external_signer: validate fingerprint from enumerate response #35639

pull kwsantiago wants to merge 1 commits into bitcoin:master from privkeyio:signer-validate-fingerprint changing 2 files +9 −0
  1. kwsantiago commented at 2:24 AM on July 2, 2026: none

    enumeratesigners takes the fingerprint field from the external signer's enumerate output and stores it without checking it. That value is later handed back to the signer command as --fingerprint <value> (e.g. in displayaddress), so a malformed value propagates unchecked.

    A master key fingerprint is 4 bytes, i.e. 8 hex characters. This adds a check that the reported fingerprint is exactly 8 hex characters and throws a clear error otherwise. A functional test covers empty, wrong-length, and non-hex inputs.

  2. DrahtBot commented at 2:24 AM on July 2, 2026: contributor

    <!--e57a25ab6845829454e8d69fc972939a-->

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    <!--006a51241073e994b41acfe9ec718e94-->

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/35639.

    <!--021abf342d371248e50ceaed478a90ca-->

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK Sjors

    If your review is incorrectly listed, please copy-paste <code>&lt;!--meta-tag:bot-skip--&gt;</code> into the comment that the bot should ignore.

    <!--5faf32d7da4f0f540f40219e4f7537a3-->

  3. in src/external_signer.cpp:51 in 7b82478eee outdated
      47 | @@ -48,6 +48,9 @@ bool ExternalSigner::Enumerate(const std::string& command, std::vector<ExternalS
      48 |              throw std::runtime_error(strprintf("'%s' received invalid response, missing signer fingerprint", command));
      49 |          }
      50 |          const std::string& fingerprintStr{fingerprint.get_str()};
      51 | +        if (fingerprintStr.size() != 8 || !IsHex(fingerprintStr)) {
    


    vicjuma commented at 12:29 PM on July 2, 2026:

    Concept-wise this makes sense, but is it addressing a specific case you've observed — i.e. a supported external signer actually returning a malformed fingerprint? A linked issue or example would help clarify the failure and provide a useful context.


    kwsantiago commented at 1:23 PM on July 2, 2026:

    No specific issue I ran into specifically which I can report. A master fingerprint is always 8 hex chars, so this just validates it at the boundary and fails with a clear error instead of letting a bad value reach ParseHex() in SignTransaction

  4. external_signer: validate fingerprint from enumerate response 4c9de7d5b3
  5. kwsantiago force-pushed on Jul 2, 2026
  6. Sjors commented at 4:52 PM on July 4, 2026: member

    utACK 4c9de7d5b329f8ffca7222d8f53c2f5a5616dfc9

    The docs already specify that fingerprints must be 8 hex characters: https://github.com/bitcoin/bitcoin/blob/master/doc/external-signer.md#flag---fingerprint-fingerprint-required-except-for-enumerate

  7. willcl-ark added the label Wallet on Jul 8, 2026

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-07-09 06:47 UTC