docs: Clarify various aspects of external-group-key.md and add specificity

[dstadulis]

To clarify the initialization requirements in d2bcf02#diff-fbf71c6773b80a460904ed011166dd8e71eb52ac13f614beb4488ad02f2ef720

The #1272 Pr should include

• Command/shell prompts which include a, demonstrative, hostname, which indicate which device
• Commands / actions necessary to broadcast the sealed minting transaction
• Signing environment considerations (ensure that CSRNGs have sufficient entropy seeding before generation)
  • or physical entropy-source recommendations
• If necessary, any bitcoin backend initialization requirements
• Any lnd / litd readiness requirements

[ZZiigguurraatt]

merging comments from #1281

• At

  taproot-assets/docs/external-group-key.md

  Line 91 in cabfd1d

  $ tapcli assets mint --type normal --name usdt --supply 500000000 --new_grouped_asset \

  it is unclear if this tapd instance is offline. It is implied that it should be, but under what conditions are bitcoind/lnd/tapd supposed to be started on the offline computer? If we are offline, do we need bitcoind or can we startup lnd with --lnd.bitcoin.node=nochainbackend ?
• At

  taproot-assets/docs/external-group-key.md

  Line 143 in cabfd1d

  Funding the batch means reserving a BTC on-chain output that will be used to

  it is unclear how we are reserving on chain BTC from an offline computer that has no UTXO set.

It is unclear how to use this workflow with these uncertainties.

[ZZiigguurraatt]

Also need clarity if we can run litd in integrated mode or if we need separate lnd+tapd instances?

[ZZiigguurraatt]

• It is implied that it should be, but under what conditions are bitcoind/lnd/tapd supposed to be started on the offline computer?

Context for this question comes from

taproot-assets/README.md

Line 59 in 8719b40

Run Taproot Assets with the command `tapd`. Specify how Taproot Assets can reach LND and what network to run Tapd with by passing it additional flags. The Bitcoin backend and LND need to be running and synced before the Taproot Assets daemon can be started.

.

[ZZiigguurraatt]

• At

  taproot-assets/docs/external-group-key.md

  Line 91 in cabfd1d

  $ tapcli assets mint --type normal --name usdt --supply 500000000 --new_grouped_asset \

  it is unclear if this tapd instance is offline. It is implied that it should be, but under what conditions are bitcoind/lnd/tapd supposed to be started on the offline computer? If we are offline, do we need bitcoind or can we startup lnd with --lnd.bitcoin.node=nochainbackend ?

Through trial and error I have discovered that either 1 block needs to be mined in bitcoind OR --lnd.bitcoin.node=nochainbackend must be set, otherwise tapd does not start up and there is no macaroon for tapcli to use.

[ZZiigguurraatt]

taproot-assets/docs/external-group-key.md

Lines 91 to 93 in e61d638

	$ tapcli assets mint --type normal --name usdt --supply 500000000 --new_grouped_asset \
	--group_key_xpub tpubDD2EgfmrtDs51w46DHDa87yiwiidEYC3ECXXyFp72ESAt5SV661R19kGAMiQMPm8No438YmW5yeYLKUJYuDByAkJvfxA13n2u79ZeDvryHb \
	--group_key_derivation_path "m/86'/1'/0'/0/0" --group_key_fingerprint 10608bb9

seems to be able to be run with --lnd.bitcoin.node=nochainbackend, I get

{
    "pending_batch": {
        "batch_key": "02f2d5c0f51da7c6146beb8daff55ac95de237e6c8840cf17217be2e544a7e212f",
        "batch_txid": "",
        "state": "BATCH_STATE_PENDING",
        "assets": [
            {
                "asset_version": "ASSET_VERSION_V0",
                "asset_type": "NORMAL",
                "name": "usdt",
                "asset_meta": null,
                "amount": "500000000",
                "new_grouped_asset": true,
                "group_key": "",
                "group_anchor": "",
                "group_internal_key": {
                    "raw_key_bytes": "03a6553ff1aa8bb1dc91b35e1f8428f99e6dfc3a66e39945ad9c0c22fffec677ff",
                    "key_loc": {
                        "key_family": 0,
                        "key_index": 0
                    }
                },
                "group_tapscript_root": "",
                "script_key": {
                    "pub_key": "b0203256482ac394f5bab04453199c13073c692020573d4e4914404bbfb3a2d1",
                    "key_desc": {
                        "raw_key_bytes": "0278a0c80b9b6700c1c949bbe8612d8cf54bd281af4c924a0ba70c159387239ee6",
                        "key_loc": {
                            "key_family": 212,
                            "key_index": 0
                        }
                    },
                    "tap_tweak": ""
                }
            }
        ],
        "created_at": "1736442818",
        "height_hint": 1,
        "batch_psbt": ""
    }
}

