• Updates and fixes to the PSBT interface, fix PSBT signing with core v20.1
• New functions to clone transactions and calculate txid
• Documentation updates
• Bug fixes

We're pleased to announce the 0.9.1 release of c-lightning, named by Jon Griffiths.

This is a significant release with major bugfixes to multi-part payments and various notable speedups and improvements across the board.

Did you know: c-lightning deprecates features with 6 months warning, and you can set allow-deprecated-apis=false to test?

Highlights for Users

• The sending of multi-part payments has seen a lot of work, covering more corner cases and generally becoming much more robust.
• New official plugins create commands multiwithdraw and multifundchannel to easily produce a single transaction which does more than one thing; these use the PSBT plumbing created for v0.9.0.
• We produce far less log spam when log-level is set to debug, so if you've avoided setting that before, I recommend trying now.
• Startup checks that bitcoind is the correct version, and relays transactions
• Builtin plugins are now nominated as important, and you can nominate others as important too. The daemon will stop if these fail.
• You can now build a postgres-only installation, without sqlite3.

Highlights for the Network

• Our invoices now supply more than one routehint if we think you'll need to use multi-part-payments.
• We prune channels which are not updated in both directions every 2 weeks.
• Our default CTLV expiry has increased to 34 blocks, or 18 if we're the final node, as per updated specification recommendations (https://github.com/lightningnetwork/lightning-rfc/pull/785)

Highlights for Developers

• PSBT APIs fleshed out with utxopsbt and locktime arguments.
• Plugins can easily mark commands and options deprecated.
• The new channel_state_changed notification lets plugins easily track channel behavior.

More details can be found at https://github.com/ElementsProject/lightning/blob/v0.9.1/CHANGELOG.md

Thanks to everyone for their contributions and bug reports; please keep them coming.

Since 0.9.0, we've had 391 commits commits from 15 different authors. A special thanks goes to the 3 first time contributors:

• Matt Whitlock @whitslack
• Sergi Delgado Segura @sr-gi
• Moller40 @Moller40

Cheers, Christian, Rusty, ZmnSCPxj, and Lisa

Upgrade ERC20.

diff: https://github.com/LedgerHQ/ledger-live-common/commit/51f5b744bbff3df8d7e4ebb8a0ad6237139d0ab0

• LL-682: bitcoin operation details only display the "TO" that concerns the account
• bump axios version
• fix issue where -rc version in app would break our logic
• Update ASA list and minimal Algorand version required

WIP

• swap alpha feedbacks.
  • Bring back ratesTimestamp to logic.js, improve amount/useallamount logic.
  • Dont reset the amount on currency/account change
  • Use non-raw values for the device action for LLM compatibility

• Update flowtype
• minor ledgerjs bump https://github.com/LedgerHQ/ledgerjs/releases/tag/v5.23.1

• Swap - update minimum app versions for exchange

• #867 Fixes ETH gasLimit of regular ETH send to be 21000 and not amplified by 2
• #868 use production swap keys
• #866 Stellar: Remove recommended memo

• https://github.com/LedgerHQ/ledger-live-common/pull/863 new bakers
• swap type fixes
• Ethereum bug on the max spendable given by estimate max spendable when the contextual transaction is not having a recipient.

• ERC20 list update: added XAMP, APIX, ARCA, AWX, AWG, BOLT (token update), BZRX, VBZRX, CRE, CTT, CRV, DVC, EWTB, FNT, IGP, LIT, LBXC, NIAX, STAKE, SUSD (token update), TUSD (token update), TRIX, SWAP, YFI, YFII
• LL-3041 Fix send amount
• LL-3036 ETH bridge tx status error lag issue
• swap minimal version for apps
• minor libs bump (lodash, rxjs,..)

• Algorand fixes
• swap progress
• change currency display format (#816)
• tron fix: send to trc20
• #842 add new format to firmware hash
• (ETH): transaction status bridge patch to ensure not enough balance is always triggered when needed
• (ETH): transaction sttus bridge add specific NotEnoughBalanceInParentAccount condition

🎊 New features

• Added support for Algorand (ALGO) assets directly in Ledger Live!
• Manage your Algorand accounts, send, receive ALGO, and earn rewards!
• Coin Control support for Bitcoin and Bitcoin-based assets in the send flow.
• Full Bitcoin Cash CashAddr support, now used for receiving addresses and in operation details.
  
