Merge master key fingerprint syscall and remove Nano S support

.github/workflows/build_and_functional_tests.yml

@@ -34,3 +34,4 @@ jobs:
     with:
       download_app_binaries_artifact: "compiled_app_binaries"
       test_dir: "tests_liquid"
+      run_for_devices: '["nanosp","nanox"]'

.github/workflows/ci-workflow.yml

@@ -17,13 +17,11 @@ on:
 
 jobs:
   job_build:
-    name: Compilation for NanoS, X, and S+
+    name: Compilation for Nano X, and S+
 
     strategy:
       matrix:
         include:
-          - model: nanos
-            SDK: "$NANOS_SDK"
           - model: nanox
             SDK: "$NANOX_SDK"
           - model: nanosp
@@ -115,7 +113,6 @@ jobs:
     strategy:
       matrix:
         include:
-          - model: nanos
           - model: nanox
           - model: nanosp
 
@@ -139,16 +136,15 @@ jobs:
 
       - name: Run tests
         run: |
-          cd tests_liquid_main
           pip install --prefer-binary -r requirements.txt
+          cd tests_liquid_main
           PYTHONPATH=$PYTHONPATH:/speculos pytest --tb=short -v --device=${{matrix.model}} --speculos_api_port 5000
 
   job_test_testnet:
     name: Tests on testnet
     strategy:
       matrix:
         include:
-          - model: nanos
           - model: nanox
           - model: nanosp
 
@@ -172,8 +168,8 @@ jobs:
 
       - name: Run tests
         run: |
-          cd tests_liquid_testnet
           pip install --prefer-binary -r requirements.txt
+          cd tests_liquid_testnet
           PYTHONPATH=$PYTHONPATH:/speculos pytest --tb=short -v --device=${{matrix.model}} --speculos_api_port 5000
 
   job_test_python_lib_legacyapp:
@@ -199,9 +195,9 @@ jobs:
 
       - name: Run tests
         run: |
+          pip install --prefer-binary -r requirements.txt
           cd bitcoin_client/tests
-          pip install -r requirements.txt
-          PYTHONPATH=$PYTHONPATH:/speculos pytest --headless --timeout=300 --model=nanos
+          PYTHONPATH=$PYTHONPATH:/speculos pytest --headless --timeout=300 --model=nanosp
 
   job_test_js_lib:
     if: false

.github/workflows/codeql-workflow.yml

@@ -28,18 +28,14 @@ jobs:
         language: [ 'cpp' ]
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-legacy:latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
+      image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest
 
     steps:
       - name: Clone
         uses: actions/checkout@v4
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
@@ -49,5 +45,5 @@ jobs:
           make BOLOS_SDK=${{ matrix.SDK }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
 

Makefile

@@ -27,35 +27,9 @@ ifeq ($(BOLOS_SDK),)
 $(error Environment variable BOLOS_SDK is not set)
 endif
 
-include $(BOLOS_SDK)/Makefile.defines
-
-# TODO: Compile with the right path restrictions
-#
-#       The right path restriction would be something like
-#         --path "*'/0'"
-#       for mainnet, and
-#         --path "*'/1'"
-#       for testnet.
-#
-#       That is, restrict the BIP-44 coin_type, but not the purpose.
-#       However, such wildcards are not currently supported by the OS.
-#
-#       Note that the app still requires explicit user approval before exporting
-#       any xpub outside of a small set of allowed standard paths.
-
 # Application allowed derivation curves.
 CURVE_APP_LOAD_PARAMS = secp256k1
 
-# Application allowed derivation paths.
-#
-#       If there would be a dedicated SDK function returning master key
-#       fingerprint without the need to derive the root pubkey, the proper path
-#       configuration should be:
-#
-#       PATH_APP_LOAD_PARAMS = "44'/1'" "48'/1'" "49'/1'" "84'/1'" "86'/1'"
-#
-PATH_APP_LOAD_PARAMS = ""
-
 # Allowed SLIP21 paths
 PATH_SLIP21_APP_LOAD_PARAMS = "LEDGER-Wallet policy"
 
@@ -83,65 +57,70 @@ VARIANT_VALUES = liquid_regtest liquid_testnet liquid
 ########################################
 #     Application custom permissions   #
 ########################################
-HAVE_APPLICATION_FLAG_DERIVE_MASTER = 1
 HAVE_APPLICATION_FLAG_GLOBAL_PIN = 1
 HAVE_APPLICATION_FLAG_BOLOS_SETTINGS = 1
 
 ifeq ($(COIN),liquid_regtest)
-
-# Liquid regtest
-DEFINES   += BIP32_PUBKEY_VERSION=0x043587CF
-DEFINES   += BIP32_PRIVKEY_VERSION=0x04358394
-DEFINES   += BIP44_COIN_TYPE=1
-DEFINES   += COIN_P2PKH_VERSION=111
-DEFINES   += COIN_P2SH_VERSION=75
-DEFINES   += COIN_PREFIX_CONFIDENTIAL=4
-DEFINES   += HAVE_LIQUID
-DEFINES   += LIQUID_NET_REGTEST
-DEFINES   += COIN_COINID_SHORT=\"tLBTC\"
-DEFINES   += COIN_NATIVE_SEGWIT_PREFIX=\"ert\"
-DEFINES   += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"el\"
-
-APPNAME = "Liquid Regtest"
+    # Application allowed derivation paths (Liquid testnet/regtest).
+    PATH_APP_LOAD_PARAMS = "*/1'"   # purpose=* / coin_type=Testnet(1)
+
+    # Liquid regtest
+    DEFINES   += BIP32_PUBKEY_VERSION=0x043587CF
+    DEFINES   += BIP32_PRIVKEY_VERSION=0x04358394
+    DEFINES   += BIP44_COIN_TYPE=1
+    DEFINES   += COIN_P2PKH_VERSION=111
+    DEFINES   += COIN_P2SH_VERSION=75
+    DEFINES   += COIN_PREFIX_CONFIDENTIAL=4
+    DEFINES   += HAVE_LIQUID
+    DEFINES   += LIQUID_NET_REGTEST
+    DEFINES   += COIN_COINID_SHORT=\"tLBTC\"
+    DEFINES   += COIN_NATIVE_SEGWIT_PREFIX=\"ert\"
+    DEFINES   += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"el\"
+
+    APPNAME = "Liquid Regtest"
 
