UI external signer support (e.g. hardware wallet)

Sjors commented at 6:10 pm on June 18, 2020: member

Big picture overview in this gist.

This PR adds GUI support for external signers, based on the since merged bitcoin/bitcoin#16546 (RPC).

The UX isn’t amazing - especially the blocking calls - but it works.

First we adds a GUI setting for the signer script (e.g. path to HWI):

Then we add an external signer checkbox to the wallet creation dialog:

It’s checked by default if HWI detects a device. It also grabs the name. It then creates a fresh wallet and imports the keys.

You can verify an address on the device (blocking…):

Sending, including coin selection, Just Works(tm) as long the device is present.

~External signer support is enabled by default when the GUI is configured and Boost::Process is present.~

External signer support remains disabled by default, see https://github.com/bitcoin/bitcoin/pull/21935.

Sjors renamed this:
~~2019/08/hww qt~~
UI external signer support (e.g. hardware wallet)
on Jun 18, 2020

Sjors commented at 6:11 pm on June 18, 2020: member

The original https://github.com/bitcoin/bitcoin/pull/16549#issuecomment-626652045 has a Concept ACK from @fjahr.

I’ll split out the interface changes and PR them to bitcoin/bitcoin later.

Sjors force-pushed on Jun 18, 2020

Sjors force-pushed on Jun 19, 2020

Sjors force-pushed on Jun 25, 2020

Sjors force-pushed on Jul 2, 2020

Sjors force-pushed on Jul 6, 2020

Sjors force-pushed on Jul 14, 2020

laanwj referenced this in commit 31bdd86631 on Jul 15, 2020

Sjors force-pushed on Jul 18, 2020

luke-jr commented at 7:32 pm on July 31, 2020: member

Shouldn’t the external signer program be per-wallet?

Sjors force-pushed on Aug 7, 2020

Sjors commented at 11:33 am on August 7, 2020: member

@luke-jr in practice there’s only 1 program out there: HWI. It already knows what to do for different wallets based on their fingerprint. So, unless more such tools show up, I prefer to wait until we can store arbitrary settings in the wallet: https://github.com/bitcoin/bitcoin/issues/13044 and then keep -signer as the default.

Sjors force-pushed on Aug 28, 2020

Sjors force-pushed on Sep 15, 2020

Bosch-0 commented at 4:20 am on September 16, 2020: none

Hey Sjors,

I could not see the signer script UI in the wallets settings when I compiled.

Sjors force-pushed on Sep 16, 2020

Sjors commented at 10:29 am on September 16, 2020: member

@Bosch-0 oops, I accidentally lost a commit in my rebase fury. Try again.

Bosch-0 commented at 9:28 am on September 23, 2020: none

Awesome, that worked! Having some issues with HWI though. After installing and setting the path to the hwi.py file I keep getting an exception error when creating a wallet.

How would we overcome having to install HWI separately? Would it have to be something like shipping HWI alongside the GUI. I’m a not too familiar with this process but having the path set by default behind the scenes would be ideal from a UX perspective.

Sjors commented at 12:42 pm on October 1, 2020: member

What’s the error you’re seeing?

Also, can you try from the command-line: hwi.py enumerate to see if HWI works standalone? This PR will certainly need followups to make it more user friendly.

Sjors force-pushed on Oct 1, 2020

Bosch-0 commented at 7:32 am on October 6, 2020: none

Here is the error, though I think HWI is not installed properly.

Testing is being done on windows 10.

Installation appears to be successful when running pip3 install .

When running ./hwi.py enumerate I get the below error. Tried the other dependency installation methods as well as installing libusb-1.0.dll and including it in HWI directory but no luck yet.

Sjors commented at 9:44 am on October 8, 2020: member

Bitcoin QT shouldn’t crash like this, so that’s a bug in this PR. But for the problem with HWI itself, I suggest opening an issue in the HWI repository. We don’t do a lot of Windows testing, so that’s useful (cc @achow101).

Sjors force-pushed on Oct 8, 2020

Sjors force-pushed on Oct 15, 2020

laanwj referenced this in commit 924a4ff7eb on Oct 29, 2020

Sjors force-pushed on Nov 17, 2020

promag commented at 11:02 pm on November 22, 2020: contributor

Concept ACK. @Sjors you mention blocking calls, are you going to fix that here?

Bitcoin QT shouldn’t crash like this

Agree, I’m still on the base branch though.

