lnwallet: obtain+verify aux sigs for all second level HTLCs

In this commit, we start to use the new AuxSigner to obtain+verify aux sigs for all second level HTLCs. This is similar to the existing SigPool, but we'll only attempt to do this if the AuxSigner is present (won't be for most channels).
2025-03-26 01:33:02 +01:00 · 2024-04-08 19:48:36 -07:00 · 2024-04-08 19:48:36 -07:00 · c0c511c686
commit c0c511c686
parent e9e10cc32f
12 changed files with 181 additions and 36 deletions
--- a/chainreg/chainregistry.go
+++ b/chainreg/chainregistry.go
@ -68,6 +68,10 @@ type Config struct {
 	// leaves for certain custom channel types.
 	AuxLeafStore fn.Option[lnwallet.AuxLeafStore]

+	// AuxSigner is an optional signer that can be used to sign auxiliary
+	// leaves for certain custom channel types.
+	AuxSigner fn.Option[lnwallet.AuxSigner]
+
 	// BlockCache is the main cache for storing block information.
 	BlockCache *blockcache.BlockCache

--- a/config_builder.go
+++ b/config_builder.go
@ -165,10 +165,14 @@ type AuxComponents struct {
 	MsgRouter fn.Option[protofsm.MsgRouter]

 	// AuxFundingController is an optional controller that can be used to
-	// modify the way we handle certain custom chanenl types. It's also
+	// modify the way we handle certain custom channel types. It's also
 	// able to automatically handle new custom protocol messages related to
 	// the funding process.
 	AuxFundingController fn.Option[funding.AuxFundingController]
+
+	// AuxSigner is an optional signer that can be used to sign auxiliary
+	// leaves for certain custom channel types.
+	AuxSigner fn.Option[lnwallet.AuxSigner]
 }

 // DefaultWalletImpl is the default implementation of our normal, btcwallet
@ -575,6 +579,7 @@ func (d *DefaultWalletImpl) BuildWalletConfig(ctx context.Context,
 		ChanStateDB:                 dbs.ChanStateDB.ChannelStateDB(),
 		NeutrinoCS:                  neutrinoCS,
 		AuxLeafStore:                aux.AuxLeafStore,
+		AuxSigner:                   aux.AuxSigner,
 		ActiveNetParams:             d.cfg.ActiveNetParams,
 		FeeURL:                      d.cfg.FeeURL,
 		Dialer: func(addr string) (net.Conn, error) {
@ -727,6 +732,7 @@ func (d *DefaultWalletImpl) BuildChainControl(
 		NetParams:             *walletConfig.NetParams,
 		CoinSelectionStrategy: walletConfig.CoinSelectionStrategy,
 		AuxLeafStore:          partialChainControl.Cfg.AuxLeafStore,
+		AuxSigner:             partialChainControl.Cfg.AuxSigner,
 	}

 	// The broadcast is already always active for neutrino nodes, so we
@ -906,10 +912,6 @@ type DatabaseInstances struct {
 	// for native SQL queries for tables that already support it. This may
 	// be nil if the use-native-sql flag was not set.
 	NativeSQLStore *sqldb.BaseDB
-
-	// AuxLeafStore is an optional data source that can be used by custom
-	// channels to fetch+store various data.
-	AuxLeafStore fn.Option[lnwallet.AuxLeafStore]
 }

 // DefaultDatabaseBuilder is a type that builds the default database backends
--- a/contractcourt/chain_arbitrator.go
+++ b/contractcourt/chain_arbitrator.go
@ -221,6 +221,10 @@ type ChainArbitratorConfig struct {
 	// AuxLeafStore is an optional store that can be used to store auxiliary
 	// leaves for certain custom channel types.
 	AuxLeafStore fn.Option[lnwallet.AuxLeafStore]
+
+	// AuxSigner is an optional signer that can be used to sign auxiliary
+	// leaves for certain custom channel types.
+	AuxSigner fn.Option[lnwallet.AuxSigner]
 }

