Forbidden Key Path Error

Hi,

I’m curious about why BIP48 paths like m/48’/0’/7’/2’/0/0 are restricted from signing transactions and checking addresses. This derivation path adheres to the BIP48 standard but uses a custom account index. Can Trezor team provide insight into this limitation?

This is getAddress params for the multisig address:

{
    "coin": "BTC",
    "path": [
        2147483696,
        2147483648,
        2147483655,
        2147483650
    ],
    "multisig": {
        "m": 2,
        "signatures": [
            "",
            ""
        ],
        "pubkeys": [
            {
                "address_n": [],
                "node": {
                    "depth": 0,
                    "child_num": 0,
                    "fingerprint": 0,
                    "chain_code": "0000000000000000000000000000000000000000000000000000000000000000",
                    "public_key": "03f3b7bfacd0788adc58a8ea64a254382435b8ef64d5c28eb64a9eecb288f2360c"
                }
            },
            {
                "address_n": [],
                "node": {
                    "depth": 0,
                    "child_num": 0,
                    "fingerprint": 0,
                    "chain_code": "0000000000000000000000000000000000000000000000000000000000000000",
                    "public_key": "03e68efbe3756217406c0b887c0646ebc6b695fc795194e82cb00207e13c58f7cf"
                }
            },
            {
                "address_n": [],
                "node": {
                    "depth": 0,
                    "child_num": 0,
                    "fingerprint": 0,
                    "chain_code": "0000000000000000000000000000000000000000000000000000000000000000",
                    "public_key": "03cae9774fd27f7584f99e110bcaa90d02f01e9de4fa6c3a613412e244f86d72ec"
                }
            }
        ]
    }
}

If I try to sign the transaction, I get “Input does not match scriptPubKey” error, have verified that the pubkeys generated from associated devices are correct.

{
    "coin": "BTC",
    "version": 2,
    "inputs": [
        {
            "amount": "80000",
            "address_n": [
                2147483696,
                2147483648,
                2147483655,
                2147483650,
                0,
                0
            ],
            "script_type": "SPENDWITNESS",
            "prev_hash": "83850a319d8a8541df979b4252390603085cc266f3a52a655fe8467d32e02eff",
            "prev_index": 0,
            "sequence": 4294967293,
            "multisig": {
                "m": 2,
                "pubkeys": [
                    {
                        "address_n": [],
                        "node": {
                            "depth": 0,
                            "child_num": 0,
                            "fingerprint": 0,
                            "chain_code": "0000000000000000000000000000000000000000000000000000000000000000",
                            "public_key": "03f3b7bfacd0788adc58a8ea64a254382435b8ef64d5c28eb64a9eecb288f2360c"
                        }
                    },
                    {
                        "address_n": [],
                        "node": {
                            "depth": 0,
                            "child_num": 0,
                            "fingerprint": 0,
                            "chain_code": "0000000000000000000000000000000000000000000000000000000000000000",
                            "public_key": "03e68efbe3756217406c0b887c0646ebc6b695fc795194e82cb00207e13c58f7cf"
                        }
                    },
                    {
                        "address_n": [],
                        "node": {
                            "depth": 0,
                            "child_num": 0,
                            "fingerprint": 0,
                            "chain_code": "0000000000000000000000000000000000000000000000000000000000000000",
                            "public_key": "03cae9774fd27f7584f99e110bcaa90d02f01e9de4fa6c3a613412e244f86d72ec"
                        }
                    }
                ],
                "signatures": [
                    "",
                    ""
                ]
            }
        }
    ],
    "outputs": [
        {
            "address": "bc1qveh5pvk05gnzw8rjkpkhqvu9lfcuj0xr99a4wf",
            "amount": "37535",
            "script_type": "PAYTOADDRESS"
        }
    ]
}

Descriptor:

wsh(sortedmulti(2,[36d799d4/48'/0'/2'/2']xpub6EitxRNNKCLSaiXkGSgtmiiYUnXSWSWwN8yqzYeLqnh5TY9A4ctowhuAYiTJ1YgQdmoRhEB35gnwUVUyQqixp7tatWtJr57HNBfeAtp2LJG/*/*,[5bda6d6f/48'/0'/18'/2']xpub6EJcozispr11daajvRth6EShS6BndZvnUN6mu1oo2crTZJqZrDmUZBXUSAyebVdqdf2A4AAqMFMDaeGs7tDsgqowLgP7ziquBFn1ejWLHhy/*/*,[d98f3472/48'/0'/7'/2']xpub6Eaat5DKiPYhtQidt49EELwrCZf8zkHH7LJ3vJ72UsfiNVBfRV9VcGXhJnTtJ47TAeTrr9unrLxdBovcnFA7jhsXNFaCazV3MbzqfVM6Ssr/*/*))

However, I’m able to sign message for derivation path m/48'/0'/7'/2'/0/0 using the same Trezor device.

Thanks!

cc @matejcik happy to share more details if needed

Is this on a Trezor One by any chance? By a cursory read, TT and TS3 should accept this derivation path. (didn’t test it yet though)

You can close this post. Change/Receive index & address index were missing from getAddressParams. Pubkeys were not sorted, so transaction signing does not work (which is working as intended as the address / script used sortedmulti)