Sjors commented at 8:55 am on November 23, 2020: member

I’m not very good at multi-threading stuff, so I might leave that problem to others, either via followup PR or cherry-picking a solution.

ryanofsky commented at 4:09 pm on November 23, 2020: contributor

I’m not very good at multi-threading stuff, so I might leave that problem to others, either via followup PR or cherry-picking a solution.

A lot of current GUI multithreading code is stupidly complicated. I wrote a utility function AsyncUpdate(async_fn, update_fn) to run slow blocking code and then update the GUI in https://github.com/bitcoin/bitcoin/commit/39c5492fabab52a888e8bc5303877ff6e4cce6f8 (example usage https://github.com/bitcoin/bitcoin/commit/eacd34144c1ee989c9ab43eb439fecca76addc76 and description https://github.com/bitcoin/bitcoin/issues/16874#issuecomment-632424392). AsyncUpdate takes two lambdas. The first lambda runs asynchronously in a thread, and when it finishes, its return value is passed as an argument to the second lambda which runs synchronously. The first lambda can run slow and blocking code and take long as it wants without freezing the GUI, while the second lambda can take the result and update the GUI. Restrictions are straightforward: The first lambda can’t access widgets directly (it can only read initial values, return a final result, and send signals if it wants to show progress messages or update a progress bar). The second lambda needs to be fast and not block, but it can directly update and access Qt widgets with the final result.

promag commented at 4:58 pm on November 23, 2020: contributor

@ryanofsky your AsyncUpdate is fine when async function doesn’t require user input, doesn’t give feedback like progress, or both, possibly multiple times. Otherwise, in these cases it would have to call multiple AsyncUpdate and then it starts to be a mess chaining those.

AsyncUpdate is also fine when there’s just one outcome, otherwise the async function needs to return a variant with each possible outcome and then the update function would have to check the effective result.

There’s also the case where the user wants to interrupt the async function, like quit, and in this case it wouldn’t work.

Another interesting problem with asynchronous updates are bursts, and usually most async calls should be avoid/debounced. I think we have a couple of these cases.

This is not to say AsyncUpdate isn’t useful, but to say that things get stupid very easily.

Lastly, I’d love to improve those stupidly complicated cases so we can use a consistent approach everywhere, and therefore anyone could feel confident and unafraid of asynchronous tasks.

ryanofsky commented at 5:48 pm on November 23, 2020: contributor

re: #4 (comment) @promag a lot of that comment isn’t true, and none of it is a reason not to write blocking code instead of calling AsyncUpdate.

Writing an AsyncUpdate call is about as easy as writing blocking code, and it prevents the GUI from freezing while an operation is running. The only major thing it doesn’t support currently is cancel notification (but it could take an optional cancel_fn argument in the future). So if the parent widget is deleted right now, GUI freeze will happen at the point of deletion. This is still better than freezing during the entire operation.

Almost everything in #4 (comment) is misleading. I would not suggest chaining AsyncUpdate calls: the only type of usage that makes sense is to having one AsyncUpdate call per long running operation. If there is a sequence of serial operations, they should all be in the same lambda. Supporting progress messages and progress updates is supported and trivial with signals. Input is possible with atomics, message queues, signals, or any other way you could think of passing data to an asynchronous thread. I don’t know what you are suggesting regarding multiple outcomes. Any outcome that can be represented as an object can be handled in the async_fn/update_fn paradigm, and if you are lazy and don’t want to specify an outcome type you can even have the async_fn return a std::function capturing arbitrary state and have the update_fn call that.

There are cases where you might prefer a more complicated approach over calling AsyncUpdate, like if you want a thread pool. But there should be not many cases where freezing the UI thread is preferable to calling AsyncUpdate. And there is existing GUI code that could be simplified and made more responsive with AsyncUpdate.

Sjors force-pushed on Nov 24, 2020

jonasschnelli referenced this in commit c33662a0ea on Dec 2, 2020

Sjors force-pushed on Dec 4, 2020

RandyMcMillan commented at 4:27 pm on December 4, 2020: contributor

checking whether to build with external signer support… configure: error: “External signer support requested but requires Boost.Pocess”

Boost.Process?

Sjors commented at 5:01 pm on December 4, 2020: member

@RandyMcMillan what operating system are you on? On macOS and Linux Boost Process comes with Boost, but on Windows it’s a separate package.