 else ifeq ($(COIN),liquid_testnet)
-
-# Liquid testnet
-DEFINES   += BIP32_PUBKEY_VERSION=0x043587CF
-DEFINES   += BIP32_PRIVKEY_VERSION=0x04358394
-DEFINES   += BIP44_COIN_TYPE=1
-DEFINES   += COIN_P2PKH_VERSION=36
-DEFINES   += COIN_P2SH_VERSION=19
-DEFINES   += COIN_PREFIX_CONFIDENTIAL=23
-DEFINES   += HAVE_LIQUID
-DEFINES   += LIQUID_NET_TESTNET
-DEFINES   += COIN_COINID_SHORT=\"tLBTC\"
-DEFINES   += COIN_NATIVE_SEGWIT_PREFIX=\"tex\"
-DEFINES   += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"tlq\"
-
-APPNAME = "Liquid Testnet"
+    # Application allowed derivation paths (Liquid testnet/regtest).
+    PATH_APP_LOAD_PARAMS = "*/1'"   # purpose=* / coin_type=Testnet(1)
+
+    # Liquid testnet
+    DEFINES   += BIP32_PUBKEY_VERSION=0x043587CF
+    DEFINES   += BIP32_PRIVKEY_VERSION=0x04358394
+    DEFINES   += BIP44_COIN_TYPE=1
+    DEFINES   += COIN_P2PKH_VERSION=36
+    DEFINES   += COIN_P2SH_VERSION=19
+    DEFINES   += COIN_PREFIX_CONFIDENTIAL=23
+    DEFINES   += HAVE_LIQUID
+    DEFINES   += LIQUID_NET_TESTNET
+    DEFINES   += COIN_COINID_SHORT=\"tLBTC\"
+    DEFINES   += COIN_NATIVE_SEGWIT_PREFIX=\"tex\"
+    DEFINES   += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"tlq\"
+
+    APPNAME = "Liquid Testnet"
 
 else ifeq ($(COIN),liquid)
-
-# Liquid
-DEFINES   += BIP32_PUBKEY_VERSION=0x0488B21E
-DEFINES   += BIP32_PRIVKEY_VERSION=0x0488ADE4
-DEFINES   += BIP44_COIN_TYPE=1776
-DEFINES   += COIN_P2PKH_VERSION=57
-DEFINES   += COIN_P2SH_VERSION=39
-DEFINES   += COIN_PREFIX_CONFIDENTIAL=12
-DEFINES   += HAVE_LIQUID
-DEFINES   += LIQUID_NET_MAINNET
-DEFINES   += COIN_COINID_SHORT=\"LBTC\"
-DEFINES   += COIN_NATIVE_SEGWIT_PREFIX=\"ex\"
-DEFINES   += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"lq\"
-
-APPNAME = "Liquid"
+    # Application allowed derivation paths (Liquid main network, liquidv1).
+    PATH_APP_LOAD_PARAMS = "*/1776'"   # purpose=* / coin_type=Liquid(1776)
+
+    # Liquid
+    DEFINES   += BIP32_PUBKEY_VERSION=0x0488B21E
+    DEFINES   += BIP32_PRIVKEY_VERSION=0x0488ADE4
+    DEFINES   += BIP44_COIN_TYPE=1776
+    DEFINES   += COIN_P2PKH_VERSION=57
+    DEFINES   += COIN_P2SH_VERSION=39
+    DEFINES   += COIN_PREFIX_CONFIDENTIAL=12
+    DEFINES   += HAVE_LIQUID
+    DEFINES   += LIQUID_NET_MAINNET
+    DEFINES   += COIN_COINID_SHORT=\"LBTC\"
+    DEFINES   += COIN_NATIVE_SEGWIT_PREFIX=\"ex\"
+    DEFINES   += COIN_NATIVE_SEGWIT_PREFIX_CONFIDENTIAL=\"lq\"
+
+    APPNAME = "Liquid"
 
 else
-ifeq ($(filter clean,$(MAKECMDGOALS)),)
-$(error Unsupported COIN - use liquid_regtest, liquid_testnet, liquid)
-endif
+    ifeq ($(filter clean,$(MAKECMDGOALS)),)
+        $(error Unsupported COIN - use liquid_regtest, liquid_testnet, liquid)
+    endif
 endif
 
 ifneq (,$(findstring liquid,$(COIN)))

ledger_app.toml

@@ -1,7 +1,7 @@
 [app]
 build_directory = "./"
 sdk = "C"
-devices = ["nanos", "nanox", "nanos+"]
+devices = ["nanox", "nanos+"]
 
 [tests]
 unit_directory = "./unit-tests/"