 // ChainArbitrator is a sub-system that oversees the on-chain resolution of all
@ -307,6 +311,9 @@ func (a *arbChannel) NewAnchorResolutions() (*lnwallet.AnchorResolutions,
 	a.c.cfg.AuxLeafStore.WhenSome(func(s lnwallet.AuxLeafStore) {
 		chanOpts = append(chanOpts, lnwallet.WithLeafStore(s))
 	})
+	a.c.cfg.AuxSigner.WhenSome(func(s lnwallet.AuxSigner) {
+		chanOpts = append(chanOpts, lnwallet.WithAuxSigner(s))
+	})

 	chanMachine, err := lnwallet.NewLightningChannel(
 		a.c.cfg.Signer, channel, nil, chanOpts...,
@ -357,6 +364,9 @@ func (a *arbChannel) ForceCloseChan() (*lnwallet.LocalForceCloseSummary, error)
 	a.c.cfg.AuxLeafStore.WhenSome(func(s lnwallet.AuxLeafStore) {
 		chanOpts = append(chanOpts, lnwallet.WithLeafStore(s))
 	})
+	a.c.cfg.AuxSigner.WhenSome(func(s lnwallet.AuxSigner) {
+		chanOpts = append(chanOpts, lnwallet.WithAuxSigner(s))
+	})

 	// Finally, we'll force close the channel completing
 	// the force close workflow.
--- a/funding/manager.go
+++ b/funding/manager.go
@ -548,6 +548,10 @@ type Config struct {
 	// able to automatically handle new custom protocol messages related to
 	// the funding process.
 	AuxFundingController fn.Option[AuxFundingController]
+
+	// AuxSigner is an optional signer that can be used to sign auxiliary
+	// leaves for certain custom channel types.
+	AuxSigner fn.Option[lnwallet.AuxSigner]
 }

 // Manager acts as an orchestrator/bridge between the wallet's
@ -1077,6 +1081,9 @@ func (f *Manager) advanceFundingState(channel *channeldb.OpenChannel,
 	f.cfg.AuxLeafStore.WhenSome(func(s lnwallet.AuxLeafStore) {
 		chanOpts = append(chanOpts, lnwallet.WithLeafStore(s))
 	})
+	f.cfg.AuxSigner.WhenSome(func(s lnwallet.AuxSigner) {
+		chanOpts = append(chanOpts, lnwallet.WithAuxSigner(s))
+	})

 	// We create the state-machine object which wraps the database state.
 	lnChannel, err := lnwallet.NewLightningChannel(
--- a/htlcswitch/link.go
+++ b/htlcswitch/link.go
@ -2554,6 +2554,7 @@ func (l *channelLink) updateCommitTx() error {
 		CommitSig:  newCommit.CommitSig,
 		HtlcSigs:   newCommit.HtlcSigs,
 		PartialSig: newCommit.PartialSig,
+		ExtraData:  newCommit.AuxSigBlob,
 	}
 	l.cfg.Peer.SendMessage(false, commitSig)

--- a/lnwallet/aux_signer.go
+++ b/lnwallet/aux_signer.go
@ -77,6 +77,9 @@ type AuxSigJobResp struct {
 	// blob
 	SigBlob fn.Option[tlv.Blob]