Sjors force-pushed on Dec 10, 2020

Sjors force-pushed on Dec 17, 2020

laanwj referenced this in commit e520e091db on Jan 6, 2021

Sjors force-pushed on Jan 22, 2021

Sjors commented at 7:47 pm on January 22, 2021: member

I’m surprised the master branch passes given this error: @MarcoFalke does bitcoinbuilds.org not test a build with --with-boost-process? (Travis did when I added RunCommandParseJSON)

Sjors force-pushed on Jan 29, 2021

Sjors commented at 3:05 pm on January 29, 2021: member

@jonasschnelli I believe the bitcoinbuilds.org Win64 machine needs to add --without-boost-process --disable-external-signer to its BITCOIN_CONFIG. I don’t know if that causes problems when building stuff before this PR. Alternatively it should not ignore ci/test/00_setup_env_win64.sh. https://bitcoinbuilds.org/?build=7162

Sjors force-pushed on Jan 29, 2021

Sjors force-pushed on Feb 13, 2021

Sjors force-pushed on Feb 21, 2021

laanwj referenced this in commit a9335e4f12 on Feb 23, 2021

Sjors force-pushed on Feb 23, 2021

luke-jr commented at 6:15 pm on February 28, 2021: member

rpc_help test needs updating

Sjors force-pushed on Mar 3, 2021

Sjors commented at 12:49 pm on March 28, 2021: member

I’ll rebase again after https://github.com/bitcoin/bitcoin/pull/21467 (which should also fix the rpc_help failure)

Sjors force-pushed on Apr 2, 2021

hebasto added the label Feature on Apr 3, 2021

MarcoFalke referenced this in commit 590e49ccf2 on Apr 4, 2021

RonSherfey changes_requested

RonSherfey commented at 3:14 pm on April 11, 2021: none

specified changes added

bitcoin-core deleted a comment on Apr 11, 2021

Sjors force-pushed on Apr 13, 2021

bitcoin-core deleted a comment on Apr 14, 2021

Sjors force-pushed on Apr 14, 2021

Sjors commented at 7:20 am on April 14, 2021: member

Rebased after bitcoin/bitcoin#21666.

hebasto added the label Wallet on Apr 19, 2021

Sjors force-pushed on Apr 22, 2021

Sjors marked this as ready for review on Apr 22, 2021

DrahtBot added the label Needs rebase on Apr 25, 2021

Sjors force-pushed on Apr 26, 2021

DrahtBot removed the label Needs rebase on Apr 26, 2021

RonSherfey changes_requested

RonSherfey commented at 10:37 am on April 26, 2021: none

Requested changes 1.4

MarcoFalke referenced this in commit bce09da122 on Apr 28, 2021

fanquake referenced this in commit fa00bb2c5c on Apr 29, 2021

Sjors force-pushed on Apr 30, 2021

bitcoin-core deleted a comment on Apr 30, 2021

MarcoFalke referenced this in commit eb9a1fe037 on May 7, 2021

hebasto commented at 11:11 am on May 10, 2021: member

Concept ACK.

Tested 8fcf25301cdbf00e81d749bbfff128c48bfa4f20 on Linux Mint 20.1 (Qt 5.12.8).

The default create wallet procedure leads to an error:

Screenshot from 2021-05-10 13-45-14

Screenshot from 2021-05-10 13-43-59

To workaround it I was forced to uncheck “External signer”, check “Disable Private Keys”, then check “External signer” again.

Tested:

wallet creation
verifying receiving address on a hww screen
signing a tx with a hww

Going to leave some comments about the code as well.

in src/qt/forms/optionsdialog.ui:260 in 8fcf25301c outdated

268+              </widget>
269+             </item>
270+            </layout>
271+           </item>
272+         </layout>
273+        </widget>

hebasto commented at 11:20 am on May 10, 2021:

28cd645cfd1842720594e1a8998843ce8ca7a850

I think the groupBoxHww should be placed before the verticalSpacer_Wallet.

in src/qt/optionsdialog.cpp:202 in 8fcf25301c outdated

198@@ -199,6 +199,7 @@ void OptionsDialog::setModel(OptionsModel *_model)
199     connect(ui->prune, &QCheckBox::clicked, this, &OptionsDialog::togglePruneWarning);
200     connect(ui->pruneSize, static_cast<void (QSpinBox::*)(int)>(&QSpinBox::valueChanged), this, &OptionsDialog::showRestartWarning);
201     connect(ui->databaseCache, static_cast<void (QSpinBox::*)(int)>(&QSpinBox::valueChanged), this, &OptionsDialog::showRestartWarning);
202+    connect(ui->externalSignerPath, &QLineEdit::textChanged, [this]{ showRestartWarning(); });

hebasto commented at 11:26 am on May 10, 2021:

28cd645cfd1842720594e1a8998843ce8ca7a850

Note to other reviewers. The QLineEdit::textChanged signal has the QString parameter that actually is a new text. Using a lambda instead of a slot makes discarding of this parameter explicit. I think this is a good practice.