• Improved crypto and fiat currency formatting.
• Added operation type in operation details (Send, Receive, Stake, etc.).
• Reformatted the identifier displayed during a firmware update to make it easier to verify.

🐛 Fixes

• Multiple UI bugs on Cosmos and Tron integration.
• Minor slider bug during gas limit selection.
• Fixed banner button and position.
• Fixed account name overflow in title bar breadcrumbs.

• Update libs https://github.com/LedgerHQ/ledgerjs/commit/dc95e195d9a359e5f6556f53d876862d61d62d9f
• (minor) Fixes flowtype of hw-app-btc

• ERC20 list update: added XAMP, APIX, ARCA, AWX, AWG, BOLT (token update), BZRX, VBZRX, CRE, CTT, CRV, DVC, EWTB, FNT, IGP, LIT, LBXC, NIAX, STAKE, SUSD (token update), TUSD (token update), TRIX, SWAP, YFI, YFII
• deps update (diff: https://github.com/LedgerHQ/ledgerjs/commit/e178c3d23fe90cb355e63ea27ffb140e4e71c8e8 )

This marks the first minor release in the v0.11.x series! This release contains no breaking changes, and no database migrations. Instead this release bundles a number of reliability improvements, some macaroon upgrades, and a change to make our version our anchor commitments spec compliant amongst several other chagnes.

Database Migrations

This release contains no database migrations.

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://keybase.io/roasbeef/pgp_keys.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest-v0.11.1-beta.rc3.txt and manifest-v0.11.1-beta.rc3.txt.sig are in the current directory) with:

gpg --verify manifest-v0.11.1-beta.rc3.txt.sig

You should see the following if the verification was successful:

gpg: assuming signed data in 'manifest-v0.11.1-beta.rc3.txt'
gpg: Signature made Tue Sep 15 19:13:32 2020 PDT
gpg:                using RSA key 4AB7F8DA6FAEBB3B70B1F903BC13F65E2DC84465
gpg: Good signature from &#34;Olaoluwa Osuntokun <laolu32@gmail.com>&#34; [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

Verifying the Release Timestamp

From this new version onwards, in addition time-stamping the git tag with OpenTimeStamps, we'll also now timestamp the manifest file along with its signature. Two new files are now included along with the rest of our release artifacts: manifest-v0.11.1-beta.txt.sig.ots and manifest-v0.11.1-beta.txt.ots.

Assuming you have the opentimestamps client installed locally, the timestamps can be verified with the following commands:

ots verify manifest-v0.11.1-beta.txt.ots
ots verify manifest-v0.11.1-beta.txt.sig.ots

These timestamps should give users confidence in the integrity of this release even after the key that signed the release expires.

Verifying the Release Binaries

Our release binaries are fully reproducible. Third parties are able to verify that the release binaries were produced properly without having to trust the release manager(s). See our reproducible builds guide for how this can be achieved. The release binaries are compiled with go1.14.7, which is required by verifiers to arrive at the same ones. They include the following build tags: autopilotrpc, signrpc, walletrpc, chainrpc, invoicesrpc, routerrpc, and watchtowerrpc. Note that these are already included in the release script, so they do not need to be provided.

The make release command can be used to ensure one rebuilds with all the same flags used for the release. If one wishes to build for only a single platform, then make release sys=<os-arch> tag=<tag> can be used.