+	// HtlcIndex is the index of the HTLC that was signed.
+	HtlcIndex uint64
+
 	// Err is the error that occurred when executing the specified
 	// signature job. In the case that no error occurred, this value will
 	// be nil.
--- a/lnwallet/channel.go
+++ b/lnwallet/channel.go
@ -3580,7 +3580,7 @@ func processFeeUpdate(feeUpdate *PaymentDescriptor, nextHeight uint64,
 func genRemoteHtlcSigJobs(keyRing *CommitmentKeyRing,
 	chanState *channeldb.OpenChannel, leaseExpiry uint32,
 	remoteCommitView *commitment,
-	leafStore fn.Option[AuxLeafStore]) ([]SignJob, chan struct{}, error) {
+	leafStore fn.Option[AuxLeafStore]) ([]SignJob, []AuxSigJob, chan struct{}, error) {

 	var (
 		isRemoteInitiator = !chanState.IsInitiator
@ -3597,9 +3597,10 @@ func genRemoteHtlcSigJobs(keyRing *CommitmentKeyRing,
 	// With the keys generated, we'll make a slice with enough capacity to
 	// hold potentially all the HTLCs. The actual slice may be a bit
 	// smaller (than its total capacity) and some HTLCs may be dust.
-	numSigs := (len(remoteCommitView.incomingHTLCs) +
-		len(remoteCommitView.outgoingHTLCs))
+	numSigs := len(remoteCommitView.incomingHTLCs) +
+		len(remoteCommitView.outgoingHTLCs)
 	sigBatch := make([]SignJob, 0, numSigs)
+	auxSigBatch := make([]AuxSigJob, 0, numSigs)

 	var err error
 	cancelChan := make(chan struct{})
@ -3609,7 +3610,7 @@ func genRemoteHtlcSigJobs(keyRing *CommitmentKeyRing,
 		*keyRing,
 	)
 	if err != nil {
-		return nil, nil, fmt.Errorf("unable to fetch aux leaves: "+
+		return nil, nil, nil, fmt.Errorf("unable to fetch aux leaves: "+
 			"%w", err)
 	}

@ -3660,11 +3661,9 @@ func genRemoteHtlcSigJobs(keyRing *CommitmentKeyRing,
 			fn.FlattenOption(auxLeaf),
 		)
 		if err != nil {
-			return nil, nil, err
+			return nil, nil, nil, err
 		}

-		// TODO(roasbeef): hook up signer interface here
-
 		// Construct a full hash cache as we may be signing a segwit v1
 		// sighash.
 		txOut := remoteCommitView.txn.TxOut[htlc.remoteOutputIndex]
@ -3696,6 +3695,12 @@ func genRemoteHtlcSigJobs(keyRing *CommitmentKeyRing,
 		}

 		sigBatch = append(sigBatch, sigJob)
+
+		auxSigJob := NewAuxSigJob(
+			sigJob, *keyRing, htlc, remoteCommitView.customBlob,
+			fn.FlattenOption(auxLeaf), cancelChan,
+		)
+		auxSigBatch = append(auxSigBatch, auxSigJob)
 	}
 	for _, htlc := range remoteCommitView.outgoingHTLCs {
 		if HtlcIsDust(
@ -3740,7 +3745,7 @@ func genRemoteHtlcSigJobs(keyRing *CommitmentKeyRing,
 			fn.FlattenOption(auxLeaf),
 		)
 		if err != nil {
-			return nil, nil, err
+			return nil, nil, nil, err
 		}

 		// Construct a full hash cache as we may be signing a segwit v1
@ -3773,9 +3778,15 @@ func genRemoteHtlcSigJobs(keyRing *CommitmentKeyRing,
 		}

 		sigBatch = append(sigBatch, sigJob)
+
+		auxSigJob := NewAuxSigJob(
+			sigJob, *keyRing, htlc, remoteCommitView.customBlob,
+			fn.FlattenOption(auxLeaf), cancelChan,
+		)
+		auxSigBatch = append(auxSigBatch, auxSigJob)
 	}

-	return sigBatch, cancelChan, nil
+	return sigBatch, auxSigBatch, cancelChan, nil
 }

