From 10b82e080f13ce13c330b66466b4c65bbcedb116 Mon Sep 17 00:00:00 2001 From: "Peter D. Gray" Date: Wed, 16 Apr 2025 15:01:32 -0400 Subject: [PATCH] edits --- releases/ChangeLog.md | 97 +++++++++++++++++++------------------- releases/History-Mk4.md | 43 +++++++++++++++++ releases/History-Q.md | 49 +++++++++++++++++++ releases/Next-ChangeLog.md | 54 ++------------------- 4 files changed, 145 insertions(+), 98 deletions(-) diff --git a/releases/ChangeLog.md b/releases/ChangeLog.md index 20ad3b98..42c26432 100644 --- a/releases/ChangeLog.md +++ b/releases/ChangeLog.md 
@@ -4,65 +4,64 @@ This lists the changes in the most recent firmware, for each hardware platform. # Shared Improvements - Both Mk4 and Q -- New signing features: - - Sign message from note text, or password note - - JSON message signing. Use JSON object to pass data to sign in form - `{"msg":"","subpath":"","addr_fmt": ""}` - - Sign message with key resulting from positive ownership check. Press (0) and - enter or scan message text to be signed. - - Sign message with key selected from Address Explorer Custom Path menu. Press (2) and - enter or scan message text to be signed. -- Enhancement: New address display format improves address verification on screen (groups of 4). -- Deltamode enhancements: - - Hide Secure Notes & Passwords in Deltamode. Wipe seed if notes menu accessed. - - Hide Seed Vault in Deltamode. Wipe seed if Seed Vault menu accessed. - - Catch more DeltaMode cases in XOR submenus. Thanks [@dmonakhov](https://github.com/dmonakhov) -- Enhancement: Add ability to switch between BIP-32 xpub, and obsolete SLIP-132 format - in `Export XPUB` -- Enhancement: Use the fact that master seed cannot be used as ephemeral seed, to show message - about successful master seed verification. -- Enhancement: Allow devs to override backup password. -- Enhancement: Add option to show/export full multisg addresses without censorship. Enable - in `Settings > Multisig Wallets > Full Address View`. -- Enhancement: If derivation path is omitted during message signing, derivation path - default is no longer root (m), instead it is based on requested address format - (`m/44h/0h/0h/0/0` for p2pkh, and `m/84h/0h/0h/0/0` for p2wpkh). Conversely, - if address format is not provided but subpath derivation starts with: - `m/84h/...` or `m/49h/...`, then p2wpkh or p2sh-p2wpkh respectively, is used. -- Bugfix: Sometimes see a struck screen after _Verifying..._ in boot up sequence. - On Q, result is blank screen, on Mk4, result is three-dots screen. 
-- Bugfix: Do not allow to enable/disable Seed Vault feature when in temporary seed mode. -- Bugfix: Bless Firmware causes hanging progress bar. -- Bugfix: Prevent yikes in ownership search. -- Bugfix: Factory-disabled NFC was not recognized correctly. -- Bugfix: Be more robust about flash filesystem holding the settings. -- Bugfix: Do not include sighash in PSBT input data, if sighash value is `SIGHASH_ALL`. -- Bugfix: Allow import of multisig descriptor with root (m) keys in it. - Thanks [@turkycat](https://github.com/turkycat) -- Change: Do not purge settings of current active tmp seed when deleting it from Seed Vault. -- Change: Rename Testnet3 -> Testnet4 (all parameters unchanged). +- Huge new feature: CCC - ColdCard Cosign + - COLDCARD holds a key in a 2-of-3 multisig, in addition to the normal signing key it has. + - it applies a spending policy like an HSM: + - velocity and magnitude limits + - whitelisted destination addresses + - 2FA authentication using phone app ([RFC 6238](https://www.rfc-editor.org/rfc/rfc6238)) + - but will sign its part of a transaction automatically if those condition are met, + giving you 2 keys of the multisig and control over the funds + - spending policy can be exceeded with help of the other co-signer (3rd key), when needed + - cannot view or change the CCC spending policy once set, policy violations are not explained + - existing multisig wallets can be used by importing the spending-policy-controlled key + +- New Feature: Multisig transactions are finalized. Allows use of [PushTX](https://pushtx.org/) + with multisig wallets. Read more [here](https://github.com/Coldcard/firmware/blob/master/docs/limitations.md#p2sh--multisig) +- New Feature: Signing artifacts re-export to various media. Now you have the option of + exporting the signing products (transaction/PSBT) to different media than the original source. + Incoming PSBT over QR can be signed and saved to SD card if desired. 
+- New Feature: Multisig export files are signed now. Read more [here](https://github.com/Coldcard/firmware/blob/master/docs/msg-signing.md#signed-exports) +- Enhancement: NFC export usability upgrade: NFC keeps exporting until CANCEL/X is pressed +- Enhancement: Add `Bitcoin Safe` option to `Export Wallet` +- Enhancement: 10% performance improvement in USB upload speed for large files +- Bugfix: Do not allow change Main PIN to same value already used as Trick PIN, even if + Trick PIN is hidden. +- Bugfix: Fix stuck progress bar under `Receiving...` after a USB communications failure +- Bugfix: Showing derivation path in Address Explorer for root key (m) showed double slash (//) +- Bugfix: Can restore developer backup with custom password other than 12 words format +- Bugfix: Virtual Disk auto mode ignores already signed PSBTs (with "-signed" in file name) +- Bugfix: Virtual Disk auto mode stuck on "Reading..." screen sometimes +- Bugfix: Finalization of foreign inputs from partial signatures. Thanks Christian Uebber +- Bugfix: Temporary seed from COLDCARD backup failed to load stored multisig wallets +- Change: `Destroy Seed` also removes all Trick PINs from SE2. +- Change: `Lock Down Seed` requires pressing confirm key (4) to execute # Mk4 Specific Changes -## 5.4.1 - 2025-02-13 +## 5.4.2 - 2025-04-16 -- Enhancement: Export single sig descriptor with simple QR. +- All of the above, but not Key Teleport which requires QR scanner. # Q Specific Changes -## 1.3.1Q - 2025-02-13 - -- New Feature: Verify Signed RFC messages via BBQr -- New Feature: Sign message from QR scan (format has to be JSON) -- Enhancement: Sign/Verify Address in Sparrow via QR -- Enhancement: Sign scanned Simple Text by pressing (0). Next screen query information - about which key to use. -- Enhancement: Add option to "Sort By Title" in Secure Notes and Passwords. Thanks to - [@MTRitchey](https://x.com/MTRitchey) for suggestion. 
-- Bugfix: Properly re-draw status bar after Restore Master on COLDCARD without master seed. +## 1.3.2Q - 2025-04-16 +- Feature: Key Teleport -- Easily and securely move seed phrases, secure notes/passwords, + multisig PSBT files, and even full Coldcard backups, between two Q using QR codes + and/or NFC with helper website. See protocol spec in + [docs/key-teleport.md](https://github.com/Coldcard/firmware/blob/master/docs/key-teleport.md) + - can send master seed (words, xprv), anything held in seed vault, secure notes/passwords + (singular, or all) and PSBT involved in a multisig to the other co-signers + - full COLDCARD backup is possible as well, but receiver must be "unseeded" Q for best result + - ECDH to create session key for AES-256-CTR, with another layer of AES-256-CTR using a + short password (stretched by PBKDF2-SHA512) inside + - receiver shows sender a (simple) QR and a numeric code; sender replies with larger BBQr + and 8-char password +- Enhancement: Always choose the biggest possible display size for QR +- Bugfix: Only BBQr is allowed to export Coldcard, Core, and pretty descriptor # Release History diff --git a/releases/History-Mk4.md b/releases/History-Mk4.md index dfd7e37c..1eb631bf 100644 --- a/releases/History-Mk4.md +++ b/releases/History-Mk4.md 
@@ -1,5 +1,48 @@ *See ChangeLog.md for more recent changes, these are historic versions* +## 5.4.1 - 2025-02-13 + +- New signing features: + - Sign message from note text, or password note + - JSON message signing. Use JSON object to pass data to sign in form + `{"msg":"","subpath":"","addr_fmt": ""}` + - Sign message with key resulting from positive ownership check. Press (0) and + enter or scan message text to be signed. + - Sign message with key selected from Address Explorer Custom Path menu. Press (2) and + enter or scan message text to be signed. +- Enhancement: New address display format improves address verification on screen (groups of 4). +- Deltamode enhancements: + - Hide Secure Notes & Passwords in Deltamode. Wipe seed if notes menu accessed. + - Hide Seed Vault in Deltamode. Wipe seed if Seed Vault menu accessed. + - Catch more DeltaMode cases in XOR submenus. Thanks [@dmonakhov](https://github.com/dmonakhov) +- Enhancement: Add ability to switch between BIP-32 xpub, and obsolete SLIP-132 format + in `Export XPUB` +- Enhancement: Use the fact that master seed cannot be used as ephemeral seed, to show message + about successful master seed verification. +- Enhancement: Allow devs to override backup password. +- Enhancement: Add option to show/export full multisg addresses without censorship. Enable + in `Settings > Multisig Wallets > Full Address View`. +- Enhancement: If derivation path is omitted during message signing, derivation path + default is no longer root (m), instead it is based on requested address format + (`m/44h/0h/0h/0/0` for p2pkh, and `m/84h/0h/0h/0/0` for p2wpkh). Conversely, + if address format is not provided but subpath derivation starts with: + `m/84h/...` or `m/49h/...`, then p2wpkh or p2sh-p2wpkh respectively, is used. +- Bugfix: Sometimes see a struck screen after _Verifying..._ in boot up sequence. + On Q, result is blank screen, on Mk4, result is three-dots screen. 
+- Bugfix: Do not allow to enable/disable Seed Vault feature when in temporary seed mode. +- Bugfix: Bless Firmware causes hanging progress bar. +- Bugfix: Prevent yikes in ownership search. +- Bugfix: Factory-disabled NFC was not recognized correctly. +- Bugfix: Be more robust about flash filesystem holding the settings. +- Bugfix: Do not include sighash in PSBT input data, if sighash value is `SIGHASH_ALL`. +- Bugfix: Allow import of multisig descriptor with root (m) keys in it. + Thanks [@turkycat](https://github.com/turkycat) +- Change: Do not purge settings of current active tmp seed when deleting it from Seed Vault. +- Change: Rename Testnet3 -> Testnet4 (all parameters unchanged). +- Mk4 Specific Change: + - Enhancement: Export single sig descriptor with simple QR. + + ## 5.4.0 - 2024-09-12 - New Feature: Opt-in support for unsorted multisig, which ignores BIP-67 policy. Use diff --git a/releases/History-Q.md b/releases/History-Q.md index a90cea0b..0fb3c217 100644 --- a/releases/History-Q.md +++ b/releases/History-Q.md 
@@ -1,5 +1,54 @@ *See ChangeLog.md for more recent changes, these are historic versions* +## 1.3.1Q - 2025-02-13 + +- New signing features: + - Sign message from note text, or password note + - JSON message signing. Use JSON object to pass data to sign in form + `{"msg":"","subpath":"","addr_fmt": ""}` + - Sign message with key resulting from positive ownership check. Press (0) and + enter or scan message text to be signed. + - Sign message with key selected from Address Explorer Custom Path menu. Press (2) and + enter or scan message text to be signed. +- Enhancement: New address display format improves address verification on screen (groups of 4). +- Deltamode enhancements: + - Hide Secure Notes & Passwords in Deltamode. Wipe seed if notes menu accessed. + - Hide Seed Vault in Deltamode. Wipe seed if Seed Vault menu accessed. + - Catch more DeltaMode cases in XOR submenus. Thanks [@dmonakhov](https://github.com/dmonakhov) +- Enhancement: Add ability to switch between BIP-32 xpub, and obsolete SLIP-132 format + in `Export XPUB` +- Enhancement: Use the fact that master seed cannot be used as ephemeral seed, to show message + about successful master seed verification. +- Enhancement: Allow devs to override backup password. +- Enhancement: Add option to show/export full multisg addresses without censorship. Enable + in `Settings > Multisig Wallets > Full Address View`. +- Enhancement: If derivation path is omitted during message signing, derivation path + default is no longer root (m), instead it is based on requested address format + (`m/44h/0h/0h/0/0` for p2pkh, and `m/84h/0h/0h/0/0` for p2wpkh). Conversely, + if address format is not provided but subpath derivation starts with: + `m/84h/...` or `m/49h/...`, then p2wpkh or p2sh-p2wpkh respectively, is used. +- Bugfix: Sometimes see a struck screen after _Verifying..._ in boot up sequence. + On Q, result is blank screen, on Mk4, result is three-dots screen. 
+- Bugfix: Do not allow to enable/disable Seed Vault feature when in temporary seed mode. +- Bugfix: Bless Firmware causes hanging progress bar. +- Bugfix: Prevent yikes in ownership search. +- Bugfix: Factory-disabled NFC was not recognized correctly. +- Bugfix: Be more robust about flash filesystem holding the settings. +- Bugfix: Do not include sighash in PSBT input data, if sighash value is `SIGHASH_ALL`. +- Bugfix: Allow import of multisig descriptor with root (m) keys in it. + Thanks [@turkycat](https://github.com/turkycat) +- Change: Do not purge settings of current active tmp seed when deleting it from Seed Vault. +- Change: Rename Testnet3 -> Testnet4 (all parameters unchanged). + +- New Feature: Verify Signed RFC messages via BBQr +- New Feature: Sign message from QR scan (format has to be JSON) +- Enhancement: Sign/Verify Address in Sparrow via QR +- Enhancement: Sign scanned Simple Text by pressing (0). Next screen query information + about which key to use. +- Enhancement: Add option to "Sort By Title" in Secure Notes and Passwords. Thanks to + [@MTRitchey](https://x.com/MTRitchey) for suggestion. +- Bugfix: Properly re-draw status bar after Restore Master on COLDCARD without master seed. + ## 1.3.0Q - 2024-09-12 diff --git a/releases/Next-ChangeLog.md b/releases/Next-ChangeLog.md index b578f8f9..ceff9833 100644 --- a/releases/Next-ChangeLog.md +++ b/releases/Next-ChangeLog.md 
@@ -2,64 +2,20 @@ This lists the new changes that have not yet been published in a normal release. - # Shared Improvements - Both Mk4 and Q -- Huge new feature: CCC - ColdCard Cosign - - COLDCARD holds a key in a 2-of-3 multisig, in addition to the normal signing key it has. - - it applies a spending policy like an HSM: - - velocity and magnitude limits - - whitelisted destination addresses - - 2FA authentication using phone app ([RFC 6238](https://www.rfc-editor.org/rfc/rfc6238)) - - but will sign its part of a transaction automatically if those condition are met, - giving you 2 keys of the multisig and control over the funds - - spending policy can be exceeded with help of the other co-signer (3rd key), when needed - - cannot view or change the CCC spending policy once set, policy violations are not explained - - existing multisig wallets can be used by importing the spending-policy-controlled key - -- New Feature: Multisig transactions are finalized. Allows use of [PushTX](https://pushtx.org/) - with multisig wallets. Read more [here](https://github.com/Coldcard/firmware/blob/master/docs/limitations.md#p2sh--multisig) -- New Feature: Signing artifacts re-export to various media. Now you have the option of - exporting the signing products (transaction/PSBT) to different media than the original source. - Incoming PSBT over QR can be signed and saved to SD card if desired. -- New Feature: Multisig export files are signed now. Read more [here](https://github.com/Coldcard/firmware/blob/master/docs/msg-signing.md#signed-exports) -- Enhancement: NFC export usability upgrade: NFC keeps exporting until CANCEL/X is pressed -- Enhancement: Add `Bitcoin Safe` option to `Export Wallet` -- Enhancement: 10% performance improvement in USB upload speed for large files -- Bugfix: Do not allow change Main PIN to same value already used as Trick PIN, even if - Trick PIN is hidden. 
-- Bugfix: Fix stuck progress bar under `Receiving...` after a USB communications failure -- Bugfix: Showing derivation path in Address Explorer for root key (m) showed double slash (//) -- Bugfix: Can restore developer backup with custom password other than 12 words format -- Bugfix: Virtual Disk auto mode ignores already signed PSBTs (with "-signed" in file name) -- Bugfix: Virtual Disk auto mode stuck on "Reading..." screen sometimes -- Bugfix: Finalization of foreign inputs from partial signatures. Thanks Christian Uebber -- Bugfix: Temporary seed from COLDCARD backup failed to load stored multisig wallets -- Change: `Destroy Seed` also removes all Trick PINs from SE2. -- Change: `Lock Down Seed` requires pressing confirm key (4) to execute +- tbd # Mk4 Specific Changes -## 5.4.2 - 2025-04-17 +## 5.4.? - 2025-05- -- All of the above, but not Key Teleport which requires QR scanner. +- tbd # Q Specific Changes -## 1.3.2Q - 2025-04-17 +## 1.3.?Q - 2025-05- -- Feature: Key Teleport -- Easily and securely move seed phrases, secure notes/passwords, - multisig PSBT files, and even full Coldcard backups, between two Q using QR codes - and/or NFC with helper website. See protocol spec in - [docs/key-teleport.md](https://github.com/Coldcard/firmware/blob/master/docs/key-teleport.md) - - can send master seed (words, xprv), anything held in seed vault, secure notes/passwords - (singular, or all) and PSBT involved in a multisig to the other co-signers - - full COLDCARD backup is possible as well, but receiver must be "unseeded" Q for best result - - ECDH to create session key for AES-256-CTR, with another layer of AES-256-CTR using a - short password (stretched by PBKDF2-SHA512) inside - - receiver shows sender a (simple) QR and a numeric code; sender replies with larger BBQr - and 8-char password -- Enhancement: Always choose the biggest possible display size for QR -- Bugfix: Only BBQr is allowed to export Coldcard, Core, and pretty descriptor +- tbd
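Review bot: In the releases/ChangeLog.md hunk, the new Mk4 5.4.2 entry "All of the above, but not Key Teleport which requires QR scanner" refers to a feature that appears only further down, under the 1.3.2Q heading, so nothing "above" it mentions Key Teleport. Consider rewording it to say that Mk4 gets all shared improvements and that Key Teleport is Q-only. The headings in this hunk are dated 2025-04-16, while the lines removed from releases/Next-ChangeLog.md carried 2025-04-17 for the same 5.4.2 and 1.3.2Q releases; please confirm which date is intended. Minor: "if those condition are met" in the CCC entry should read "those conditions".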
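Review bot: In the releases/History-Mk4.md hunk, the 5.4.1 text is moved over with its existing typos: "full multisg addresses" should be "multisig", and "Sometimes see a struck screen" looks like it should be "stuck screen". Since these lines are being re-added anyway, this move is a good place to correct them, so the archived history does not keep the errors.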
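Review bot: In the releases/History-Q.md hunk, the Q-only items (from "New Feature: Verify Signed RFC messages via BBQr" onward) follow the shared list after only a blank line, whereas the matching History-Mk4.md hunk introduces its platform item with a "Mk4 Specific Change:" bullet. Adding an equivalent "Q Specific Changes:" label would keep the two history files consistent and make clear which entries do not apply to Mk4. The same "multisg" and "struck screen" typos are duplicated here.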
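Review bot: In the releases/Next-ChangeLog.md hunk, the new headings "## 5.4.? - 2025-05-" and "## 1.3.?Q - 2025-05-" end in a truncated date, which reads like an editing accident rather than a deliberate placeholder. Suggest an explicit marker such as "TBD" for both the version and the date, matching the "- tbd" bullets added below them. The commit subject "edits" also gives no hint that this commit promotes 5.4.2 / 1.3.2Q to ChangeLog.md and archives 5.4.1 / 1.3.1Q to the history files; a descriptive subject would help anyone auditing the release history later.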