Skip to content

Merge master key fingerprint syscall and Remove Nano S #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
miketlk merged 17 commits into from
Jan 8, 2026
Merged

Merge master key fingerprint syscall and Remove Nano S #12

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
df58ad4
Add script for updating snapshots
miketlk May 29, 2025
cec2ed0
Update UI event handling to support the new SDK
miketlk Oct 30, 2025
8ba473a
Upgrade CodeQL actions to v3
miketlk Oct 30, 2025
cd861e6
Remove Nano S from GitHub test jobs
miketlk Oct 30, 2025
6e7e292
Remove Nano S from GitHub workflows
miketlk Oct 30, 2025
8ff7f88
Update Docker image for app builder (CodeQL workflow)
miketlk Oct 30, 2025
b79c96f
Limit Ragger tests in workflow to Nano S and Nano X
miketlk Oct 30, 2025
e4721a0
Fixing unit tests
iartemov-ledger Nov 24, 2025
5cdb4c3
Updating few tests that did not respect the derivation path hardening
iartemov-ledger Nov 20, 2025
d4a14f7
Special handling for get_extended_pubkey_at_path() distinguishing err…
iartemov-ledger Nov 24, 2025
7043be9
Removing DERIVE_MASTER flag, enforcing the derivation paths
iartemov-ledger Nov 14, 2025
111e93d
handler_get_master_fingerprint through new os_perso_get_master_key_id…
iartemov-ledger Nov 10, 2025
2b69066
Move requirements.txt to project root
miketlk Dec 17, 2025
4eb2281
Restrict derivation paths for the Liquid app
miketlk Dec 17, 2025
2743aa6
Fix broken pip dependencies in CI workflow
miketlk Dec 17, 2025
4bae3b0
Remove Nano S support from project configuration
miketlk Dec 17, 2025
d32593f
Merge pull request #11 from miketlk/merge-master-key-fingerprint-syscall
miketlk Dec 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/build_and_functional_tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,3 +33,4 @@ jobs:
with:
download_app_binaries_artifact: "compiled_app_binaries"
test_dir: "tests_liquid"
run_for_devices: '["nanosp","nanox"]'
14 changes: 5 additions & 9 deletions .github/workflows/ci-workflow.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,11 @@ on:

jobs:
job_build:
name: Compilation for NanoS, X, and S+
name: Compilation for Nano X, and S+

strategy:
matrix:
include:
- model: nanos
SDK: "$NANOS_SDK"
- model: nanox
SDK: "$NANOX_SDK"
- model: nanosp
Expand Down Expand Up @@ -113,7 +111,6 @@ jobs:
strategy:
matrix:
include:
- model: nanos
- model: nanox
- model: nanosp

Expand All @@ -137,16 +134,15 @@ jobs:

- name: Run tests
run: |
cd tests_liquid_main
pip install --prefer-binary -r requirements.txt
cd tests_liquid_main
PYTHONPATH=$PYTHONPATH:/speculos pytest --tb=short -v --device=${{matrix.model}} --speculos_api_port 5000

job_test_testnet:
name: Tests on testnet
strategy:
matrix:
include:
- model: nanos
- model: nanox
- model: nanosp

Expand All @@ -170,8 +166,8 @@ jobs:

- name: Run tests
run: |
cd tests_liquid_testnet
pip install --prefer-binary -r requirements.txt
cd tests_liquid_testnet
PYTHONPATH=$PYTHONPATH:/speculos pytest --tb=short -v --device=${{matrix.model}} --speculos_api_port 5000

job_test_python_lib_legacyapp:
Expand All @@ -197,9 +193,9 @@ jobs:

- name: Run tests
run: |
pip install --prefer-binary -r requirements.txt
cd bitcoin_client/tests
pip install -r requirements.txt
PYTHONPATH=$PYTHONPATH:/speculos pytest --headless --timeout=300 --model=nanos
PYTHONPATH=$PYTHONPATH:/speculos pytest --headless --timeout=300 --model=nanosp

job_test_js_lib:
if: false
Expand Down
10 changes: 3 additions & 7 deletions .github/workflows/codeql-workflow.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,18 +26,14 @@ jobs:
language: [ 'cpp' ]
runs-on: ubuntu-latest
container:
image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-legacy:latest
permissions:
actions: read
contents: read
security-events: write
image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest

steps:
- name: Clone
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-and-quality
Expand All @@ -47,5 +43,5 @@ jobs:
make BOLOS_SDK=${{ matrix.SDK }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@v3

174 changes: 81 additions & 93 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,35 +27,9 @@ ifeq ($(BOLOS_SDK),)
$(error Environment variable BOLOS_SDK is not set)
endif

include $(BOLOS_SDK)/Makefile.defines

# TODO: Compile with the right path restrictions
#
# The right path restriction would be something like
# --path "*'/0'"
# for mainnet, and
# --path "*'/1'"
# for testnet.
#
# That is, restrict the BIP-44 coin_type, but not the purpose.
# However, such wildcards are not currently supported by the OS.
#
# Note that the app still requires explicit user approval before exporting
# any xpub outside of a small set of allowed standard paths.