 // createCommitDiff will create a commit diff given a new pending commitment
@ -3784,7 +3795,8 @@ func genRemoteHtlcSigJobs(keyRing *CommitmentKeyRing,
 // new commitment to the remote party. The commit diff returned contains all
 // information necessary for retransmission.
 func (lc *LightningChannel) createCommitDiff(newCommit *commitment,
-	commitSig lnwire.Sig, htlcSigs []lnwire.Sig) (*channeldb.CommitDiff,
+	commitSig lnwire.Sig, htlcSigs []lnwire.Sig,
+	auxSigs map[input.HtlcIndex]fn.Option[tlv.Blob]) (*channeldb.CommitDiff,
 	error) {

 	// First, we need to convert the funding outpoint into the ID that's
@ -3908,6 +3920,11 @@ func (lc *LightningChannel) createCommitDiff(newCommit *commitment,
 	// disk.
 	diskCommit := newCommit.toDiskCommit(false)

+	auxSigBlob, err := packSigs(auxSigs, lc.auxSigner)
+	if err != nil {
+		return nil, fmt.Errorf("error packing aux sigs: %w", err)
+	}
+
 	return &channeldb.CommitDiff{
 		Commitment: *diskCommit,
 		CommitSig: &lnwire.CommitSig{
@ -3916,6 +3933,7 @@ func (lc *LightningChannel) createCommitDiff(newCommit *commitment,
 			),
 			CommitSig: commitSig,
 			HtlcSigs:  htlcSigs,
+			ExtraData: auxSigBlob,
 		},
 		LogUpdates:        logUpdates,
 		OpenedCircuitKeys: openCircuitKeys,
@ -4365,6 +4383,10 @@ type CommitSigs struct {
 	// PartialSig is the musig2 partial signature for taproot commitment
 	// transactions.
 	PartialSig lnwire.OptPartialSigWithNonceTLV
+
+	// AuxSigBlob is the blob containing all the auxiliary signatures for
+	// this new commitment state.
+	AuxSigBlob tlv.Blob
 }

 // NewCommitState wraps the various signatures needed to properly
@ -4483,7 +4505,7 @@ func (lc *LightningChannel) SignNextCommitment() (*NewCommitState, error) {
 	if lc.channelState.ChanType.HasLeaseExpiration() {
 		leaseExpiry = lc.channelState.ThawHeight
 	}
-	sigBatch, cancelChan, err := genRemoteHtlcSigJobs(
+	sigBatch, auxSigBatch, cancelChan, err := genRemoteHtlcSigJobs(
 		keyRing, lc.channelState, leaseExpiry, newCommitView,
 		lc.leafStore,
 	)
@ -4492,6 +4514,16 @@ func (lc *LightningChannel) SignNextCommitment() (*NewCommitState, error) {
 	}
 	lc.sigPool.SubmitSignBatch(sigBatch)

+	err = fn.MapOptionZ(lc.auxSigner, func(a AuxSigner) error {
+		return a.SubmitSecondLevelSigBatch(
+			lc.channelState, newCommitView.txn, auxSigBatch,
+		)
+	})
+	if err != nil {
+		return nil, fmt.Errorf("error submitting second level sig "+
+			"batch: %w", err)
+	}
+
 	// While the jobs are being carried out, we'll Sign their version of
 	// the new commitment transaction while we're waiting for the rest of
 	// the HTLC signatures to be processed.
@ -4535,11 +4567,18 @@ func (lc *LightningChannel) SignNextCommitment() (*NewCommitState, error) {
 	sort.Slice(sigBatch, func(i, j int) bool {
 		return sigBatch[i].OutputIndex < sigBatch[j].OutputIndex
 	})
+	sort.Slice(auxSigBatch, func(i, j int) bool {
+		return auxSigBatch[i].OutputIndex < auxSigBatch[j].OutputIndex
+	})

 	// With the jobs sorted, we'll now iterate through all the responses to
 	// gather each of the signatures in order.
 	htlcSigs = make([]lnwire.Sig, 0, len(sigBatch))
-	for _, htlcSigJob := range sigBatch {
+	auxSigs := make(
+		map[input.HtlcIndex]fn.Option[tlv.Blob], len(auxSigBatch),
+	)
+	for i := range sigBatch {
+		htlcSigJob := sigBatch[i]
 		jobResp := <-htlcSigJob.Resp

