Encrypted descriptor#1846
Conversation
|
Should the encrypted descriptor option be listed here? 
|
I inserted it only in the "Wallet" section of the settings to distinguish between the concept of backup and import/exports material. So my idea is that it shouldn't be added here, but open to discuss. At the same time we have the plain text descriptor file among the exports, which seems to contradict this concept, but I don't think it should be in the wallet section since we should incentivize to use the encrypted version. |
the plaintext descriptor option must be kept for register descriptor on airgap devices |
jp1ac4
left a comment
jp1ac4
left a comment
There was a problem hiding this comment.
I've successfully tested importing an encrypted backup using a signing device, a manually pasted xpub and the corresponding mnemonic.
| modal: None, | ||
| } | ||
| } | ||
| pub fn update(&mut self, msg: Decrypt) -> Task<installer::Message> { |
There was a problem hiding this comment.
Would it be useful to return something more general that doesn't depend on installer here?
There was a problem hiding this comment.
for now only uses cases are with installer::Message, if needed we can later make it more generic
| pub const BACKUP_DESCRIPTOR_MESSAGE: &str = "A backup of your wallet configuration is necessary to recover your funds. Please make sure to store your Wallet backup file (or alternatively to copy and paste the descriptor string) in one or more secure and accessible locations. You still need to back up your seed phrases too, since they are not included in the file."; | ||
| pub const BACKUP_DESCRIPTOR_HELP: &str = "In Bitcoin, the coins are locked using a Script (related to the 'address'). In order to recover your funds you need to know both the Scripts you have participated in (your 'addresses'), and be able to sign a transaction that spends from those. For the ability to sign, you back up your private key, this is your mnemonic ('seed words'). For finding the coins that belong to you, you back up a template of your Script (your 'addresses'), this is your descriptor, included in your wallet backup file. However, note the descriptor need not be stored as securely as the private key. A thief who steals your descriptor but not your private key cannot steal your funds."; | ||
| pub const BACKUP_DESCRIPTOR_MESSAGE: &str = "This backup is required to recover your funds. | ||
| Click “Back Up Descriptor” to download an encrypted file of your wallet configuration and store it in safe, accessible places. |
There was a problem hiding this comment.
Should this be changed to "encrypted file of your wallet descriptor"?
pythcoiner
force-pushed
the
encrypted_descriptor
branch
6 times, most recently
from
6c49810 to
af661b5
Compare
|
bump |
pythcoiner
force-pushed
the
encrypted_descriptor
branch
2 times, most recently
from
44bee47 to
8ca0b13
Compare
|
added sanity checks before write encrypted descriptor to disk |
| if let DescriptorPublicKey::MultiXPub(multixkey) = k { | ||
| let key = DescriptorPublicKey::XPub(DescriptorXKey { | ||
| origin: multixkey.origin.clone(), | ||
| xkey: multixkey.xkey, |
There was a problem hiding this comment.
Rather than adding dummy values, which could misleadingly suggest these are the values present in the descriptor itself, wouldn't it be clearer to return the multikey.xkey and then let the caller add these dummy values as required?
There was a problem hiding this comment.
those are not dummies values, It's just about having a DescriptorPublicKey that contains Xpub + Origin, Xpub is not enough as it does not contains the origin and I expect we use the result of this function to list xpubs of the Bip388 Policy
this way I think we can directly call .to_string()
DescriptorPublicKey::Singleis not suitable as it will not output a xpubDescriptorPublicKey::MultiXpubis not suitable asDerivPathscannot be empty
There was a problem hiding this comment.
I am fine with it, maybe add a comment to say that is a vessel for the xkey.
There was a problem hiding this comment.
well it's not a vessel, it's litteraly how it's intended to be used:
this
let key_str = "[abcdef01/0/0/0]xpub6Eze7yAT3Y1wGrnzedCNVYDXUqa9NmHVWck5emBaTbXtURbe1NWZbK9bsz1TiVE7Cz341PMTfYgFw1KdLWdzcM1UMFTcdQfCYhhXZ2HJvTW";
let key = DescriptorPublicKey::from_str(key_str).unwrap();
will yield
XPub(
DescriptorXKey {
origin: Some(
(
0xabcdef01,
0/0/0,
),
),
xkey: Xpub {
network: Main,
depth: 4,
parent_fingerprint: 0xc6c45ae6,
child_number: Normal {
index: 0,
},
public_key: PublicKey(
4fcda97320d37e42ddd2c9adf5c5c5edf7ff9decb550c50ad2ace5ae3a16abb3b780ec63e8766dbaa3e323148cc0e6ee760e3a41b5a0b1229f5d69b59ce3a0a3,
),
chain_code: 0xf98f1f14305e50df1ff23883210e9020e212bc62a790eff034e9f5036af844a1,
},
derivation_path: ,
wildcard: None,
},
)
I'm fine to add a comment, but from my POV make it more confusing
There was a problem hiding this comment.
Sorry I understand better now. I think a name like definite_keys_without_deriv_path() would make it clearer what is being returned (rust-miniscript uses DefiniteDescriptorKey for a DescriptorPublicKey without wildcard).
There was a problem hiding this comment.
Also, since we require an origin for all user-provided keys when creating a LianaDescriptor (as enforced in the constructors), an alternative check would be to exclude any descriptor keys that don't have an origin. Or simply to return all keys and let the caller check if it has an origin.
There was a problem hiding this comment.
an alternative check would be to exclude any descriptor keys that don't have an origin
in which other case than the unspendable key we can have a key w/o origin?
There was a problem hiding this comment.
(rust-miniscript uses DefiniteDescriptorKey for a DescriptorPublicKey without wildcard)
No in our case it's not a DefiniteDescriptorKey, my understanding of "definite" in rust-miniscript context is that the key is not deriveable anymore, while the key we generating here is the "root" key for derivation
There was a problem hiding this comment.
in which other case than the unspendable key we can have a key w/o origin?
I meant it would be an equivalent check, since we expect a key not to have an origin if and only if it's unspendable, but I suppose it's more reliable to check for the NUMS directly.
There was a problem hiding this comment.
but I suppose it's more reliable to check for the NUMS directly.
yes especially if in the future we allow importing key w/o origin (watchonly?)
pythcoiner
force-pushed
the
encrypted_descriptor
branch
from
da49af8 to
3f11fe3
Compare
pythcoiner
force-pushed
the
encrypted_descriptor
branch
5 times, most recently
from
b733b01 to
3f005eb
Compare
import_descriptor.rs
pythcoiner
force-pushed
the
encrypted_descriptor
branch
from
3f005eb to
b278ef2
Compare
pythcoiner
force-pushed
the
encrypted_descriptor
branch
from
b3574fd to
5e27112
Compare
4 participants
This is a lightweight version of #1807, where we do not encrypt for a backup export.
(I just dropped the commit that enable encryption on backup export)