Liana Signer
Policy-aware Miniscript signing
A policy-aware Liana Miniscript signer that only ever signs a PSBT genuinely matching a registered descriptor.
Last updated Jul 2026

Signing review
Overview
Liana remains your wallet software, building and broadcasting transactions as usual. Passport registers the wallet’s descriptor and enforces a cryptographic gate: it will only sign a PSBT that matches a registered policy and spends through a path this device holds a key for. It understands and explains, in plain language, single-key, recovery (timelocked older(n)), and decaying multi-tier P2WSH policies.
Validated end to end on a Passport Prime dev unit: import a policy, verify an address, sign, export to SD, then finalize and broadcast in Liana on signet. The Bitcoin logic is host-testable with 22 fixture-backed tests. Taproot is shelved until the signing flow is fully fixture-tested; P2WSH only for now.
What it does
- Connect to Liana: export the device’s BIP48 account xpub ([fp/48'/1'/0'/2']tpub) with a network selector.
- Import policy: load the descriptor through a guided, plain-language review of spend paths and signers.
- Verify address: scan a receive address and confirm it derives from a registered wallet (100-index gap).
- Sign: match a PSBT against registered policies, show the active spend path, slide to sign.
- Returns partial signatures only. It never finalizes (Liana combines and broadcasts).
- Export signed PSBT / key / descriptor to microSD, USB, internal storage, or Airlock; descriptor also as QR.
- Manage: archive, restore, rename, and delete policies behind a confirmation gate.
Technical breakdown
How the proof-of-concept is built, for developers evaluating the platform.
The signing gate
src/liana/signing.rs::decide() refuses to sign unless three conditions hold: every input’s scriptPubKey derives from a registered descriptor, the active spend path can be inferred from the input nSequence, and the device owns a key on that path whose fingerprint is in the PSBT’s BIP32 derivations. Recovery-path spends are allowed but require explicit on-device confirmation.
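The three refusal conditions and the recovery confirmation, modelled as an added sketch (not the project's own code from src/liana/signing.rs). Every type and name here is a hypothetical stand-in, scriptPubKeys are assumed to be pre-derived, and the exact-match rule for nSequence is an assumption about how the path is inferred.

```rust
// Added sketch, std only: every type and name below is a hypothetical stand-in.
#[derive(Debug, PartialEq)]
pub enum Decision { Sign { recovery: bool }, Refuse(&'static str) }

pub struct Path { pub older: Option<u16>, pub fingerprints: Vec<[u8; 4]> } // older: None = primary path
pub struct Policy { pub scripts: Vec<Vec<u8>>, pub paths: Vec<Path> } // scripts: scriptPubKeys pre-derived over the gap window
pub struct Input { pub script_pubkey: Vec<u8>, pub sequence: u32, pub bip32_fps: Vec<[u8; 4]> }

// BIP68: bit 31 disables the relative lock, bit 22 selects time units, low 16 bits hold the value.
// Assumption: a recovery spend sets nSequence to exactly its tier's older(n); anything else fails closed.
fn infer_path(policy: &Policy, seq: u32) -> Option<&Path> {
    if seq & (1 << 31) != 0 { return policy.paths.iter().find(|p| p.older.is_none()); }
    if seq & (1 << 22) != 0 { return None; } // time-based locks are not modelled here
    let n = (seq & 0xffff) as u16;
    policy.paths.iter().find(|p| p.older == Some(n))
}

pub fn decide(policy: &Policy, inputs: &[Input], device_fp: [u8; 4], recovery_confirmed: bool) -> Decision {
    if inputs.is_empty() { return Decision::Refuse("no inputs"); }
    let mut recovery = false;
    for input in inputs {
        if !policy.scripts.contains(&input.script_pubkey) {
            return Decision::Refuse("input does not derive from the registered descriptor");
        }
        let path = match infer_path(policy, input.sequence) {
            Some(p) => p,
            None => return Decision::Refuse("spend path cannot be inferred from nSequence"),
        };
        if !path.fingerprints.contains(&device_fp) || !input.bip32_fps.contains(&device_fp) {
            return Decision::Refuse("device holds no key on the active path");
        }
        recovery |= path.older.is_some();
    }
    if recovery && !recovery_confirmed { return Decision::Refuse("recovery spend needs on-device confirmation"); }
    Decision::Sign { recovery }
}

// Constructed sample: primary key aa.., recovery key bb.. behind older(144); script bytes are dummies.
pub fn sample_policy() -> Policy {
    Policy { scripts: vec![vec![0x00, 0x20, 0x01]], paths: vec![
        Path { older: None, fingerprints: vec![[0xaa; 4]] },
        Path { older: Some(144), fingerprints: vec![[0xbb; 4]] },
    ] }
}

fn main() {
    let input = Input { script_pubkey: vec![0x00, 0x20, 0x01], sequence: 144, bip32_fps: vec![[0xbb; 4]] };
    println!("{:?}", decide(&sample_policy(), &[input], [0xbb; 4], false));
}
```

Each check returns a refusal as soon as it fails, so a PSBT with one unrecognized input or an ambiguous nSequence is never partially signed.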
PSBT matching
Matching derives candidate scriptPubKeys for each descriptor path across a 100-index gap and compares them against the PSBT inputs (src/liana/psbt.rs). Signing uses miniscript’s PsbtExt::sign() and returns partial signatures without finalizing, which is the correct behavior for Liana’s coordinator workflow.
Architecture & transport
src/liana/ holds the host-testable Bitcoin logic (descriptor, policy, psbt, signing, store) built on ngwallet’s re-export of bitcoin + miniscript, so it compiles for both the hosted simulator and the armv7a-unknown-xous-elf device. Descriptors and PSBTs move by file (microSD, USB, Airlock); there is no QR/UR PSBT import. Liana is file-only.
Dig into the source
README, architecture notes, and the wire protocol live in the repo.