promag commented at 11:44 pm on June 5, 2021:

6cdbc83e9341d1552faee4ccd8c190babc63e8d1

Should disable externalSignerPath if not defined ENABLE_EXTERNAL_SIGNER?

in src/qt/optionsmodel.cpp:126 in 8fcf25301c outdated

120+    if (!settings.contains("strExternalSignerPath"))
121+        settings.setValue("strExternalSignerPath", "");
122+
123+    if (!gArgs.SoftSetArg("-signer", settings.value("strExternalSignerPath").toString().toStdString())) {
124+        addOverriddenOption("-signer");
125+    }

hebasto commented at 11:31 am on May 10, 2021:

28cd645cfd1842720594e1a8998843ce8ca7a850

There is #295 that tries to unify new setting names. If you are agree with suggested convention, maybe rename strExternalSignerPath? If not, mind leaving a comment in #295?

Sjors commented at 1:34 pm on May 10, 2021:

I don’t have a strong preference either way. I renamed it to external_signer_path.

in src/qt/createwalletdialog.cpp:103 in 8fcf25301c outdated

93         ui->descriptor_checkbox->setEnabled(false);
94         ui->descriptor_checkbox->setChecked(true);
95 #endif
96+
97+#ifndef ENABLE_EXTERNAL_SIGNER
98+        ui->external_signer_checkbox->setToolTip(tr("Compiled without external signing support (required for external signing)"));

hebasto commented at 11:42 am on May 10, 2021:

0aa4d2d931cafbad70dc3f814ec6d8318f198cb3

Do you mind making a favor to translators by adding a translator comment, smth like this:

0        //: "External signing" means using devices such as hardware wallets.
1        ui->external_signer_checkbox->setToolTip(tr("Compiled without external signing support (required for external signing)"));

Sjors commented at 11:42 am on May 10, 2021: member

Odd, maybe a rebase issue; it should have checked the “disable private keys” box.

Update: I was able to reproduce. It was because calling setChecked triggers the corresponding connect().

in src/qt/receiverequestdialog.h:32 in 8fcf25301c outdated

28@@ -29,6 +29,7 @@ class ReceiveRequestDialog : public QDialog
29 private Q_SLOTS:
30     void on_btnCopyURI_clicked();
31     void on_btnCopyAddress_clicked();
32+    void on_btnVerify_clicked();

hebasto commented at 11:55 am on May 10, 2021:

9a8ef73a82d1268cbe7f679ae2a29cc3a9ef1d9e

I’d prefer to avoid the auto-connection feature in new code:

in src/qt/sendcoinsdialog.cpp:203 in 8fcf25301c outdated

198@@ -199,7 +199,16 @@ void SendCoinsDialog::setModel(WalletModel *_model)
199         // set default rbf checkbox state
200         ui->optInRBF->setCheckState(Qt::Checked);
201 
202-        if (model->wallet().privateKeysDisabled()) {
203+        if (model->wallet().hasExternalSigner()) {
204+            ui->sendButton->setText(tr("Sign on device"));

hebasto commented at 11:59 am on May 10, 2021:

2a6d94ce504f0edc14c151107721feec372874b1

This is the send button :) Maybe add “… and send”?

Sjors commented at 1:47 pm on May 10, 2021:

That would make the button very large.

Instead, I changed “Send” to “Sign and send” in the confirmation window.

hebasto commented at 12:01 pm on May 10, 2021: member

Approach ACK 8fcf25301cdbf00e81d749bbfff128c48bfa4f20.

I think we should try to have it in v22.0. Maybe add more banners that this feature is experimental?

hebasto added this to the milestone 22.0 on May 10, 2021

hebasto commented at 12:16 pm on May 10, 2021: member

~Having compile errors:~

EDIT: Sorry for noise, forgot make clean

Sjors force-pushed on May 10, 2021

Sjors commented at 1:49 pm on May 10, 2021: member

Rebased and addressed comments.

Sjors force-pushed on May 10, 2021

Sjors commented at 3:48 pm on May 10, 2021: member

I modified 214346f6a1d021a0c986512f17b419ae26bb1af4 to use WalletModelTransaction.sendCoins rather than directly broadcasting it. This takes care of adding labels. In order to do this, I had to add setWtx(const CTransactionRef&); to WalletModelTransaction which is a bit ugly. I believe @achow101 is working on a PR to use PSBT internally everywhere, which would probably be a good place to clean this up.

