lightningd: test that hsm_secret is as expected, at startup.

If you get the wrong hsm_secret, your node_id will change, and
peers won't know who you are, bitcoind will reject your transaction
signatures, and other madness.

Catch this as soon as it happens, by storing our node_id in the db.

Suggested-by: @cdecker, @fiatjaf
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Changelog-Changed: Config: `lightningd` will refuse to start with the wrong node_id (i.e. hsm_secret changes).
This commit is contained in:
Rusty Russell
2022-07-20 11:58:25 +09:30
parent e70729b04b
commit e96eb07ef4
6 changed files with 74 additions and 14 deletions

@@ -1048,9 +1048,12 @@ int main(int argc, char *argv[])
/*~ Our default names, eg. for the database file, are not dependent on
* the network. Instead, the db knows what chain it belongs to, and we
* simple barf here if it's wrong. */
if (!wallet_network_check(ld->wallet))
errx(1, "Wallet network check failed.");
* simple barf here if it's wrong.
*
* We also check that our node_id is what we expect: otherwise a change
* in hsm_secret will have strange consequences! */
if (!wallet_sanity_check(ld->wallet))
errx(1, "Wallet sanity check failed.");
/*~ Initialize the transaction filter with our pubkeys. */
init_txfilter(ld->wallet, ld->owned_txfilter);
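
Review bot: The new `errx(1, "Wallet sanity check failed.");` in main() is less specific than the "Wallet network check failed." message it replaces, although the call now covers two unrelated conditions (wrong chain, and a node_id that no longer matches the db). An operator hitting this at startup needs to know which one fired, because the fixes differ: point at the right network, or restore the original hsm_secret. If `wallet_sanity_check()` does not already log the cause along with the expected and actual values before returning false, the message here should say to check the log for it, or the function should return enough detail for main() to print it. The carried-over comment also still reads "simple barf"; "simply barf" was presumably meant, and it could be fixed while the line is being touched.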