 		// If an error occurred, then we'll cancel any other active
@ -4550,12 +4589,30 @@ func (lc *LightningChannel) SignNextCommitment() (*NewCommitState, error) {
 		}

 		htlcSigs = append(htlcSigs, jobResp.Sig)
+
+		if lc.auxSigner.IsNone() {
+			continue
+		}
+
+		auxHtlcSigJob := auxSigBatch[i]
+		auxJobResp := <-auxHtlcSigJob.Resp
+
+		// If an error occurred, then we'll cancel any other active
+		// jobs.
+		if auxJobResp.Err != nil {
+			close(cancelChan)
+			return nil, auxJobResp.Err
+		}
+
+		auxSigs[auxJobResp.HtlcIndex] = auxJobResp.SigBlob
 	}

 	// As we're about to proposer a new commitment state for the remote
 	// party, we'll write this pending state to disk before we exit, so we
 	// can retransmit it if necessary.
-	commitDiff, err := lc.createCommitDiff(newCommitView, sig, htlcSigs)
+	commitDiff, err := lc.createCommitDiff(
+		newCommitView, sig, htlcSigs, auxSigs,
+	)
 	if err != nil {
 		return nil, err
 	}
@ -4577,6 +4634,7 @@ func (lc *LightningChannel) SignNextCommitment() (*NewCommitState, error) {
 			CommitSig:  sig,
 			HtlcSigs:   htlcSigs,
 			PartialSig: lnwire.MaybePartialSigWithNonce(partialSig),
+			AuxSigBlob: commitDiff.CommitSig.ExtraData,
 		},
 		PendingHTLCs: commitDiff.Commitment.Htlcs,
 	}, nil
@ -5054,7 +5112,8 @@ func (lc *LightningChannel) computeView(view *HtlcView, remoteChain bool,
 func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,
 	localCommitmentView *commitment, keyRing *CommitmentKeyRing,
 	htlcSigs []lnwire.Sig, leaseExpiry uint32,
-	leafStore fn.Option[AuxLeafStore]) ([]VerifyJob, error) {
+	leafStore fn.Option[AuxLeafStore], auxSigner fn.Option[AuxSigner],
+	sigBlob fn.Option[tlv.Blob]) ([]VerifyJob, []AuxVerifyJob, error) {

 	var (
 		isLocalInitiator = chanState.IsInitiator
@ -5073,13 +5132,22 @@ func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,
 	numHtlcs := (len(localCommitmentView.incomingHTLCs) +
 		len(localCommitmentView.outgoingHTLCs))
 	verifyJobs := make([]VerifyJob, 0, numHtlcs)
+	auxVerifyJobs := make([]AuxVerifyJob, 0, numHtlcs)

 	auxLeaves, err := AuxLeavesFromCommit(
 		chanState, *localCommitmentView.toDiskCommit(true), leafStore,
 		*keyRing,
 	)
 	if err != nil {
-		return nil, fmt.Errorf("unable to fetch aux leaves: %w",
+		return nil, nil, fmt.Errorf("unable to fetch aux leaves: %w",
+			err)
+	}
+
+	// If we have a sig blob, then we'll attempt to map that to individual
+	// blobs for each HTLC we might need a signature for.
+	auxHtlcSigs, err := unpackSigs(sigBlob, auxSigner)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error unpacking aux sigs: %w",
 			err)
 	}

@ -5093,6 +5161,8 @@ func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,
 			htlcIndex uint64
 			sigHash   func() ([]byte, error)
 			sig       input.Signature
+			htlc      *PaymentDescriptor
+			auxLeaf   input.AuxTapLeaf
 			err       error
 		)

