← All apps
Bitcoin · Inheritance

Liana Signer

Policy-aware Miniscript signing

A policy-aware Liana Miniscript signer that only ever signs a PSBT genuinely matching a registered descriptor.

View the code

Last updated Jul 2026

Passport Prime

Signing review

Overview

Liana remains your wallet software, building and broadcasting transactions as usual. Passport registers the wallet’s descriptor and enforces a cryptographic gate: it will only sign a PSBT that matches a registered policy and spends through a path this device holds a key for. It understands and explains, in plain language, single-key, recovery (timelocked older(n)), and decaying multi-tier P2WSH policies.

Validated end to end on a Passport Prime dev unit: import a policy, verify an address, sign, export to SD, then finalize and broadcast in Liana on signet. The Bitcoin logic is host-testable with 22 fixture-backed tests. Taproot is shelved until the signing flow is fully fixture-tested; P2WSH only for now.

What it does

  • Connect to Liana: export the device’s BIP48 account xpub ([fp/48’/1’/0’/2’]tpub) with a network selector.
  • Import policy: load the descriptor through a guided, plain-language review of spend paths and signers.
  • Verify address: scan a receive address and confirm it derives from a registered wallet (100-index gap).
  • Sign: match a PSBT against registered policies, show the active spend path, slide to sign.
  • Returns partial signatures only. It never finalizes (Liana combines and broadcasts).
  • Export signed PSBT / key / descriptor to microSD, USB, internal storage, or Airlock; descriptor also as QR.
  • Manage: archive, restore, rename, and delete policies behind a confirmation gate.

Technical breakdown

How the proof-of-concept is built, for developers evaluating the platform.

01

The signing gate

src/liana/signing.rs::decide() refuses to sign unless three conditions hold: every input’s scriptPubKey derives from a registered descriptor, the active spend path can be inferred from the input nSequence, and the device owns a key on that path whose fingerprint is in the PSBT’s BIP32 derivations. Recovery-path spends are allowed but require explicit on-device confirmation.

02

PSBT matching

Matching derives candidate scriptPubKeys for each descriptor path across a 100-index gap and compares them against the PSBT inputs (src/liana/psbt.rs). Signing uses miniscript’s PsbtExt::sign() and returns partial signatures without finalizing, correct for Liana’s coordinator workflow.

03

Architecture & transport

src/liana/ holds the host-testable Bitcoin logic (descriptor, policy, psbt, signing, store) built on ngwallet’s re-export of bitcoin + miniscript, so it compiles for both the hosted simulator and the armv7a-unknown-xous-elf device. Descriptors and PSBTs move by file (microSD, USB, Airlock); there is no QR/UR PSBT import. Liana is file-only.

Dig into the source

README, architecture notes, and the wire protocol live in the repo.

BitcoinQnA/passport-liana-signer

More on Passport Prime