Sjors commented at 6:24 pm on May 10, 2021: member

When installing with make deploy I get an error message using hwi.py from the cloned repo. However when I use the binary HWI release it works fine. My guess this is a problem with my local Python environmental disaster.

DrahtBot added the label Needs rebase on May 10, 2021

hebasto approved

hebasto commented at 8:34 am on May 11, 2021: member

ACK c18d97ca978c74a3e5989508894febbd7ee9e36b, needs rebase.

The 214346f6a1d021a0c986512f17b419ae26bb1af4 commit breaks a bit changes from #220, but we could leave string optimizations and translation improvements for follow ups.

Sjors force-pushed on May 11, 2021

Sjors commented at 8:50 am on May 11, 2021: member

Rebased and add QLatin1String(" (*.psbt)").

DrahtBot removed the label Needs rebase on May 11, 2021

hebasto approved

hebasto commented at 9:39 am on May 11, 2021: member

re-ACK 8e6b5468323e0c0cddda028c3dc2b0eef883cf4a, only rebased and comment addressed since my previous review.

hebasto requested review from achow101 on May 11, 2021

hebasto requested review from promag on May 11, 2021

hebasto requested review from meshcollider on May 11, 2021

in configure.ac:336 in 8e6b546832 outdated

332@@ -333,9 +333,9 @@ AC_ARG_ENABLE([werror],
333     [enable_werror=no])
334 
335 AC_ARG_ENABLE([external-signer],
336-    [AS_HELP_STRING([--enable-external-signer],[compile external signer support (default is no, requires Boost::Process)])],
337+    [AS_HELP_STRING([--enable-external-signer],[compile external signer support (default is yes, requires Boost::Process)])],

fanquake commented at 1:14 am on May 12, 2021:

When did we decide to turn this on by default? This is not a change that should be slipped in via the GUI repo.

Sjors commented at 8:01 am on May 12, 2021:

This commit has been part of this PR since before the GUI repo existed (https://github.com/bitcoin/bitcoin/pull/16549). I could split it out to the main repo though.

Rspigler commented at 7:37 pm on May 12, 2021:

In https://github.com/bitcoin/bitcoin/pull/16546 it defaulted to off, and I see no discussion of the change in this original PR (https://github.com/bitcoin/bitcoin/pull/16549). It should probably be an explicit conversation in the main repo?

laanwj referenced this in commit ee9befe8b4 on May 12, 2021

Sjors force-pushed on May 12, 2021

Sjors commented at 7:53 pm on May 12, 2021: member

I moved the commit to turn this feature on for GUI builds to https://github.com/bitcoin/bitcoin/pull/21935

meshcollider commented at 9:12 am on May 13, 2021: contributor

Concept ACK, will review

Sjors commented at 10:52 am on May 13, 2021: member

Repeating comment from @ryanofsky here:

Would be nice to drop #ifdef ENABLE_EXTERNAL_SIGNER in the interface here and just return an empty vector in the implementation or throw a not-implemented exception. Cross-process interfaces are trying not to be conditional to avoid build complexity and fragile incompatibilities between builds.

Also maybe in general in this PR, preprocessor is a little more widely used that it needs to be. Preprocessor is great when you need to write platform specific fragments or cut out a significant external or internal dependency like boost or the wallet. But if you just want to act conditionally, normal code is a good way to go. I’d try to avoid conditional compilation except for the parts of the code directly depending on boost.

Sjors commented at 11:40 am on May 13, 2021: member

It’s difficult to get rid of #ifdef ENABLE_EXTERNAL_SIGNER, because most of the time the code refers to ExternalSigner which is not defined (since https://github.com/bitcoin/bitcoin/pull/21666/commits/54569cc6d6f54788169061004026e62e1c08440e). That also applies to node.h.

Sjors commented at 1:23 pm on May 13, 2021: member

I added a commit to reduce #ifdef ENABLE_EXTERNAL_SIGNER usage to bitcoin/bitcoin#21935.

CI failure is unrelated, see #327

in src/qt/createwalletdialog.cpp:88 in 71f30c0ed4 outdated

83@@ -63,11 +84,22 @@ CreateWalletDialog::CreateWalletDialog(QWidget* parent) :
84         ui->descriptor_checkbox->setToolTip(tr("Compiled without sqlite support (required for descriptor wallets)"));
85         ui->descriptor_checkbox->setEnabled(false);
86         ui->descriptor_checkbox->setChecked(false);
87+        ui->external_signer_checkbox->setEnabled(false);
88+        ui->external_signer_checkbox->setChecked(false

meshcollider commented at 2:12 am on May 15, 2021:

missing );

in src/qt/createwalletdialog.cpp:49 in 6080b0dcce outdated

45+        }
46+
47+    });
48+
49+    connect(ui->external_signer_checkbox, &QCheckBox::toggled, [this](bool checked) {
50+        if (checked) {

meshcollider commented at 2:50 am on May 15, 2021:

By the below comment The order matters, because connect() is called when toggling a checkbox, it would seem that the checkboxes should be disabled first before toggling?