Finally, you can also verify the tag itself with the following command:

$ git verify-tag v0.11.1-beta.rc3
gpg: Signature made Tue Sep 15 18:55:00 2020 PDT
gpg:                using RSA key 4AB7F8DA6FAEBB3B70B1F903BC13F65E2DC84465
gpg: Good signature from &#34;Olaoluwa Osuntokun <laolu32@gmail.com>&#34; [ultimate]

Building the Contained Release

Users are able to rebuild the target release themselves without having to fetch any of the dependencies. In order to do so, assuming that vendor.tar.gz and lnd-source-v0.11.1-beta.rc3.tar.gz are in the current directory, follow these steps:

tar -xvzf vendor.tar.gz
tar -xvzf lnd-source-v0.11.1-beta.rc3.tar.gz
GO111MODULE=on go install -v -mod=vendor -ldflags "-X github.com/lightningnetwork/lnd/build.Commit=v0.11.1-beta" ./cmd/lnd
GO111MODULE=on go install -v -mod=vendor -ldflags "-X github.com/lightningnetwork/lnd/build.Commit=v0.11.1-beta" ./cmd/lncli

The -mod=vendor flag tells the go build command that it doesn't need to fetch the dependencies, and instead, they're all enclosed in the local vendor directory.

Additionally, it's now possible to use the enclosed release.sh script to bundle a release for a specific system like so:

make release sys="linux-arm64 darwin-amd64"

⚡️⚡️⚡️ OK, now to the rest of the release notes! ⚡️⚡️⚡️

Release Notes (WIP)

Wumbo Soft Limit

lnd now has a soft-limit of 10 BTC for wumbo channels, when they're enabled. This limit can be reduced by specifying the new --maxchansize command line flag. This new flag allows node operators to better control their exposure to very large channels, while still allowing channels above the prior pre-wumbo limit.

Healthchecks

This release contains a new health checks subsystem which periodically runs a set of health checks and requests that lnd gracefully shutdown if the check fails. The following health checks are implemented: * Chain backend: lnd requires access to a bitcoin backend, and may be at risk of losing funds if it loses its connection to the chain. A health check which periodically queries the chain backend for the best block is added, and enabled by default. * Disk space: lnd needs disk space to update its database with operational data. A disk space health check which will request shutdown if available disk space falls below a threshold percentage has been added, but is disabled by default to ensure that this check does affect any existing deployments (particularly mobile).

Both of these checks are configurable, and the following options can be set in the healtcheck.chainbackend and healthcheck.diskspace config groups: * Interval: how often the check should be run * Attempts: the number of attempts we allow the check to fail before we request shutdown; this value can be set to 0 to disable a check. * Timeout: the amount of time we allow a check to take before failing it due to timeout * Backoff: the amount of time we backoff between failed checks

Anchor channels

The experimental anchor channel type introduced in lnd v0.10.0 has now been finalized in the BOLT spec, and this release makes the lnd implementation compatible with these changes. If you already have channels of the previous type you can still update. The only thing you must be aware is that cooperative close will fail until your channel party also update to a spec compliant implementation.

Note that this channel type still remains experimental.

Channel Configuration

A new flag has been added to allow node operators to limit the total number of HTLCs they'll allow to exist on "their side" of the commitment. In the future, we may lower this default in order to mitigate certain "fee siphoning" attacks that exist with high fee rates and a large number of HTLCs. Users can set this new value to control the value used for all newly created channels using the following flag: --default-remote-max-htlcs.

RPC Server

The WalletUnlocker proxy now exposes CORS options like the rest of the REST proxy.

A new flag has been added to lnd which allows TLS certs to be generated without leaking sensitive data such as certain IP address information.

The existing PSBT funding flow has been modified to accept a raw transaction during the Finalize step. This makes our workflow more compatible with certain wallets like Electrum. Additionally, our flow is now compatible with wallet's that have implemented mandatory measures to mitigate certain signing fault attacks.

Macaroons

Granular Method Macaroons

A series of new calls to enable granular macaroon access has landed in this new version. These new calls allow users to bake a macaroon with a specific method call URI. In other words, macaroons can now be created that only allow access to a specific set of RPC calls. As an example, it's now possible to create a macaroon that only lets a user obtain the current snapshot of the graph and nothing more.

A new local CLI command: lncli listpermissions, allows one to view all the current permissions available when baking a macaroon.

If we wanted to make a macaroon that only allowed access to GetInfo and `GetVersion, then we'd execute the following command:

lncli bakemacaroon uri:/lnrpc.Lightning/GetInfo uri:/verrpc.Versioner/GetVersion

A new CLI command lncli printmacaroon has also been added that shows what permissions an already baked macaroon contains.

For more information on this new feature, check out the updated set of docs on macaroons.