@ -5103,7 +5173,7 @@ func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,
 		// index, then this means that we need to generate an HTLC
 		// success transaction in order to validate the signature.
 		case localCommitmentView.incomingHTLCIndex[outputIndex] != nil:
-			htlc := localCommitmentView.incomingHTLCIndex[outputIndex]
+			htlc = localCommitmentView.incomingHTLCIndex[outputIndex]

 			htlcIndex = htlc.HtlcIndex

@ -5116,20 +5186,20 @@ func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,
 				htlcFee := HtlcSuccessFee(chanType, feePerKw)
 				outputAmt := htlc.Amount.ToSatoshis() - htlcFee

-				auxLeaf := fn.MapOption(func(
+				leaf := fn.MapOption(func(
 					l CommitAuxLeaves) input.AuxTapLeaf {

 					leaves := l.IncomingHtlcLeaves
 					idx := htlc.HtlcIndex
 					return leaves[idx].SecondLevelLeaf
 				})(auxLeaves)
+				auxLeaf = fn.FlattenOption(leaf)

 				successTx, err := CreateHtlcSuccessTx(
 					chanType, isLocalInitiator, op,
 					outputAmt, uint32(localChanCfg.CsvDelay),
 					leaseExpiry, keyRing.RevocationKey,
-					keyRing.ToLocalKey,
-					fn.FlattenOption(auxLeaf),
+					keyRing.ToLocalKey, auxLeaf,
 				)
 				if err != nil {
 					return nil, err
@ -5172,7 +5242,7 @@ func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,

 			// Make sure there are more signatures left.
 			if i >= len(htlcSigs) {
-				return nil, fmt.Errorf("not enough HTLC " +
+				return nil, nil, fmt.Errorf("not enough HTLC " +
 					"signatures")
 			}

@ -5188,7 +5258,7 @@ func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,
 			// is valid.
 			sig, err = htlcSigs[i].ToSignature()
 			if err != nil {
-				return nil, err
+				return nil, nil, err
 			}
 			htlc.sig = sig

@ -5196,7 +5266,7 @@ func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,
 		// generate a timeout transaction so we can verify the
 		// signature presented.
 		case localCommitmentView.outgoingHTLCIndex[outputIndex] != nil:
-			htlc := localCommitmentView.outgoingHTLCIndex[outputIndex]
+			htlc = localCommitmentView.outgoingHTLCIndex[outputIndex]

 			htlcIndex = htlc.HtlcIndex

@ -5209,21 +5279,21 @@ func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,
 				htlcFee := HtlcTimeoutFee(chanType, feePerKw)
 				outputAmt := htlc.Amount.ToSatoshis() - htlcFee

-				auxLeaf := fn.MapOption(func(
+				leaf := fn.MapOption(func(
 					l CommitAuxLeaves) input.AuxTapLeaf {

 					leaves := l.OutgoingHtlcLeaves
 					idx := htlc.HtlcIndex
 					return leaves[idx].SecondLevelLeaf
 				})(auxLeaves)
+				auxLeaf = fn.FlattenOption(leaf)

 				timeoutTx, err := CreateHtlcTimeoutTx(
 					chanType, isLocalInitiator, op,
 					outputAmt, htlc.Timeout,
 					uint32(localChanCfg.CsvDelay),
 					leaseExpiry, keyRing.RevocationKey,
-					keyRing.ToLocalKey,
-					fn.FlattenOption(auxLeaf),
+					keyRing.ToLocalKey, auxLeaf,
 				)
 				if err != nil {
 					return nil, err
@ -5268,7 +5338,7 @@ func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,

 			// Make sure there are more signatures left.
 			if i >= len(htlcSigs) {
-				return nil, fmt.Errorf("not enough HTLC " +
+				return nil, nil, fmt.Errorf("not enough HTLC " +
 					"signatures")
 			}