Related: I notice currently that enabling external signer actually leaves blank_wallet_checkbox ticked. I think that’s because in setting disable_privkeys_checkbox as checked, it re-checks blank automatically. (on Mac)

Sjors commented at 4:43 pm on May 25, 2021:

I’m not sure if programatically toggling a disabled checkbox prevents it from calling toggled, but I’ve moved the disabling code up.

I also changed the behavior a bit: it now restores all other options to their default when unselecting external signer. I also documented that behavior.

in src/qt/sendcoinsdialog.cpp:325 in 6080b0dcce outdated

321@@ -313,14 +322,14 @@ bool SendCoinsDialog::PrepareSendText(QString& question_string, QString& informa
322         formatted.append(recipientElement);
323     }
324 
325-    if (model->wallet().privateKeysDisabled()) {
326+    if (model->wallet().privateKeysDisabled() && !model->wallet().hasExternalSigner()) {

meshcollider commented at 3:03 am on May 15, 2021:

As this condition is pretty logical and common now, maybe it should be given its own name e.g. noPrivateKeys()

Sjors commented at 4:43 pm on May 25, 2021:

noPrivateKeys() is a big ambiguous. It would have to be something like noPrivateKeysAndNoExternalSigner() which is pretty ugly…

meshcollider commented at 1:51 am on June 9, 2021:

What about noPrivateKeyAccess() or something - the condition is that there are keys either in the wallet itself or that the wallet can ‘use’ via the external signer. Not a big deal though.

meshcollider commented at 3:06 am on May 15, 2021: contributor

Code review and light manual testing ACK 6080b0dccea11f21f54a073c97c9a45d19b401b5 modulo comments below

MarcoFalke referenced this in commit c857148636 on May 15, 2021

hebasto added the label Waiting for author on May 20, 2021

jonatack commented at 7:10 pm on May 20, 2021: contributor

Big concept ACK.

Sjors commented at 8:01 pm on May 20, 2021: member

(I’m going to accumulate a few more reviews before updating)

hebasto removed the label Waiting for author on May 20, 2021

Sjors force-pushed on May 25, 2021

Sjors commented at 4:44 pm on May 25, 2021: member

Rebased an addressed (most of) @meshcollider’s comments.

Sjors force-pushed on May 26, 2021

DrahtBot added the label Needs rebase on May 27, 2021

gui: add external signer path to options dialog 6cdbc83e93

gui: create wallet with external signer eef8d64529

wallet: add displayAddress to interface 450cb40a34

gui: display address on external signer 62ac119f91

node: add externalSigners to interface 3f845ea299

gui: wallet creation detects external signer 24815c6309

gui: send using external signer 1c4b456e1a

Sjors force-pushed on May 27, 2021

Sjors commented at 12:43 pm on May 27, 2021: member

Rebased and slightly clarified the last commit.

DrahtBot removed the label Needs rebase on May 27, 2021

hebasto commented at 4:30 pm on June 1, 2021: member

Tested 1c4b456e1a0ccf0397d652f8c18201c3224c5c21 with HWW 2.0.2-rc.1 on Linux Mint 20.1 (Qt 5.12.8).

UPDATE: it was my fault – hww connection issues. Ignore this.

~The “External signer” checkbox is disabled when trying Menu -> File -> Create Wallet…~

~It could be enabled by checking the “Encrypt Wallet” checkbox, then unchecking it.~

hebasto approved

hebasto commented at 6:05 pm on June 1, 2021: member

ACK 1c4b456e1a0ccf0397d652f8c18201c3224c5c21, tested on Linux Mint 20.1 (Qt 5.12.8) with HWW 2.0.2-rc.1.

Tested:

build with --without-bdb configure option
build with --without-sqlite configure option
creating a wallet
verifying an address on the hww screen
signing a tx

The following comments could be addressed in follow ups.