Custom Macaroon Validators

When initializing lnd, it's now possible to register a custom macaroon validator for a sub-server. This allows certain components to be unbundled, yet still retain lnd's primary RPC server interface for macaroon validation.

Bug Fixes

A bug has been fixed that would at times cause lnd to crash due to an edge case in the logic within the ChainNotifier sub-server.

A bug has been fixed in the routerrpc server that would previously cause it to crash when given bad input.

The full list of changes since v0.11.0-beta can be found here:

• https://github.com/lightningnetwork/lnd/compare/v0.11.0-beta...v0.11.1-beta.rc3

Contributors (Alphabetical Order)

Carla Kirk-Cohen Calvin Zachman Conner Fromknecht Graham Krizek Johan T. Halseth Olaoluwa Osuntokun Oliver Gugger Wilmer Paulino /laolu32@gmail.com/laolu32@gmail.com

This marks the first minor release in the v0.11.x series! This release contains no breaking changes, and no database migrations. Instead this release bundles a number of reliability improvements, some macaroon upgrades, and a change to make our version our anchor commitments spec compliant amongst several other chagnes.

Database Migrations

This release contains no database migrations.

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://keybase.io/roasbeef/pgp_keys.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest-v0.11.1-beta.rc2.txt and manifest-v0.11.1-beta.rc2.txt.sig are in the current directory) with:

gpg --verify manifest-v0.11.1-beta.rc2.txt.sig

You should see the following if the verification was successful:

gpg: assuming signed data in 'manifest-v0.11.1-beta.rc2.txt'
gpg: Signature made Tue Sep 15 19:13:32 2020 PDT
gpg:                using RSA key 4AB7F8DA6FAEBB3B70B1F903BC13F65E2DC84465
gpg: Good signature from &#34;Olaoluwa Osuntokun <laolu32@gmail.com>&#34; [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

Verifying the Release Timestamp

From this new version onwards, in addition time-stamping the git tag with OpenTimeStamps, we'll also now timestamp the manifest file along with its signature. Two new files are now included along with the rest of our release artifacts: manifest-v0.11.1-beta.txt.sig.ots and manifest-v0.11.1-beta.txt.ots.

Assuming you have the opentimestamps client installed locally, the timestamps can be verified with the following commands:

ots verify manifest-v0.11.1-beta.txt.ots
ots verify manifest-v0.11.1-beta.txt.sig.ots

These timestamps should give users confidence in the integrity of this release even after the key that signed the release expires.

Verifying the Release Binaries

Our release binaries are fully reproducible. Third parties are able to verify that the release binaries were produced properly without having to trust the release manager(s). See our reproducible builds guide for how this can be achieved. The release binaries are compiled with go1.14.7, which is required by verifiers to arrive at the same ones. They include the following build tags: autopilotrpc, signrpc, walletrpc, chainrpc, invoicesrpc, routerrpc, and watchtowerrpc. Note that these are already included in the release script, so they do not need to be provided.

The make release command can be used to ensure one rebuilds with all the same flags used for the release. If one wishes to build for only a single platform, then make release sys=<os-arch> tag=<tag> can be used.

Finally, you can also verify the tag itself with the following command:

$ git verify-tag v0.11.1-beta.rc2
gpg: Signature made Tue Sep 15 18:55:00 2020 PDT
gpg:                using RSA key 4AB7F8DA6FAEBB3B70B1F903BC13F65E2DC84465
gpg: Good signature from &#34;Olaoluwa Osuntokun <laolu32@gmail.com>&#34; [ultimate]

Building the Contained Release

Users are able to rebuild the target release themselves without having to fetch any of the dependencies. In order to do so, assuming that vendor.tar.gz and lnd-source-v0.11.1-beta.rc2.tar.gz are in the current directory, follow these steps:

tar -xvzf vendor.tar.gz
tar -xvzf lnd-source-v0.11.1-beta.rc2.tar.gz
GO111MODULE=on go install -v -mod=vendor -ldflags "-X github.com/lightningnetwork/lnd/build.Commit=v0.11.1-beta" ./cmd/lnd
GO111MODULE=on go install -v -mod=vendor -ldflags "-X github.com/lightningnetwork/lnd/build.Commit=v0.11.1-beta" ./cmd/lncli

The -mod=vendor flag tells the go build command that it doesn't need to fetch the dependencies, and instead, they're all enclosed in the local vendor directory.