@ -5284,7 +5354,7 @@ func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,
 			// is valid.
 			sig, err = htlcSigs[i].ToSignature()
 			if err != nil {
-				return nil, err
+				return nil, nil, err
 			}

 			htlc.sig = sig
@ -5301,16 +5371,26 @@ func genHtlcSigValidationJobs(chanState *channeldb.OpenChannel,
 		})

 		i++
+
+		// TODO(roasbeef): meld aux six into tlv blob for htlc on disk?
+
+		auxSig := auxHtlcSigs[htlcIndex]
+		auxVerifyJob := NewAuxVerifyJob(
+			auxSig, *keyRing, *htlc,
+			localCommitmentView.customBlob, auxLeaf,
+		)
+
+		auxVerifyJobs = append(auxVerifyJobs, auxVerifyJob)
 	}

 	// If we received a number of HTLC signatures that doesn't match our
 	// commitment, we'll return an error now.
 	if len(htlcSigs) != i {
-		return nil, fmt.Errorf("number of htlc sig mismatch. "+
+		return nil, nil, fmt.Errorf("number of htlc sig mismatch. "+
 			"Expected %v sigs, got %v", i, len(htlcSigs))
 	}

-	return verifyJobs, nil
+	return verifyJobs, auxVerifyJobs, nil
 }

 // InvalidCommitSigError is a struct that implements the error interface to
@ -5472,6 +5552,11 @@ func (lc *LightningChannel) ReceiveNewCommitment(commitSigs *CommitSigs) error {
 		}),
 	)

+	var auxSigBlob fn.Option[tlv.Blob]
+	if commitSigs.AuxSigBlob != nil {
+		auxSigBlob = fn.Some(commitSigs.AuxSigBlob)
+	}
+
 	// As an optimization, we'll generate a series of jobs for the worker
 	// pool to verify each of the HTLC signatures presented. Once
 	// generated, we'll submit these jobs to the worker pool.
@ -5479,9 +5564,10 @@ func (lc *LightningChannel) ReceiveNewCommitment(commitSigs *CommitSigs) error {
 	if lc.channelState.ChanType.HasLeaseExpiration() {
 		leaseExpiry = lc.channelState.ThawHeight
 	}
-	verifyJobs, err := genHtlcSigValidationJobs(
+	verifyJobs, auxVerifyJobs, err := genHtlcSigValidationJobs(
 		lc.channelState, localCommitmentView, keyRing,
-		commitSigs.HtlcSigs, leaseExpiry, lc.leafStore,
+		commitSigs.HtlcSigs, leaseExpiry, lc.leafStore, lc.auxSigner,
+		auxSigBlob,
 	)
 	if err != nil {
 		return err
@ -5630,6 +5716,17 @@ func (lc *LightningChannel) ReceiveNewCommitment(commitSigs *CommitSigs) error {
 		}
 	}

+	// Now that we know all the normal sigs are valid, we'll also verify
+	// the aux jobs, if any exist.
+	err = fn.MapOptionZ(lc.auxSigner, func(a AuxSigner) error {
+		return a.VerifySecondLevelSigs(
+			lc.channelState, localCommitTx, auxVerifyJobs,
+		)
+	})
+	if err != nil {
+		return fmt.Errorf("unable to validate aux sigs: %w", err)
+	}
+
 	// The signature checks out, so we can now add the new commitment to
 	// our local commitment chain. For regular channels, we can just
 	// serialize the ECDSA sig. For taproot channels, we'll serialize the
--- a/lnwallet/config.go
+++ b/lnwallet/config.go
@ -67,4 +67,8 @@ type Config struct {
 	// AuxLeafStore is an optional store that can be used to store auxiliary
 	// leaves for certain custom channel types.
 	AuxLeafStore fn.Option[AuxLeafStore]
+
+	// AuxSigner is an optional signer that can be used to sign auxiliary
+	// leaves for certain custom channel types.
+	AuxSigner fn.Option[AuxSigner]
 }
--- a/lnwallet/sigpool.go
+++ b/lnwallet/sigpool.go
@ -43,6 +43,8 @@ type VerifyJob struct {

