cosmos / ledger-cosmos-obsolete

Ledger Nano S support for Tendermint/Cosmos
Apache License 2.0

Tendermint app behaves differently when compiled with SDK 1.4.2 or SDK 1.5.5 #120

Closed jleni closed 5 years ago

jleni commented 5 years ago

The validator app generates different keys when compiled with different SDKs. The reason is that when upgrading the SDK / Firmware, the behavior of os_perso_derive_node_bip32 changes.

| Ledger SDK | API | Ed25519+bip32 implementation |
|---|---|---|
| 1.5.5 | os_perso_derive_node_bip32_seed_key | new implementation (only exists in 1.5.5) |
| 1.5.5 | os_perso_derive_node_bip32 | new implementation |
| 1.4.2 | os_perso_derive_node_bip32_seed_key | Not Available |
| 1.4.2 | os_perso_derive_node_bip32 | old implementation |

The new derivation approach used by Ledger has also been made available as a Python script: https://github.com/LedgerHQ/orakolo/blob/master/src/python/orakolo/HDEd25519.py

In order to avoid any inconvenience, this issue recommends upgrading to os_perso_derive_node_bip32_seed_key, making the app incompatible with 1.4.2 and requiring SDK >= 1.5.5.

Note: This should not affect the Tendermint app in Ledger Live, but may affect people compiling directly from source code.

jleni commented 5 years ago

Fixed in PR https://github.com/tendermint/ledger-validator-app/pull/10 and merged in #121

adrianbrink commented 5 years ago

Does this mean that as long as the Ledger was upgraded to 1.5.5 everything is fine and the derivation didn't change?

jleni commented 5 years ago

Yes, this issue would not be applicable in that case. Only if you are using 1.4.2 and did compile from source.

jleni commented 5 years ago

To confirm, you can always run the Python script offline and check the keys:

I explained a bit more here: https://github.com/tendermint/tendermint/issues/3320#issuecomment-471567939