Multisig fix

[onvej-sl]

• d99fea3 and cae49da disallow per-node paths which fixes https://github.com/satoshilabs/trezor-firmware/issues/191.
• d19cbfa introduces sorting of pubkeys in multisig which fixes https://github.com/satoshilabs/trezor-firmware/issues/193.
• 267c1c7 removes a path that is not used anymore (see https://satoshilabs.slack.com/archives/C01L1HT4B46/p1730908353546419). This was the only allowed path that doesn't end with /change/address_index. This caused some paths weren't properly recognized as change outputs. However, the main reason for removing this path is primarily to prevent further problems in the future.
• d9b7a57 forbid multisig to singlesig change outputs. This allows users to have greater control over where their funds are sent because since Send flow style update #2925, we also display the path for internal outputs. Nevertheless, this doesn't always work as expected, see Path doesn't fit line when confirming internal output on T3T1 #4319).

None of these changes were backported to legacy.

[github-actions]

core UI changes	device test	click test	persistence test
T2T1 Model T	test(screens) main(screens)	test(screens) main(screens)	test(screens) main(screens)
T3B1 Safe 3	test(screens) main(screens)	test(screens) main(screens)	test(screens) main(screens)
T3T1 Safe 5	test(screens) main(screens)	test(screens) main(screens)	test(screens) main(screens)
All	main(screens)

[github-actions]

legacy UI changes	device test(screens) main(screens)

[onvej-sl]

Related issue: #4356

[onvej-sl]

@andrewkozlik please do a high-level review, ensuring particularly that this pull request fixes the mentioned issue.
@mmilata please do a generic review.

[mmilata]

Looking good, found some nits, another pair of eyes on apps/bitcoin/sign_tx/ would be nice.

[andrewkozlik]

High level this LGTM. Good job! Awaiting final approval from @mmilata.

@Hannsek we will need 3rd party multisig providers (Unchained, Casa, ...) to test that these changes do not break their setups. I believe you have the full set of contacts. Please coordinate with them before the next firmware release.

[andrewtoth]

Doesn't this break multisig_pubkey_index if using lexicographic order, since that will return the index of the pubkey if unsorted?

[onvej-sl]

Doesn't this break multisig_pubkey_index if using lexicographic order, since that will return the index of the pubkey if unsorted?

I'm afraid you are right. It breaks the serialization of the multisig witness and signature. What is strange is that this test didn't catch it.

[andrewtoth]

That's because that test does not use that function in a breaking way. That is testing unsigned txs. The multisig_pubkey_index function breaks when it is used for inserting the signatures.

[andrewtoth]

I have it fixed in d066232

[onvej-sl]

That's because that test does not use that function in a breaking way. That is testing unsigned txs. The multisig_pubkey_index function breaks when it is used for inserting the signatures.

I'm not sure if this is exactly what you're saying, but I discovered that the test fails to catch it because I use empty signatures in MultisigRedeemScriptType.

I have it fixed in d066232

The fix is not completely correct because multisig_pubkey_index is used here to detect which xpub belongs to you and the xpubs are not sorted.