
coldcard / ckbunker


CKBunker - A Bitcoin HSM solution to securely authorize transactions using an online Coldcard (over Tor)

Home Page: http://ckbunker.com

License: Other

Makefile 0.01% Python 7.39% JavaScript 86.57% CSS 0.37% HTML 5.66%


ckbunker's Issues

Adding to myNode

I was tinkering with adding this on myNode and ran into an error. I've got a few questions as well.

Questions

  • How critical is the data in the encrypted file? For example, if lost, are funds recoverable via seed, or does it add new things you would need to back up to easily recover funds? Derivation paths, additional passwords, etc.?
  • Is there an easy way to run setup only once rather than needing to start with setup, track if the user saves config, and restart the service with "run"? That process works well for people on the command line, but not for enabling a service. For example, I just want to link to :9823.
  • Would there be any security concerns running this as an always-on service?

Error

[08/02/2021-22:01:24] Got bunker settings from: ./data/bp-1850f665aa1e22c0.dat
[08/02/2021-22:01:25] Web server at:    http://localhost:9823/setup
[08/02/2021-22:01:25] Connecting to Coldcard.
[08/02/2021-22:01:25] Tord version: 0.3.5.12
[08/02/2021-22:01:25] Found Coldcard 207030635848.
[08/02/2021-22:01:28] Connected to Coldcard 207030635848.
Traceback (most recent call last):
  File "/opt/mynode/ckbunker/env/bin/ck-bunker", line 11, in <module>
    load_entry_point('bunker', 'console_scripts', 'ck-bunker')()
  File "/opt/mynode/ckbunker/env/lib/python3.7/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/opt/mynode/ckbunker/env/lib/python3.7/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/opt/mynode/ckbunker/env/lib/python3.7/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/mynode/ckbunker/env/lib/python3.7/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/mynode/ckbunker/env/lib/python3.7/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/opt/mynode/ckbunker/main.py", line 77, in setup_hsm
    asyncio.run(startup(True, local, config_file, None), debug=True)
  File "/usr/local/lib/python3.7/asyncio/runners.py", line 43, in run
    return loop.run_until_complete(main)
  File "/usr/local/lib/python3.7/asyncio/base_events.py", line 587, in run_until_complete
    return future.result()
  File "/opt/mynode/ckbunker/main.py", line 114, in startup
    await asyncio.gather(*aws)
  File "/opt/mynode/ckbunker/conn.py", line 80, in run
    await self.hsm_status()
  File "/opt/mynode/ckbunker/conn.py", line 185, in hsm_status
    h = h or (await self.send_recv(CCProtocolPacker.hsm_status()))
  File "/opt/mynode/ckbunker/conn.py", line 167, in send_recv
    return await asyncio.get_running_loop().run_in_executor(executor, doit)
  File "/usr/local/lib/python3.7/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/opt/mynode/ckbunker/conn.py", line 163, in doit
    return self.dev.send_recv(msg, **kws)
  File "/opt/mynode/ckbunker/env/lib/python3.7/site-packages/ckcc/client.py", line 163, in send_recv
    return CCProtocolUnpacker.decode(resp)
  File "/opt/mynode/ckbunker/env/lib/python3.7/site-packages/ckcc/protocol.py", line 236, in decode
    return d(msg)
  File "/opt/mynode/ckbunker/env/lib/python3.7/site-packages/ckcc/protocol.py", line 250, in err_
    raise CCProtoError("Coldcard Error: " + str(msg[4:], 'utf8', 'ignore'), msg[4:])
ckcc.protocol.CCProtoError: Coldcard Error: Unknown cmd

Use with c-lightning

It would be extremely cool if it could be used as HSM for c-lightning.
With a routing lightning node, you need to put the coins in hot storage. Using a real HSM could ensure that the funds in the hot wallet are used only for routing. Siphoning off the funds would be impossible even if the server was breached.

TOTP 2FA Show Qr Code on web browser

Would be better if the TOTP QR code showed up in the web browser for the user to set up... couldn't get the phone to pick up the QR code from the CC screen, have to manually enter the code.

Tord not working... only Tor browser works

Using Mac Catalina V 10.15.7 and python 3.9

Tord is running as a service via brew. When I open ckbunker setup I get
Unable to connect to local 'tord' server
in terminal.

When I click 'Operate Tor hidden service' tab in bunker setup page via browser I get
No local 'tord' server

Only when I open Tor browser does Ckbunker recognize Tor and allow me to generate an onion address.

Confusing wording in documentation https://ckbunker.com/policy.html#individual-rules

Screen Shot 2021-02-03 at 11 17 36 AM

When an element of the rule is has no value, then the restriction does not apply. For example, if Destination Whitelist is empty, then the Coldcard will not consider the destination address when considering the rule.

If no rules are defined, then no PSBT will be signed. This can be useful for text message signing applications. On the other hand, an empty rule, allows any transaction to be signed, so be careful!

This reads to me as: if no rules are defined (empty parameter) then no PSBT will be signed, i.e. all submitted PSBTs will be denied.

Maybe you should remove the

If no rules are defined, then no PSBT will be signed.

If empty==undefined, you should pick one word and use it throughout documentation.

My assessment of this section is: if all rules are empty then any PSBT submitted will be signed.

Please clarify so I can explain properly in Guide.
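The distinction this issue asks about, as an added example that is not part of the original post or of the CKBunker code: a small linter that separates "no rules" (nothing is signed) from "an empty rule" (anything is signed), following the documentation text quoted above. Field names are taken from the policy JSON shown elsewhere on this page; treating null, a missing key or an empty list as "no value" is an assumption, and the sample policies are constructed.

```python
import json

# Rule elements treated as restrictions. Names come from the policy JSON
# quoted on this page; which values count as "no value" is an assumption.
RESTRICTIONS = ("whitelist", "per_period", "max_amount", "users", "wallet")


def has_value(v):
    """Assumption: null, a missing key or an empty list/string is 'no value'."""
    return v is not None and v != [] and v != ""


def lint_policy(policy):
    """Return (verdict, findings) for a parsed HSM policy dict."""
    rules = policy.get("rules") or []
    if not rules:
        # No rules defined: per the quoted docs, no PSBT will be signed.
        return "signs-nothing", []
    verdict, findings = "restricted", []
    for i, rule in enumerate(rules):
        unset = [k for k in RESTRICTIONS if not has_value(rule.get(k))]
        if len(unset) == len(RESTRICTIONS):
            # Empty rule: per the quoted docs, any transaction is allowed.
            findings.append((i, "empty rule, any PSBT would be signed"))
            verdict = "signs-anything"
        elif unset:
            findings.append((i, "not restricted by: " + ", ".join(unset)))
    return verdict, findings


# Constructed sample policies (not taken from a real device).
NO_RULES = json.loads('{"period": 1440, "rules": []}')
EMPTY_RULE = json.loads('{"period": 1440, "rules": [{}]}')
PARTIAL = json.loads('''{"period": 1440, "rules": [
  {"whitelist": [], "per_period": 1000000, "max_amount": null,
   "users": ["Single"], "min_users": 1, "local_conf": false, "wallet": "1"}]}''')

if __name__ == "__main__":
    for name, pol in (("no rules", NO_RULES), ("empty rule", EMPTY_RULE),
                      ("partial rule", PARTIAL)):
        print(name, "->", lint_policy(pol))
```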

Pillow / Freetype library version skew

When I run ckbunker the captcha image is a broken image on the login page ... localhost:9823 ... if I open the image in a new tab I get ... make_captcha.py line 37 in draw dx,dy = fn.getsize('W') attribute error 'FreeTypeFont' object has no attribute 'getsize' ...

I've seen this on another project; the API has changed and "getsize" method isn't offered anymore.

HSM policy deletes Multisig Wallet on Coldcard

Created a 2-3 on the Coldcard.

Created an HSM policy.
{
  "never_log": false,
  "must_log": false,
  "priv_over_ux": false,
  "boot_to_hsm": null,
  "period": 1440,
  "set_sl": null,
  "allow_sl": null,
  "rules": [
    {
      "whitelist": [],
      "per_period": 1000000,
      "max_amount": null,
      "users": ["Single"],
      "min_users": 1,
      "local_conf": false,
      "wallet": "1"
    },
    {
      "whitelist": [],
      "per_period": 10000000,
      "max_amount": null,
      "users": ["Multisig"],
      "min_users": 1,
      "local_conf": false,
      "wallet": "CC-2-of-3"
    }
  ],
  "msg_paths": null,
  "share_xpubs": null,
  "share_addrs": null
}

Started HSM mode and let it run for a few hours... restarted the Coldcard and the multisig wallet was gone and the CC gave me an error that it couldn't run the HSM policy on device.

CC becomes unauthorized?

from @tehelsper

I've also noticed that the CC can lose connection with CKBunker after a while and need to be reset. This seemed to fix it. The ColdCard was still running and appeared to be in the expected state.

echo 0 > /sys/bus/usb/devices//authorized
echo 1 > /sys/bus/usb/devices//authorized

Unable to build on aarch64 linux

I've encountered an error when installing ckbunker on a RaspberryPi4 with aarch64-linux.
Hope someone knows a way to get the dependencies compatible...

Installing collected packages: Click, stem, attrs, chardet, multidict, idna, yarl, async-timeout, aiohttp, MarkupSafe, jinja2, aiohttp-jinja2, six, ecdsa, hidapi, pyaes, ckcc-protocol, bunker
Running setup.py install for hidapi ... error
ERROR: Command errored out with exit status 1:
command: /root/Coldcard/ENV/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-8vxcxhta/hidapi/setup.py'"'"'; file='"'"'/tmp/pip-install-8vxcxhta/hidapi/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record /tmp/pip-record-lsvtqog3/install-record.txt --single-version-externally-managed --compile --install-headers /root/Coldcard/ENV/include/site/python3.7/hidapi
cwd: /tmp/pip-install-8vxcxhta/hidapi/
Complete output (17 lines):
running install
running build
running build_ext
skipping 'hid.c' Cython extension (up-to-date)
skipping 'hidraw.c' Cython extension (up-to-date)
building 'hid' extension
creating build
creating build/temp.linux-aarch64-3.7
creating build/temp.linux-aarch64-3.7/hidapi
creating build/temp.linux-aarch64-3.7/hidapi/libusb
aarch64-linux-gnu-gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ihidapi/hidapi -I/usr/include/libusb-1.0 -I/usr/include/python3.7m -I/root/Coldcard/ENV/include/python3.7m -c hid.c -o build/temp.linux-aarch64-3.7/hid.o
aarch64-linux-gnu-gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ihidapi/hidapi -I/usr/include/libusb-1.0 -I/usr/include/python3.7m -I/root/Coldcard/ENV/include/python3.7m -c hidapi/libusb/hid.c -o build/temp.linux-aarch64-3.7/hidapi/libusb/hid.o
hidapi/libusb/hid.c:47:10: fatal error: libusb.h: No such file or directory
47 | #include <libusb.h>
| ^~~~~~~~~~
compilation terminated.
error: command 'aarch64-linux-gnu-gcc' failed with exit status 1
----------------------------------------
ERROR: Command errored out with exit status 1: /root/Coldcard/ENV/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-8vxcxhta/hidapi/setup.py'"'"'; file='"'"'/tmp/pip-install-8vxcxhta/hidapi/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record /tmp/pip-record-lsvtqog3/install-record.txt --single-version-externally-managed --compile --install-headers /root/Coldcard/ENV/include/site/python3.7/hidapi Check the logs for full command output.

Can't connect to coldcard wallet

Coldcard details:
Mk3 Rev C v4.1.2

Platform:
WSL2 - Ubuntu 22.04

Issue:
Coldcard has been connected to WSL as can be seen here:
image

But it does not show up in ckbunker list
image

More importantly it does not seem to be contactable by ckbunker
image
image

Python Exception "module 'jinja2' has no attribute 'contextfunction'"

A user is seeing this exception after installing CKBunker. Any ideas? Device is a Raspi 4.

Mar 31 06:54:55 myNode systemd[1]: ckbunker.service: Failed with result 'exit-code'.
Mar 31 06:54:55 myNode systemd[1]: ckbunker.service: Main process exited, code=exited, status=1/FAILURE
Mar 31 06:54:55 myNode ckbunker[1470]: AttributeError: module 'jinja2' has no attribute 'contextfunction'
Mar 31 06:54:55 myNode ckbunker[1470]:     @jinja2.contextfunction  # type: ignore
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/opt/mynode/ckbunker/env/lib/python3.8/site-packages/aiohttp_jinja2/helpers.py", line 12, in 
Mar 31 06:54:55 myNode ckbunker[1470]:     from .helpers import GLOBAL_HELPERS
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/opt/mynode/ckbunker/env/lib/python3.8/site-packages/aiohttp_jinja2/__init__.py", line 9, in 
Mar 31 06:54:55 myNode ckbunker[1470]:     import sys, os, asyncio, logging, aiohttp_jinja2, jinja2, time, weakref, re
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/opt/mynode/ckbunker/webapp.py", line 5, in 
Mar 31 06:54:55 myNode ckbunker[1470]:     import webapp
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/opt/mynode/ckbunker/main.py", line 110, in startup
Mar 31 06:54:55 myNode ckbunker[1470]:     return future.result()
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/usr/local/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
Mar 31 06:54:55 myNode ckbunker[1470]:     return loop.run_until_complete(main)
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/usr/local/lib/python3.8/asyncio/runners.py", line 44, in run
Mar 31 06:54:55 myNode ckbunker[1470]:     asyncio.run(startup(False, local, config_file, psbt), debug=True)
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/opt/mynode/ckbunker/main.py", line 68, in start_service
Mar 31 06:54:55 myNode ckbunker[1470]:     return __callback(*args, **kwargs)
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/opt/mynode/ckbunker/env/lib/python3.8/site-packages/click/core.py", line 760, in invoke
Mar 31 06:54:55 myNode ckbunker[1470]:     return ctx.invoke(self.callback, **ctx.params)
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/opt/mynode/ckbunker/env/lib/python3.8/site-packages/click/core.py", line 1404, in invoke
Mar 31 06:54:55 myNode ckbunker[1470]:     return _process_result(sub_ctx.command.invoke(sub_ctx))
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/opt/mynode/ckbunker/env/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
Mar 31 06:54:55 myNode ckbunker[1470]:     rv = self.invoke(ctx)
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/opt/mynode/ckbunker/env/lib/python3.8/site-packages/click/core.py", line 1055, in main
Mar 31 06:54:55 myNode ckbunker[1470]:     return self.main(*args, **kwargs)
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/opt/mynode/ckbunker/env/lib/python3.8/site-packages/click/core.py", line 1130, in __call__
Mar 31 06:54:55 myNode ckbunker[1470]:     sys.exit(load_entry_point('bunker', 'console_scripts', 'ck-bunker')())
Mar 31 06:54:55 myNode ckbunker[1470]:   File "/opt/mynode/ckbunker/env/bin/ck-bunker", line 33, in 
Mar 31 06:54:55 myNode ckbunker[1470]: Traceback (most recent call last):
Mar 31 06:54:54 myNode ckbunker[1470]: [31/03/2022-06:54:54] /mnt/hdd/mynode/ckbunker/bp-1850f665aa1e22c0.dat: not found (probably fine)
Mar 31 06:54:53 myNode systemd[1]: Started CKBunker.

Features on Tools page won't work

I can't get the recovery tool and address generator to work. The buttons aren't clickable. I've tried both in setup mode with no policy and with the policy outlined below.
Screen Shot 2021-02-05 at 12 12 08 PM

2021-02-05 12 15 10

Coldcard MK4 Stuck Boot, HSM Mode Used.

Currently I have a Coldcard that is now stuck while booting.

Steps to reproduce.
2. Enable HSM Mode
3. Plug into Dell R730 front usb port (left)
4. Device reboots many times in quick succession
5. Device halts and is bricked.

I believe this could be due to a power delivery issue.

Video
https://youtube.com/shorts/uAUxfT_uets?feature=share

Another thread of the same behavior.
https://www.reddit.com/r/coldcard/comments/11dxex7/mk4_no_longer_boots_past_title_screen/