# Application allowed derivation curves.
CURVE_APP_LOAD_PARAMS = secp256k1

# Application allowed derivation paths.
#
# If there would be a dedicated SDK function returning master key
# fingerprint without the need to derive the root pubkey, the proper path
# configuration should be:
#
# PATH_APP_LOAD_PARAMS = "44'/1'" "48'/1'" "49'/1'" "84'/1'" "86'/1'"
#
PATH_APP_LOAD_PARAMS = ""

# Allowed SLIP21 paths
PATH_SLIP21_APP_LOAD_PARAMS = "LEDGER-Wallet policy"

Expand Down Expand Up @@ -83,94 +57,108 @@ VARIANT_VALUES = bitcoin_testnet bitcoin liquid_regtest liquid_testnet liquid
########################################
# Application custom permissions #
########################################
HAVE_APPLICATION_FLAG_DERIVE_MASTER = 1
HAVE_APPLICATION_FLAG_GLOBAL_PIN = 1
HAVE_APPLICATION_FLAG_BOLOS_SETTINGS = 1
ifneq (,$(findstring bitcoin,$(COIN)))
HAVE_APPLICATION_FLAG_LIBRARY = 1
endif


ifeq ($(COIN),bitcoin_testnet)
# Application allowed derivation paths (testnet).
PATH_APP_LOAD_PARAMS = "*/1'"

# Bitcoin testnet, no legacy support
DEFINES += BIP32_PUBKEY_VERSION=0x043587CF
DEFINES += BIP44_COIN_TYPE=1
DEFINES += COIN_P2PKH_VERSION=111
DEFINES += COIN_P2SH_VERSION=196
DEFINES += COIN_NATIVE_SEGWIT_PREFIX=\"tb\"
DEFINES += COIN_COINID_SHORT=\"TEST\"
# Bitcoin testnet, no legacy support
DEFINES += BIP32_PUBKEY_VERSION=0x043587CF
DEFINES += BIP44_COIN_TYPE=1
DEFINES += COIN_P2PKH_VERSION=111
DEFINES += COIN_P2SH_VERSION=196
DEFINES += COIN_NATIVE_SEGWIT_PREFIX=\"tb\"
DEFINES += COIN_COINID_SHORT=\"TEST\"

APPNAME = "Bitcoin Test"
DISPLAYED_APPNAME = "Bitcoin Testnet"
APPNAME = "Bitcoin Test"
DISPLAYED_APPNAME = "Bitcoin Testnet"

else ifeq ($(COIN),bitcoin)
# Application allowed derivation paths (mainnet).
PATH_APP_LOAD_PARAMS = "*/0'"

# the version for performance tests automatically approves all requests
# there is no reason to ever compile the mainnet app with this flag
ifneq ($(AUTOAPPROVE_FOR_PERF_TESTS),0)
$(error Use testnet app for performance tests)
endif

# Bitcoin mainnet, no legacy support
DEFINES += BIP32_PUBKEY_VERSION=0x0488B21E
DEFINES += BIP44_COIN_TYPE=0
DEFINES += COIN_P2PKH_VERSION=0
DEFINES += COIN_P2SH_VERSION=5
DEFINES += COIN_NATIVE_SEGWIT_PREFIX=\"bc\"
DEFINES += COIN_COINID_SHORT=\"BTC\"
# Bitcoin mainnet, no legacy support
DEFINES += BIP32_PUBKEY_VERSION=0x0488B21E
DEFINES += BIP44_COIN_TYPE=0
DEFINES += COIN_P2PKH_VERSION=0
DEFINES += COIN_P2SH_VERSION=5
DEFINES += COIN_NATIVE_SEGWIT_PREFIX=\"bc\"
DEFINES += COIN_COINID_SHORT=\"BTC\"

APPNAME = "Bitcoin"
APPNAME = "Bitcoin"

else ifeq ($(COIN),liquid_regtest)

# Liquid regtest
DEFINES += BIP32_PUBKEY_VERSION=0x043587CF
DEFINES += BIP32_PRIVKEY_VERSION=0x04358394
DEFINES += BIP44_COIN_TYPE=1
DEFINES += COIN_P2PKH_VERSION=111
DEFINES += COIN_P2SH_VERSION=75
DEFINES += COIN_PREFIX_CONFIDENTIAL=4
DEFINES += HAVE_LIQUID
DEFINES += LIQUID_NET_REGTEST
DEFINES += COIN_COINID_SHORT=\"tLBTC\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX=\"ert\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"el\"

