
Revisiting Trezor external inputs support

Open achow101 opened this issue 2 years ago • 1 comments

Currently we are able to sign transactions that contain external inputs through a hack of telling the Trezor to make a p2wpkh signature and then discarding the returned signature. This is not ideal as it results in the user going through signing prompts on their device when the signatures may then end up being discarded and nothing was actually signed. This hack may also cease to exist in the future, and it appears that it may not work with Taproot (the test that has the Taproot output mutated to be external does not pass).

Trezor does now support external inputs but such inputs need to be accompanied by a SLIP 19 ownership proof. I'm not sure that this is widely used, and there is no official PSBT field for them so HWI would also be unable to provide those proofs at signing time.

achow101, Nov 25 '21 01:11

The hack for adding external inputs described above is incorrect and indeed cannot work with Taproot. With the next release of Trezor firmware it will cease to work with all script types. There are three possible ways to correctly provide external inputs:

  1. Provide a SLIP 19 ownership proof for each external input. Works only in Trezor T.
  2. Provide a valid script_sig and/or witness for each external input that has already been signed by one of the other parties. Works only in Trezor T.
  3. Disable safety checks by setting the safety_checks field in the ApplySettings message to PromptTemporarily. Works in both Trezor models.

In each case the script_type for the external inputs is set to EXTERNAL and the script_pubkey field needs to be set to the scriptPubKey of the previous output that is being spent by the external input.

For more details see the Trezor documentation and earlier discussions here and here.

andrewkozlik, Mar 17 '22 09:03
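
An added example (not part of the thread, and not HWI or Trezor code) of how a PSBT signer could prepare the fields named in the comment above for one external input: it reads the scriptPubKey from the input's BIP 174 witness UTXO and picks whichever of the three options the available data and device model allow. Plain dicts stand in for the Trezor input message; the function names, the "T"/"1" model labels, the `amount` and `ownership_proof` keys and the sample bytes are assumptions or constructed here.

```python
import struct

def read_compact_size(buf, pos):
    """Decode a Bitcoin compact-size integer; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    width = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    raw = buf[pos + 1:pos + 1 + width]
    if len(raw) != width:
        raise ValueError("truncated compact size")
    return int.from_bytes(raw, "little"), pos + 1 + width

def parse_witness_utxo(data):
    """Split a serialized previous output (BIP 174 witness UTXO value)
    into (amount_in_satoshi, scriptPubKey)."""
    if len(data) < 9:
        raise ValueError("witness UTXO too short")
    (amount,) = struct.unpack_from("<q", data, 0)
    length, pos = read_compact_size(data, 8)
    script = data[pos:pos + length]
    if len(script) != length or pos + length != len(data):
        raise ValueError("scriptPubKey length does not match the data")
    return amount, script

def external_input_fields(witness_utxo, model, ownership_proof=None,
                          script_sig=None, witness=None):
    """Choose option 1, 2 or 3 from the comment for one external input.
    Returns (option, fields, needs_prompt_temporarily). `model` is "T" or "1"
    (hypothetical labels); nothing here validates the proof or signature."""
    amount, spk = parse_witness_utxo(witness_utxo)
    # Common to all three options: EXTERNAL type plus the spent output's script.
    fields = {"script_type": "EXTERNAL", "script_pubkey": spk, "amount": amount}
    if model == "T" and ownership_proof:
        fields["ownership_proof"] = ownership_proof  # option 1: SLIP 19 proof
        return 1, fields, False
    if model == "T" and (script_sig or witness):
        # option 2: signature data another party already produced
        fields.update({k: v for k, v in
                       (("script_sig", script_sig), ("witness", witness)) if v})
        return 2, fields, False
    # option 3: nothing for the device to check, so the caller must first set
    # safety_checks to PromptTemporarily via ApplySettings.
    return 3, fields, True

# Constructed sample: 50,000 sat output paying to a P2WPKH script with a zeroed hash.
SAMPLE_SPK = b"\x00\x14" + bytes(20)
SAMPLE_UTXO = struct.pack("<q", 50000) + bytes([len(SAMPLE_SPK)]) + SAMPLE_SPK
```

A caller would treat a `True` third return value as a reason to ask the user before relaxing safety checks, since in that case the device cannot verify anything about the external input.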