvgwrqWS7o4GNE0RBwpMT4iGL0l4rbAUcwRAIgJ0lyhDrkNc7GHb6eZH07CMjC7WdKwScLgH1FDsk53a8CIFA0R6dlDdqHarTmnsohxwImtPvrzTr+Lkz/M1/z7OubAWlSIQJbun9pVORVybu0sWA8AyrULwNmswZeueBVAj3ZJdE6USEC+Hn89CdCLonDPHnGfy2TPQe82VfR4ahAzevJ6kKei84hA+JSfHi7E5aSRQpKjMHRsXa5GPQ75VAgfUbgxfw3dKRcU64EAEcwRAIgNaJDxCiP1jx+tALYgMSjWrgx3QkGlcd7d1WdmcQ+qS4CIByaviIuSZ0/l9vB7ljtRy1TaIMs2O1bRrF9NOY2Ybw+AUgwRQIhAPAaIUWfaC9ZRosJ1Mx73IkwFM8kr+WsgxmwLozU2+ToAiAmw7hwve6t0Quqlb5N6F5pTBhGGr+C9BzYiguVFq+nhwFpUiECbXUzAWB5L8LXvKwef8LtVwcFRZhQ2CA76TvoR8BT9dQhAoOQhKBoq5cedFLnfrHz5J/0uhGzC5C3rUxJ/xc8MTZZIQP03IOR63yBPYmxWVEu3M+B1/IRGVzSavWsSgjIpJ49ulOuBABIMEUCIQC4F31U2xIVsusIthYcqJ+Mf+Ngs9Q9IwjVrVOU6CZpDgIgA18JH+K9ba+7C5t6QlAGgFIcn4QsQZrdOBqUMcz+OB0BSDBFAiEAuolXhxnY0NXrnSphPRu5IEf4yRU+JSgh5gwo6w04VUkCIDem4kPU8hf7tT+TrEyFpKJfYXa567ze77qc1A1JrhBzAWlSIQJ3GjcFRva55BYwETS0fsHfEzjhy5GCZpOMwLAW5R4KQCEDCyScAO5om+xwZzn+tHxnC7xdGVy3yHawhwgNFBpOOx8hA9S4OzDV2nI3Nh0wz1RA5cUOZ1Eqr8G9EOQCY/WNbDmPU64EAEcwRAIgRFpQlgHG0Aik1Na35zA9gAnhjkmn4wgoMgWspgIgO6QCIGYN4Mgh+jH8ytffUjykw13RJkXdykFYInv41DDq8xLcAUgwRQIhAIdN+W8LUsi2LMK44HbT+PbdO31bN1iHEhLJo9ppqw5jAiAz7zs+5D8wY/GMPk2mEQDPkF0g9wSGwEyDLczk/wBxaAFpUiECaOcMUVxg+hjsGcVqLIdtaVop0u+Xs5hI67rkvwDYFEYhApl3ljNpmkPfH1Sb01ap/06Ydd7x6Illivv86MTC7TYTIQLY+DHvSbTazsq9/P0b6l/dmw2dzgZtQvfFahdfBgP651OuAAAAACICArt4J/F1HsxcnngETbGE9hV+OiNJVcCehBuhwmFniLiTSDBFAiEAqN1csbzR0fG4U88BEZSAnY7VMVd3yVd2sEGP577vZ2UCIBvSg+CEZBXHKqVZYVMI/z51oDDk3WKgKp4FPaIQ3magAQEEIgAgtNw7e2OqOBNxKJBLzH0OfSfzhh5YIC2U6efwW2/c9ZgBBWlSIQIXLs/LmPtDhWCf27XOw3A9+XUhp7WcKZPCuZp5YbNKrSECu3gn8XUezFyeeARNsYT2FX46I0lVwJ6EG6HCYWeIuJMhA8uPpUlqAR25IWBeoSdBN5LuzdtaESb9IBySYdk/OsivU64iBgIXLs/LmPtDhWCf27XOw3A9+XUhp7WcKZPCuZp5YbNKrQx2vkcpAAAAAAMAAAAiBgK7eCfxdR7MXJ54BE2xhPYVfjojSVXAnoQbocJhZ4i4kxjf/Qc0MQAAAAEAAAADAAAAAAAAAAMAAAAiBgPLj6VJagEduSFgXqEnQTeS7s3bWhEm/SAckmHZPzrIrwxzqySuAAAAAAMAAAAAAQAiACCaB60qnRtaJa9CYDGMmu4x561FPpeV6C/8ZYIF2hbx0gEBaVIhArToUGbe3FFTvLd3DoTTrfSbcUnyds6y0ilMXXupd+OiIQLV94gO2FYJgXBy3vtG6N6+VXPIe00O1uSaChxRARxJOCEDLL38h63QKDtCHsWVQFYgtAtK2/LTdqMVoqemmcaeAdpTriICArToUGbe3FFTvLd3DoTTrfSbcUnyds6y0ilMXXupd+OiDHOrJK4AAAAABAAAACICAtX3iA7YVgmBcHLe+0bo3r5Vc8h7TQ7W5JoKHFEBHEk4DHa+RykAAAAABAAAACICAyy9/Iet0Cg7Qh7FlUBWILQLStvy03ajFaKnppnGngHaGN/9BzQxAAAAAQAAAAMAAAAAAAAABAAAAAA=

