CIP-105 / CIP-1852: suggested HD paths incompatible with security policy of Ledger HWW for Conway roles

[ptrdsh]

Hi,
CIP-105/CIP-1852 suggest to use the derivation path structure: m / purpose' / coin_type' / account' / role / index
with the following logic for roles:

Name	Value	Description
External chain	0	Same as defined in BIP44
Internal chain	1	Same as defined in BIP44
Staking Key	2	See CIP-0011
DRep Key	3	See CIP-0105
Constitutional Committee Cold Key	4	See CIP-0105
Constitutional Committee Hot Key	5	See CIP-0105

when exporting hw signing files from a ledger on fw v1.1.2 and cardano-app v7.1.2 using e.g. the above logic to get DRep keys, it fails, because of _"Details: DeviceStatusError: Action rejected by Ledger's security policy"_

cardano-hw-cli address key-gen \
--path 1854H/1815H/0H/3/0 \
--verification-key-file cc_hot_threshold1.vkey \
--hw-signing-file cc_hot_threshold1.hwsfile

Ledger's security policy seems to reject roles different from 0, 1, 2 . I'm not sure if "Ledger's security policy" is global within the Ledger fw, or if this is solvable through the Ledger Cardano App. If the latter is the case, then this issue belongs to elsewhere, but if its the former, it could get very tricky.. Dont think Ledger would loosen this policy for Cardano Governance alone..

Havent tested with Trezor, or with other HW wallets.

[gitmachtl]

@ptrdsh

--path 1854H/1815H/0H/3/0 \ is the wrong path

this works fine in my scripts:
${cardanohwcli} address key-gen --path 1852H/1815H/${accNo}H/3/${idxNo} --verification-key-file ${drepName}.drep.vkey --hw-signing-file ${drepName}.drep.hwsfile

https://github.com/gitmachtl/scripts/blob/9511773838e8a7465296cd448d7d24c9fd4e2703/cardano/testnet/21a_genDRepKeys.sh#L275

[Crypto2099]

Is this still an issue or could it be closed?