Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Safer boarding input signature validation #798

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 10, 2025
Merged

Safer boarding input signature validation #798

merged 1 commit into from
Nov 10, 2025

Conversation

@louisinger
Copy link
Collaborator

@louisinger louisinger commented Nov 7, 2025
edited by coderabbitai bot
Loading

This PR ensures that VerifyAndCombinePartialTx is using the commitment tx built by the server to compute the signature hashes. Thus, a malicious user modifying witnessUtxo fields cannot provide fake valid signatures.

Also improve logging and error message of boarding input signature flow.

@altafan please review

Summary by CodeRabbit

  • Bug Fixes & Improvements
    • Improved Taproot signature verification logic for enhanced reliability.
    • Enhanced error messages for transaction signing failures for clearer diagnostics.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Nov 7, 2025
edited
Loading

Walkthrough

Changes improve commitment transaction signing and verification: adds debug logging for boarding input signing with updated error messages, refactors Taproot signature verification to use commitment-transaction-derived verification with stricter input filtering, and enhances wallet signing error messages to include outpoint information.

Changes

Cohort / File(s) Summary
Signing logs and error messages
internal/core/application/service.go, pkg/arkd-wallet/core/application/wallet/service.go		 Added debug log for boarding input signing in finalizeRound; updated error message from "failed to sign commitment tx" to "failed to sign boarding inputs of commitment tx". Enhanced wallet signing error to explicitly state when a script is not a wallet script and include outpoint information.
Commitment transaction verification refactoring
internal/infrastructure/tx-builder/covenantless/builder.go		 Refactored VerifyAndCombinePartialTx to replace inline Taproot signature verification with commitment-transaction-based verification using PrevOut fetcher. Changed input filtering to accept only inputs with exactly one TaprootLeafScript and matching TaprootScriptSpendSig. Replaced getTaprootPreimage helper with in-place CalcTapscriptSignaturehash-based preimage calculation. Added propagation of TaprootScriptSpendSig and TaprootLeafScript to commitment transaction inputs post-verification.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • builder.go requires careful review of the Taproot signature verification refactoring, especially the new input filtering logic and preimage computation flow
  • Verify that the stricter input filtering (exactly one TaprootLeafScript requirement) doesn't inadvertently reject valid signing scenarios
  • Confirm that signature verification state transitions correctly between verification and propagation steps

Possibly related PRs

Suggested reviewers

  • altafan
  • Kukks

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Safer boarding input signature validation' directly and specifically summarizes the main security-focused change: improving the validation of boarding input signatures through safer verification using the server's commitment transaction.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Nov 7, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7d544aa and a7ddf59.

📒 Files selected for processing (3)
  • internal/core/application/service.go (1 hunks)
  • internal/infrastructure/tx-builder/covenantless/builder.go (1 hunks)
  • pkg/arkd-wallet/core/application/wallet/service.go (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-08-19T10:58:41.042Z 
Learnt from: louisinger
Repo: arkade-os/arkd PR: 691
File: internal/core/application/service.go:557-562
Timestamp: 2025-08-19T10:58:41.042Z
Learning: In the arkd SubmitOffchainTx method, using the checkpoint PSBT input's tapscript (forfeit path) for the VtxoInput.Tapscript field is the correct behavior, not a bug as initially thought. The system correctly handles the relationship between checkpoint inputs and Ark transaction inputs.

Applied to files:

  • internal/infrastructure/tx-builder/covenantless/builder.go
  • pkg/arkd-wallet/core/application/wallet/service.go
🧬 Code graph analysis (2)
internal/core/application/service.go (1)
pkg/errors/errors.go (1)
  • INTERNAL_ERROR (208-208)
internal/infrastructure/tx-builder/covenantless/builder.go (1)
pkg/ark-lib/intent/proof.go (1)
  • Verify (53-128)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build and Scan
  • GitHub Check: integration tests
  • GitHub Check: unit tests
🔇 Additional comments (4)
pkg/arkd-wallet/core/application/wallet/service.go (1)

542-543: LGTM! Improved error message with outpoint information.

The enhanced error message now includes the previous outpoint, making it much easier to debug which specific input failed to sign. This aligns well with the PR's goal of improving logging and error messages.

internal/core/application/service.go (1)

2712-2712: LGTM! Enhanced logging for boarding input signing.

The added debug log and more specific error message at line 2721 improve traceability of the boarding input signing flow, making it easier to diagnose issues when signing the commitment transaction.

internal/infrastructure/tx-builder/covenantless/builder.go (2)

1049-1055: Excellent security improvement: commitment-tinned verification.

Using the commitment transaction's prevout fetcher ensures that signature verification is computed against the server-built transaction, preventing malicious users from supplying forged witnessUtxo fields to create seemingly valid signatures. This addresses the core security concern described in the PR objectives.

1059-1066: Stricter validation improves robustness—comment approved.

The code correctly validates boarding inputs with exactly one TaprootLeafScript (line 1059) rather than checking > 0. This strict check is appropriate given the architectural design: boarding inputs have a single forfeit path and therefore only one valid tapscript leaf. Taking the first signature (line 1069) is consistent with this single-signature-per-input constraint. The VerifyAndCombinePartialTx function returns INVALID_BOARDING_INPUT_SIG errors, confirming it's specifically used for boarding input signature verification, and the codebase maintains this invariant throughout.

@louisinger louisinger requested a review from altafan November 7, 2025 20:04
@altafan altafan merged commit d00def2 into arkade-os:master Nov 10, 2025
5 of 7 checks passed
This was referenced Nov 10, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@altafan altafan altafan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@louisinger @altafan