but

taproot-assets/docs/external-group-key.md

Line 149 in e61d638

$ tapcli assets mint fund --sat_per_vbyte 20

gives me

[tapcli] unable to fund batch: rpc error: code = Unknown desc = unable to fund batch: unable to fund minting batch: unable to fund minting PSBT for batch: 02f2d5c0f51da7c6146beb8daff55ac95de237e6c8840cf17217be2e544a7e212f unable to fund psbt: unable to fund psbt: rpc error: code = Unknown desc = error selecting coins: not enough witness outputs to create funding transaction, need 0.00001000 BTC only have 0 BTC available

[ZZiigguurraatt]

@dstadulis, this command I also don't understand how it can be run offline as tapcli assets mint finalize normally broadcasts the transaction to the network.

taproot-assets/docs/external-group-key.md

Lines 389 to 437 in e61d638

	## Step 7: Finalize the batch
	If the step above didn't result in an error, the minting batch is ready to be
	finalized:
	```shell
	$ tapcli assets mint finalize
	{
	"batch": {
	"batch_key": "031cad33f9c2d11ba1955c86d30e99414010a3d8db3cf005cdfd7b5947884d152b",
	"batch_txid": "07be90fa33795ddb4d20c397ddfb07827c898b8096df75a12871e25ae8f7653a",
	"state": "BATCH_STATE_BROADCAST",
	"assets": [
	{
	"asset_version": "ASSET_VERSION_V0",
	"asset_type": "NORMAL",
	"name": "usdt",
	"asset_meta": null,
	"amount": "500000000",
	"new_grouped_asset": false,
	"group_key": "02a947e56ec036b80fcfdaa61eeaa725b14a31ee4a05091de1d71930878f8cd704",
	"group_anchor": "",
	"group_internal_key": {
	"raw_key_bytes": "03a6553ff1aa8bb1dc91b35e1f8428f99e6dfc3a66e39945ad9c0c22fffec677ff",
	"key_loc": {
	"key_family": 0,
	"key_index": 0
	}
	},
	"group_tapscript_root": "93ece4efce6d317e9ecb74d1bfc26c2eadb43080ff38aa21069dc81379defd8d",
	"script_key": {
	"pub_key": "ff3608f3e5e608317011201b104bf87352655f4ea47c14edad0cabe6d69ff5b4",
	"key_desc": {
	"raw_key_bytes": "03a0fc40fd7d5ecbc34cfd479aa44320af064a9df7a3c9d1940ebe2fc9bcd8f1a9",
	"key_loc": {
	"key_family": 212,
	"key_index": 15
	}
	},
	"tap_tweak": ""
	}
	}
	],
	"created_at": "1735303474",
	"height_hint": 157,
	"batch_psbt": "70736274ff010089020000000193267bc4203fbcd503f52ebf10e57cb1bea854617ac27b07df36d6feae38407100000000000000000002e8030000000000002251208e7e9e413a2ed27bee7bd378720589005d310e24814449e16f39d0a3087eba5439d0f50500000000225120b57e85d54f10ff813207ebb49e0c1a174813946516ca0e1c0b06191ba6b2667400000000000100de02000000000101049ea356718188c25b111a07f293158e6fbff2c0780643aa8731d392ac3b5b180100000000fdffffff0200e1f50500000000160014dd2f53994b70a2c43b72bb7f66b63d8b8e629a5cd05b93d600000000160014c10699dfa395cc2d48d7ed5fc697c5efddd18fe60247304402202d46b3fc55d7ca7140ac38a3847c1c1df9984f8c2abbdbcdb8779208810199b00220134869b61fee2a09fcbd4a5bc6b2ce813f1f785b692d8971ee30f6dd2a172ce20121028a0bda7fde65fc310d5a2540aee5f20c2693faab85331c3161063b842611e2d98c00000001011f00e1f50500000000160014dd2f53994b70a2c43b72bb7f66b63d8b8e629a5c01086b02473044022004d32c69c7fbb54d2f4278d0f2b2f3506dc1d273a252b8b487c8a425693240a502203e2682d58292fc1339857fd0321b1c8555e63ce4f117dfdded8b8b418333b0d50121020b76f7e4cb9de0a39697e085815ec8c32ad3124f693bf6cfe2ae44477f4c23ed0000220203b59023dd9a58fb64dad00948ad44fe5c194cf2e36b2e104bd8ef255bc480f21718000000005600008000000080000000800100000007000000010520b59023dd9a58fb64dad00948ad44fe5c194cf2e36b2e104bd8ef255bc480f2172107b59023dd9a58fb64dad00948ad44fe5c194cf2e36b2e104bd8ef255bc480f217190000000000560000800000008000000080010000000700000000"
	}
	}

[ffranr]

@ZZiigguurraatt I'll re-approach your questions with more care later. But for clarity I can say that every tapcli command is executed on a "hot" internet connected computer. And every chantools command is executed on a "cold" offline computer. The bitcoin-cli can be on either.

I'll update the doc to reflect that soon.

[dstadulis]

tapcli assets mint finalize normally broadcasts the transaction to the network.

Your assessment of the finalize command needing to be run on a WAN connected host is accurate.

Helpful to have clarity about the remaining commands from ffranr.

Given this info, seems there's no remaining blocker to validation work.

[ZZiigguurraatt]

At

taproot-assets/docs/external-group-key.md

Lines 236 to 251 in c0c6795

	## Step 5: Sign the group PSBT
	We now copy the `group_virtual_psbt` from the previous step and sign it with
	`chantools`:
	```shell
	$ chantools --regtest signpsbt --walletdb /tmp/wallet.db \
	--psbt cHNidP8BAF4CAAAAATKZro+KSjqg4YQvE0bqBCbWuii3ekKAdufOGo57L8lwAAAAAAAAAAAAAQBlzR0AAAAAIlEgxoSpM86Pyu/bCRKhOc6/2TLXDGXnUnXn69FQqD8gw7cAAAAAAAEBKwBlzR0AAAAAIlEgqUflbsA2uA/P2qYe6qclsUox7koFCR3h1xkwh4+M1wQiBgOmVT/xqoux3JGzXh+EKPmebfw6ZuOZRa2cDCL//sZ3/xgQYIu5VgAAgAEAAIAAAACAAAAAAAAAAAAhFqZVP/Gqi7HckbNeH4Qo+Z5t/Dpm45lFrZwMIv/+xnf/GQAQYIu5VgAAgAEAAIAAAACAAAAAAAAAAAABFyCmVT/xqoux3JGzXh+EKPmebfw6ZuOZRa2cDCL//sZ3/wEYIJPs5O/ObTF+nst00b/CbC6ttDCA/ziqIQadyBN53v2NAAA=
	2024-12-27 13:45:06.344 [INF] CHAN: chantools version v0.13.5 commit
	Input wallet password:
	Successfully signed PSBT:
	cHNidP8BAF4CAAAAATKZro+KSjqg4YQvE0bqBCbWuii3ekKAdufOGo57L8lwAAAAAAAAAAAAAQBlzR0AAAAAIlEgxoSpM86Pyu/bCRKhOc6/2TLXDGXnUnXn69FQqD8gw7cAAAAAAAEBKwBlzR0AAAAAIlEgqUflbsA2uA/P2qYe6qclsUox7koFCR3h1xkwh4+M1wQBCEIBQAv/X4PJqGyO2YzL2uJgIK+gDFGCTIFkzAq29ThWcBuW5mFIc7aQX1CBtxHSXiF8/jn+F5sWeL0pve1ZKxY7L4EAAA==
	```

we should also recommend to use the --bip39 option if using a non-persistent wallet. See also, lightninglabs/chantools#180.

[ZZiigguurraatt]

It's worth noting the doc that the h notation cannot be used in place of the ' notation for hardened derivation paths.