Additionally, it's now possible to use the enclosed release.sh script to bundle a release for a specific system like so:

make release sys="linux-arm64 darwin-amd64"

⚡️⚡️⚡️ OK, now to the rest of the release notes! ⚡️⚡️⚡️

Release Notes (WIP)

Wumbo Soft Limit

lnd now has a soft-limit of 10 BTC for wumbo channels, when they're enabled. This limit can be reduced by specifying the new --maxchansize command line flag. This new flag allows node operators to better control their exposure to very large channels, while still allowing channels above the prior pre-wumbo limit.

Healthchecks

This release contains a new health checks subsystem which periodically runs a set of health checks and requests that lnd gracefully shutdown if the check fails. The following health checks are implemented: * Chain backend: lnd requires access to a bitcoin backend, and may be at risk of losing funds if it loses its connection to the chain. A health check which periodically queries the chain backend for the best block is added, and enabled by default. * Disk space: lnd needs disk space to update its database with operational data. A disk space health check which will request shutdown if available disk space falls below a threshold percentage has been added, but is disabled by default to ensure that this check does affect any existing deployments (particularly mobile).

Both of these checks are configurable, and the following options can be set in the healtcheck.chainbackend and healthcheck.diskspace config groups: * Interval: how often the check should be run * Attempts: the number of attempts we allow the check to fail before we request shutdown; this value can be set to 0 to disable a check. * Timeout: the amount of time we allow a check to take before failing it due to timeout * Backoff: the amount of time we backoff between failed checks

Anchor channels

The experimental anchor channel type introduced in lnd v0.10.0 has now been finalized in the BOLT spec, and this release makes the lnd implementation compatible with these changes. If you already have channels of the previous type you can still update. The only thing you must be aware is that cooperative close will fail until your channel party also update to a spec compliant implementation.

Note that this channel type still remains experimental.

Channel Configuration

A new flag has been added to allow node operators to limit the total number of HTLCs they'll allow to exist on "their side" of the commitment. In the future, we may lower this default in order to mitigate certain "fee siphoning" attacks that exist with high fee rates and a large number of HTLCs. Users can set this new value to control the value used for all newly created channels using the following flag: --default-remote-max-htlcs.

RPC Server

The WalletUnlocker proxy now exposes CORs options like the rest of the REST proxy.

Macaroons

Granular Method Macaroons

A series of new calls to enable granular macaroon access has landed in this new version. These new calls allow users to bake a macaroon with a specific method call URI. In other words, macaroons can now be created that only allow access to a specific set of RPC calls. As an example, it's now possible to create a macaroon that only lets a user obtain the current snapshot of the graph and nothing more.

A new local CLI command: lncli listpermissions, allows one to view all the current permissions available when baking a macaroon.

If we wanted to make a macaroon that only allowed access to GetInfo and `GetVersion, then we'd execute the following command:

lncli bakemacaroon uri:/lnrpc.Lightning/GetInfo uri:/verrpc.Versioner/GetVersion

For more information on this new feature, check out the updated set of docs on macaroons.

Custom Macaroon Validators

When initializing lnd, it's now possible to register a custom macaroon validator for a sub-server. This allows certain components to be unbundled, yet still retain lnd's primary RPC server interface for macaroon validation.

Bug Fixes

A bug has been fixed that would at times cause lnd to crash due to an edge case in the logic within the ChainNotifier sub-server.

A bug has been fixed in the routerrpc server that would previously cause it to crash when given bad input.

The full list of changes since v0.11.0-beta can be found here:

• https://github.com/lightningnetwork/lnd/compare/v0.11.0-beta...v0.11.1-beta.rc2

Contributors (Alphabetical Order)

Carla Kirk-Cohen Calvin Zachman Conner Fromknecht Graham Krizek Johan T. Halseth Olaoluwa Osuntokun Oliver Gugger Wilmer Paulino /laolu32@gmail.com/laolu32@gmail.com