APPNAME = "Liquid Regtest"
# Application allowed derivation paths (Liquid testnet/regtest).
PATH_APP_LOAD_PARAMS = "*/1'" # purpose=* / coin_type=Testnet(1)

# Liquid regtest
DEFINES += BIP32_PUBKEY_VERSION=0x043587CF
DEFINES += BIP32_PRIVKEY_VERSION=0x04358394
DEFINES += BIP44_COIN_TYPE=1
DEFINES += COIN_P2PKH_VERSION=111
DEFINES += COIN_P2SH_VERSION=75
DEFINES += COIN_PREFIX_CONFIDENTIAL=4
DEFINES += HAVE_LIQUID
DEFINES += LIQUID_NET_REGTEST
DEFINES += COIN_COINID_SHORT=\"tLBTC\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX=\"ert\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"el\"

APPNAME = "Liquid Regtest"

else ifeq ($(COIN),liquid_testnet)

# Liquid testnet
DEFINES += BIP32_PUBKEY_VERSION=0x043587CF
DEFINES += BIP32_PRIVKEY_VERSION=0x04358394
DEFINES += BIP44_COIN_TYPE=1
DEFINES += COIN_P2PKH_VERSION=36
DEFINES += COIN_P2SH_VERSION=19
DEFINES += COIN_PREFIX_CONFIDENTIAL=23
DEFINES += HAVE_LIQUID
DEFINES += LIQUID_NET_TESTNET
DEFINES += COIN_COINID_SHORT=\"tLBTC\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX=\"tex\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"tlq\"

APPNAME = "Liquid Testnet"
# Application allowed derivation paths (Liquid testnet/regtest).
PATH_APP_LOAD_PARAMS = "*/1'" # purpose=* / coin_type=Testnet(1)

# Liquid testnet
DEFINES += BIP32_PUBKEY_VERSION=0x043587CF
DEFINES += BIP32_PRIVKEY_VERSION=0x04358394
DEFINES += BIP44_COIN_TYPE=1
DEFINES += COIN_P2PKH_VERSION=36
DEFINES += COIN_P2SH_VERSION=19
DEFINES += COIN_PREFIX_CONFIDENTIAL=23
DEFINES += HAVE_LIQUID
DEFINES += LIQUID_NET_TESTNET
DEFINES += COIN_COINID_SHORT=\"tLBTC\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX=\"tex\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"tlq\"

APPNAME = "Liquid Testnet"

else ifeq ($(COIN),liquid)

# Liquid
DEFINES += BIP32_PUBKEY_VERSION=0x0488B21E
DEFINES += BIP32_PRIVKEY_VERSION=0x0488ADE4
DEFINES += BIP44_COIN_TYPE=1776
DEFINES += COIN_P2PKH_VERSION=57
DEFINES += COIN_P2SH_VERSION=39
DEFINES += COIN_PREFIX_CONFIDENTIAL=12
DEFINES += HAVE_LIQUID
DEFINES += LIQUID_NET_MAINNET
DEFINES += COIN_COINID_SHORT=\"LBTC\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX=\"ex\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"lq\"

APPNAME = "Liquid"
# Application allowed derivation paths (Liquid main network, liquidv1).
PATH_APP_LOAD_PARAMS = "*/1776'" # purpose=* / coin_type=Liquid(1776)

# Liquid
DEFINES += BIP32_PUBKEY_VERSION=0x0488B21E
DEFINES += BIP32_PRIVKEY_VERSION=0x0488ADE4
DEFINES += BIP44_COIN_TYPE=1776
DEFINES += COIN_P2PKH_VERSION=57
DEFINES += COIN_P2SH_VERSION=39
DEFINES += COIN_PREFIX_CONFIDENTIAL=12
DEFINES += HAVE_LIQUID
DEFINES += LIQUID_NET_MAINNET
DEFINES += COIN_COINID_SHORT=\"LBTC\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX=\"ex\"
DEFINES += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"lq\"

APPNAME = "Liquid"

else
ifeq ($(filter clean,$(MAKECMDGOALS)),)
$(error Unsupported COIN - use bitcoin_testnet, bitcoin, liquid_regtest, liquid_testnet, liquid)
endif
ifeq ($(filter clean,$(MAKECMDGOALS)),)
$(error Unsupported COIN - use bitcoin_testnet, bitcoin, liquid_regtest, liquid_testnet, liquid)
endif
endif

ifneq (,$(findstring liquid,$(COIN)))
Expand Down
2 changes: 1 addition & 1 deletion ledger_app.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
[app]
build_directory = "./"
sdk = "C"
devices = ["nanos", "nanox", "nanos+"]
devices = ["nanox", "nanos+"]

[tests]
unit_directory = "./unit-tests/"
Expand Down
Loading
Loading