external signer: verify PSBT is reliable after signing it #35358

pull brunoerg wants to merge 1 commits into bitcoin:master from brunoerg:2026-04-external-signer changing 4 files +264 −16

brunoerg commented at 12:31 PM on May 22, 2026: contributor

Seeking Concept ACK

A compromised or "rogue" external signer could return a PSBT with silently altered outputs or use unsafe sighash types that do not commit to all outputs. This PR adds a post-signing validation step in External::SignTransaction that compares the signed PSBT returned by the external signer against the original one before accepting it. Without these checks, it is not super friendly (e.g. using RPC) to manually verify the same.

Note: the added tests were partially vibe-coded.
DrahtBot commented at 12:31 PM on May 22, 2026: contributor


The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.



Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/35358.



Reviews

See the guideline for information on the review process. A summary of reviews will appear here.



LLM Linter (✨ experimental)

Possible places where named args for integral literals may be used (e.g. func(x, /*named_arg=*/0) in C++, and func(x, named_arg=0) in Python):
- walletcreatefundedpsbt([], {dest: 0.5}, 0, {...}, True) in test/functional/wallet_signer.py
<sup>2026-05-22 13:11:37</sup>
external-signer: verify PSBT is reliable after signing it e5ca77ed50
brunoerg force-pushed on May 22, 2026
DrahtBot added the label CI failed on May 22, 2026
DrahtBot removed the label CI failed on May 22, 2026

Contributors

brunoerg

DrahtBot

external signer: verify PSBT is reliable after signing it #35358

Code Coverage & Benchmarks

Reviews

LLM Linter (✨ experimental)