I then try to decode it via $ bitcoin-cli decodepsbt and get the following output:

error code: -22
error message:
TX decode failed PSBT is not sane.: iostream error
@jlopp
Copy link
Author

jlopp commented Jun 25, 2020

If it's failing at https://github.com/Coldcard/firmware/blob/master/shared/psbt.py#L1018

It seems the Coldcard isn't one of the xpubs involved in the PSBT, but it indicates the PSBT could be decoded
I think there might be two problems here:

  1. The Electrum export of the PSBT is not formatted properly
  2. The Electrum PSBT could be missing signer information the coldcard expects, thoug I have "trust PSBT" enabled to hopefully mitigate such problems

@SomberNight
Copy link
Member

I think there might be two problems here:

yes indeed.

  1. The Electrum export of the PSBT is not formatted properly

Unfortunately Electrum PSBTs are currently not compatbile with Bitcoin Core, due to us already having a mitigation for the bip143 sighash issue (CVE-2020-14199), see #6257
This will get resolved with bitcoin/bitcoin#19215

  1. The Electrum PSBT could be missing signer information the coldcard expects, thoug I have "trust PSBT" enabled to hopefully mitigate such problems

Yes, we are missing info because we only have the xpub for the coldcard cosigner, see
#5969 (comment)

@SomberNight SomberNight changed the title Invalid PSBT? Invalid PSBT? (bip143 sighash vulnerability; coldcard psbt root fingerprint and derivation prefix missing) Jun 25, 2020
@SomberNight SomberNight added hw-coldcard topic-transactions 📑 related to logic in transaction.py labels Jun 25, 2020
@SomberNight
Copy link
Member

SomberNight commented Jun 25, 2020
edited
Loading

we are missing info because we only have the xpub for the coldcard cosigner

I think in practice, atm, coldcard as part of a multisig might only work if the wallet file was created while the coldcard was usb connected (i.e. not just added as an xpub) - although I can never remember exactly what those on-device settings do (e.g. "trust psbt").

To allow fully airgapped use, we need a way to communicate the missing info packed with or into the xpub.
e.g. #5715 (comment)
I think we might end up doing what's in that comment unless some standard emerges.

For now, if the user is technically inclined, they can feed the missing info using the Qt Console:
e.g.

wallet.get_keystores()[2].add_key_origin(derivation_prefix="m/48h/1h/0h/2h", root_fingerprint="deadbeef")

EDIT: apparently there might be a way to generate an electrum wallet file even for the multisig case on the coldcard device itself - in which case that might work as well.

@aaronisme
Copy link
Contributor

probably not quite related to this issue, but I think there should be some kind of "standard" for the xpub which including more info. currently, we are implementing the psbt multi-sign on Cobo Vault. but currently, the only way to do multo-sign with ColdCard is to generate the wallet file from ColdCard(ColdCard do need the xpub info to do verification)

@lucasmoten
Copy link

I'm able to successfully cal bitcoin-cli decodepsbt on the base64 with Bitcoin v0.20.1

The original error for Invalid PSBT reported by the coldcard firmware, seems to imply that of the xpubs data in the export, none of it matches the coldcard. https://github.com/Coldcard/firmware/blob/2020-06-13T1928-v3.1.5/shared/psbt.py#L1018

@lucasmoten lucasmoten mentioned this issue Aug 9, 2020
Open
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
hw-coldcard topic-transactions 📑 related to logic in transaction.py
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jlopp @aaronisme @lucasmoten @SomberNight