offline / multisig UX about gui HOT 6 OPEN

Unfortunately yes, there is always the online-offline-online information flow somewhat inherent in this workflow. USB sticks are popular for this but obviously have a certain amount of attack surface. QR codes are definitely the most popular proposed alternative I'm aware of (but for large transactions you end up needing more than one, which has its own issues.)

from gui.

Why does this start with, 'On your ONLINE computer: Click 'Save to file...'to save your unsigned transaction to a file and transport it to your offline computer'

Shouldn't the online computer only be used for broadcasting the transaction? This would be more secure

from gui.

@Rspigler The offline computer, inherently due to being offline, does not have a copy of the blockchain. That means it can't create transactions, because of Bitcoin's UTXO model. Every transaction must spend some coins, but you need the blockchain in order to know what coins you have.

I copied this basic workflow from Armory, and from BIP 174 PSBT, but in principle there are other workflows possible, and you could push more work onto the offline machine -- you could have the online machine merely provide a list of coins in the wallet, and let the offline machine perform all coin selection and transaction creation. I don't have a sense of what the benefits / drawbacks of such a setup might be. (In the Bitcoin setting, where all transaction contents are public, there can be no privacy benefit that I can see; everything will eventually have to pass through the online machine anyway. Any security benefit from having the offline machine build the transaction SHOULD also be available from using the offline machine to review the transaction before signing it, which is the current workflow that I think everybody uses.)

(One could imagine a privacy-coin setting, unlike Bitcoin, where the online machine need not even know which coins were spent. But I don't know enough to speculate about what information the offline machine would need for transaction creation in that case, and it's not directly relevant to Bitcoin Core at any rate.)

from gui.

'Facepalm'. Duh.

My concern was that if the workflow was going online->offline and back to online, that that wouldn't be a secure airgap, and would be an avenue for malware transfer.

If more work was pushed onto the offline machine, it would still need some data input, like you alluded to. Unless that data could be manually input on the offline machine (probably not recommended due to user error), qr codes would be a good solution because they have a small attack surface and are verifiable (unlike USB's).

from gui.

This probably is no longer the place for this discussion then, as I don't want to crowd or slow the implementation of better UX for current offline/multisig design.

Core produces QR codes currently, but doesn't have the ability to scan them: bitcoin/bitcoin#9913
This discussion can probably be continued after that is merged.

Is there still a plan for a general 'Wallet Composer File' like discussed here: bitcoin/bitcoin#18142

from gui.

There is now a proposed BIP standardizing a process for setting up multisignature wallets - bitcoin/bips#1097
Also a proposed BIP for an updated hierarchy for cosigners in multisignature wallets - bitcoin/bips#1089

This would include descriptor wallets, PSBTs, and (hopefully) QR codes.

from gui.