If no external signer is connected, it is possible to activate the “External signer” checkbox by checking the “Encrypt Wallet” checkbox, then unchecking it. Of course, the further attempt to create a wallet with an external signer will ends with the crash. This illness pattern works even if the client is compiled without SQLite support:
The “Confirm send coins” could still be opened while verifying transaction details on a signing device.
All new translatable strings could be annotated with translator comments.

in src/qt/createwalletdialog.cpp:33 in eef8d64529 outdated

26@@ -27,14 +27,39 @@ CreateWalletDialog::CreateWalletDialog(QWidget* parent) :
27     });
28 
29     connect(ui->encrypt_wallet_checkbox, &QCheckBox::toggled, [this](bool checked) {
30-        // Disable the disable_privkeys_checkbox when isEncryptWalletChecked is
31+        // Disable the disable_privkeys_checkbox and external_signer_checkbox when isEncryptWalletChecked is
32         // set to true, enable it when isEncryptWalletChecked is false.
33         ui->disable_privkeys_checkbox->setEnabled(!checked);
34+        ui->external_signer_checkbox->setEnabled(!checked);

promag commented at 11:28 pm on June 5, 2021:

eef8d6452962cd4a8956d9ad268164715365b9ab

This should take into account ENABLE_EXTERNAL_SIGNER.

May I suggest adding a private slot update or updateState and move all logic there?

Sjors commented at 5:23 pm on June 15, 2021:

Adding a fix in bitcoin/bitcoin#21935. I agree this whole toggling code needs a refactor.

in src/qt/receiverequestdialog.cpp:93 in 62ac119f91 outdated

88@@ -89,6 +89,12 @@ void ReceiveRequestDialog::setInfo(const SendCoinsRecipient &_info)
89         ui->wallet_tag->hide();
90         ui->wallet_content->hide();
91     }
92+
93+    ui->btnVerify->setVisible(this->model->wallet().hasExternalSigner());

promag commented at 11:57 pm on June 5, 2021:

62ac119f919ae1160ed67af796f24b78025fa8e3

nit, drop this->.

in src/node/interfaces.cpp:176 in 3f845ea299 outdated

169@@ -170,6 +170,16 @@ class NodeImpl : public Node
170         }
171         return false;
172     }
173+#ifdef ENABLE_EXTERNAL_SIGNER
174+    std::vector<ExternalSigner> externalSigners() override
175+    {
176+        std::vector<ExternalSigner> signers = {};

promag commented at 0:20 am on June 6, 2021:

3f845ea2994f53e29abeb3fa158c35f1ee56e7e8

nit, drop = {}?

in src/qt/createwalletdialog.cpp:128 in 24815c6309 outdated

123+        // The order matters, because connect() is called when toggling a checkbox:
124+        ui->blank_wallet_checkbox->setEnabled(false);
125+        ui->blank_wallet_checkbox->setChecked(false);
126+        ui->disable_privkeys_checkbox->setEnabled(false);
127+        ui->disable_privkeys_checkbox->setChecked(true);
128+        const std::string label = signers[0].m_name;

promag commented at 0:27 am on June 6, 2021:

24815c6309431cb0797defaf7add1150bcf4b567

Could add comment “TODO show available signers in combobox, for now use 1st signer name”?

meshcollider commented at 1:48 am on June 9, 2021:

@promag it is just the name of the wallet so I don’t think it would be worth adding a combobox tbh. That might be confusing because it wouldn’t actually change between signers, it would just change the name.

in src/qt/createwalletdialog.h:31 in 24815c6309 outdated

26@@ -23,6 +27,10 @@ class CreateWalletDialog : public QDialog
27     explicit CreateWalletDialog(QWidget* parent);
28     virtual ~CreateWalletDialog();
29 
30+#ifdef ENABLE_EXTERNAL_SIGNER
31+    void setSigners(std::vector<ExternalSigner>& signers);

promag commented at 0:28 am on June 6, 2021:

24815c6309431cb0797defaf7add1150bcf4b567

nit const &.

Sjors commented at 5:09 pm on June 15, 2021:

I’m adding that to: https://github.com/bitcoin/bitcoin/pull/21935

in src/node/interfaces.cpp:174 in 3f845ea299 outdated

169@@ -170,6 +170,16 @@ class NodeImpl : public Node
170         }
171         return false;
172     }
173+#ifdef ENABLE_EXTERNAL_SIGNER
174+    std::vector<ExternalSigner> externalSigners() override

promag commented at 0:30 am on June 6, 2021:

3f845ea2994f53e29abeb3fa158c35f1ee56e7e8

Should we let this throw runtime_error? cc @ryanofsky

Sjors commented at 5:06 pm on June 15, 2021:

Most of these ifdefs are gone in https://github.com/bitcoin/bitcoin/pull/21935

promag commented at 0:49 am on June 6, 2021: contributor

Tested ACK 1c4b456e1a0ccf0397d652f8c18201c3224c5c21 but rebased with e033ca1379, with HWI 2.0.2, with Nano S and Nano X.

Testing included creating wallets, mess with settings, generate and verifying addresses, sign and sending.

I’ll test more but wanted to leave the partial review feedback.

achow101 commented at 5:31 pm on June 8, 2021: member

Code Review ACK 1c4b456e1a0ccf0397d652f8c18201c3224c5c21

Mostly reviewed the code, did a little bit of testing. I noticed that when HWI is doing something, there is no indication to the user that it is. It would be nice if there was some dialog box that said something was happening, otherwise there can be a minute or two where Core doesn’t indicate anything is happening, and nothing appears on the device.

in src/qt/createwalletdialog.cpp:125 in 24815c6309 outdated

120+        ui->external_signer_checkbox->setChecked(true);
121+        ui->encrypt_wallet_checkbox->setEnabled(false);
122+        ui->encrypt_wallet_checkbox->setChecked(false);
123+        // The order matters, because connect() is called when toggling a checkbox:
124+        ui->blank_wallet_checkbox->setEnabled(false);
125+        ui->blank_wallet_checkbox->setChecked(false);

meshcollider commented at 1:46 am on June 9, 2021:

nit: to be consistent with gui: create wallet with external signer, this should be true (modulo comment about it being ambiguous anyway).

meshcollider commented at 1:54 am on June 9, 2021: contributor

re-code-review ACK 1c4b456e1a0ccf0397d652f8c18201c3224c5c21

Agree with achow101’s comment about a ‘working’ message.

meshcollider merged this on Jun 9, 2021

meshcollider closed this on Jun 9, 2021

Sjors deleted the branch on Jun 9, 2021

sidhujag referenced this in commit fb0bf712b4 on Jun 9, 2021

fanquake referenced this in commit 7c561bea52 on Jun 17, 2021

jarolrod commented at 4:34 am on June 18, 2021: member

post-merge ACK, wanted to document that I tested this out with a coldcard and the process was smooth.

jb55 commented at 6:54 pm on June 23, 2021: contributor

@Sjors I tried this with my trezor1, I unlocked it on the command line on a wallet with a bip39 password, this is what pops up when I click create wallet: Jun23-115101

hwi --stdinpass --device-type=trezor --device-path webusb:001:14 enumerate

0[
1  {
2    "type": "trezor",
3    "path": "webusb:001:14",
4    "model": "trezor_1",
5    "needs_pin_sent": false,
6    "needs_passphrase_sent": false,
7    "fingerprint": "67e2434a"
8  }
9]

dunno if I’m doing something wrong

Sjors commented at 5:50 pm on June 24, 2021: member

Mmm, I’m not sure how the passphrase flow works. @achow101?

I might be that we need to add support for that, e.g. if needs_pin_sent or needs_passphrase_sent returns true, we prompt for that.

However in your case those are false. Or did you actually enter a password in the command line example? (given --stdinpass)

achow101 commented at 5:53 pm on June 24, 2021: member

The passphrase should be cached by the device, so if you try again after running HWI manually, it should work. But we do need to implement a passphrase workflow for needs_passphrase_sent: true.

jb55 commented at 6:38 pm on June 24, 2021: contributor

@achow101 I’ve never been able to get the trezor_1 passphrase cached with hwi, I’ve always had to do --stdinpass on every command. hmm maybe I need to update firmware or something…

achow101 commented at 6:53 pm on June 24, 2021: member

Oh right, Trezor 1 doesn’t have that, only Trezor T.

jb55 commented at 7:23 pm on June 24, 2021: contributor

@achow101 fwiw it caches fine when using trezorctl, dunno what they are doing.

hebasto added the label Needs release notes on Jun 28, 2021

hebasto commented at 4:30 am on June 28, 2021: member

@Sjors

Could you add release notes into https://github.com/bitcoin-core/bitcoin-devwiki/wiki/22.0-Release-Notes-draft#gui-changes?

Sjors commented at 9:15 am on June 28, 2021: member

@hebasto done, also for the RPC.

hebasto removed the label Needs release notes on Jun 28, 2021

fanquake referenced this in commit fad381b2f8 on Jan 7, 2022

MarcoFalke referenced this in commit 444b6b342d on Feb 15, 2022

fanquake referenced this in commit f9b522e50d on Feb 23, 2022

gwillen referenced this in commit 1756fb7e5a on Jun 1, 2022

bitcoin-core locked this on Aug 16, 2022

UI external signer support (e.g. hardware wallet) #4