 	// HtlcIndex is the index of the HTLC from the PoV of the remote
 	// party's update log.
+	//
+	// TODO(roasbeef): remove -- never actually used?
 	HtlcIndex uint64

 	// Cancel is a channel that should be closed if the caller wishes to
--- a/lnwallet/wallet.go
+++ b/lnwallet/wallet.go
@ -2602,6 +2602,9 @@ func (l *LightningWallet) ValidateChannel(channelState *channeldb.OpenChannel,
 	l.Cfg.AuxLeafStore.WhenSome(func(s AuxLeafStore) {
 		chanOpts = append(chanOpts, WithLeafStore(s))
 	})
+	l.Cfg.AuxSigner.WhenSome(func(s AuxSigner) {
+		chanOpts = append(chanOpts, WithAuxSigner(s))
+	})

 	// First, we'll obtain a fully signed commitment transaction so we can
 	// pass into it on the chanvalidate package for verification.
--- a/peer/brontide.go
+++ b/peer/brontide.go
@ -364,6 +364,10 @@ type Config struct {
 	// leaves for certain custom channel types.
 	AuxLeafStore fn.Option[lnwallet.AuxLeafStore]

+	// AuxSigner is an optional signer that can be used to sign auxiliary
+	// leaves for certain custom channel types.
+	AuxSigner fn.Option[lnwallet.AuxSigner]
+
 	// PongBuf is a slice we'll reuse instead of allocating memory on the
 	// heap. Since only reads will occur and no writes, there is no need
 	// for any synchronization primitives. As a result, it's safe to share
@ -902,6 +906,9 @@ func (p *Brontide) loadActiveChannels(chans []*channeldb.OpenChannel) (
 		p.cfg.AuxLeafStore.WhenSome(func(s lnwallet.AuxLeafStore) {
 			chanOpts = append(chanOpts, lnwallet.WithLeafStore(s))
 		})
+		p.cfg.AuxSigner.WhenSome(func(s lnwallet.AuxSigner) {
+			chanOpts = append(chanOpts, lnwallet.WithAuxSigner(s))
+		})
 		lnChan, err := lnwallet.NewLightningChannel(
 			p.cfg.Signer, dbChan, p.cfg.SigPool, chanOpts...,
 		)
@ -4030,6 +4037,9 @@ func (p *Brontide) addActiveChannel(c *lnpeer.NewChannel) error {
 	p.cfg.AuxLeafStore.WhenSome(func(s lnwallet.AuxLeafStore) {
 		chanOpts = append(chanOpts, lnwallet.WithLeafStore(s))
 	})
+	p.cfg.AuxSigner.WhenSome(func(s lnwallet.AuxSigner) {
+		chanOpts = append(chanOpts, lnwallet.WithAuxSigner(s))
+	})

 	// If not already active, we'll add this channel to the set of active
 	// channels, so we can look it up later easily according to its channel
--- a/server.go
+++ b/server.go
@ -1249,6 +1249,7 @@ func newServer(cfg *Config, listenAddrs []net.Addr,
 			return &pc.Incoming
 		},
 		AuxLeafStore: implCfg.AuxLeafStore,
+		AuxSigner:    implCfg.AuxSigner,
 	}, dbs.ChanStateDB)

 	// Select the configuration and funding parameters for Bitcoin.
@ -3913,6 +3914,7 @@ func (s *server) peerConnected(conn net.Conn, connReq *connmgr.ConnReq,
 		DisallowRouteBlinding:  s.cfg.ProtocolOptions.NoRouteBlinding(),
 		Quit:                   s.quit,
 		AuxLeafStore:           s.implCfg.AuxLeafStore,
+		AuxSigner:              s.implCfg.AuxSigner,
 		MsgRouter:              s.implCfg.MsgRouter,
 	}