Skip to content

Signing PSBTs

This guide covers how to sign Theft Shield PSBTs with various hardware wallets and software.

Understanding the Signing Process

What You're Signing

Each PSBT authorizes:

  • Inputs: All UTXOs from your monitored wallet
  • Output: Your safe address
  • Fee: A specific amount for that RBF round

Before Signing

Verify Before Signing

Always verify on your hardware wallet display:

  1. The destination address matches YOUR safe address
  2. The amount is correct (your balance minus fees)
  3. You're comfortable with the fee amount

Hardware Wallet Guides

Coldcard

Coldcard is ideal for Theft Shield due to its air-gapped signing capability.

Using SD Card

  1. Export PSBTs from Vigil
  2. Download as .psbt files

  3. Copy to MicroSD card

  4. Insert SD Card into Coldcard

  5. Power on Coldcard

  6. Insert MicroSD card

  7. Sign Each PSBT

  8. Ready to Sign → Choose file
  9. Review transaction details:
    • Spending from: [your addresses]
    • Sending to: [your safe address]
    • Fee: [amount in BTC]
  10. Press ✓ to approve

  11. Repeat for each PSBT

  12. Export Signed PSBTs

  13. Signed files saved to SD card with -signed suffix

  14. Remove SD card

  15. Upload to Vigil

  16. Upload all -signed.psbt files
  17. Vigil validates signatures

Using USB (if enabled)

  1. Connect Coldcard via USB
  2. Use Electrum or Sparrow to sign
  3. Follow software-specific instructions

Ledger

Using Sparrow Wallet

  1. Connect Ledger
  2. Connect via USB
  3. Open Bitcoin app on device

  4. Unlock Sparrow wallet

  5. Load PSBT

  6. File → Open Transaction → Load PSBT

  7. Or paste Base64 PSBT

  8. Sign Transaction

  9. Click "Finalize Transaction for Signing"
  10. Review on Ledger screen:
    • Output address
    • Amount
    • Fees

  11. Approve on device

  12. Export Signed PSBT

  13. File → Save Transaction

  14. Save as signed PSBT

  15. Repeat for Each Round

  16. Sign all PSBT rounds

  17. Upload to Vigil

  18. Upload signed PSBT files

Using Ledger Live

  1. Open Ledger Live
  2. Go to your Bitcoin account
  3. Load PSBT via advanced features
  4. Sign on device
  5. Export signed transaction

Trezor

Using Trezor Suite

  1. Connect Trezor
  2. Connect via USB

  3. Enter PIN

  4. Load PSBT

  5. Advanced → Sign PSBT

  6. Paste or upload PSBT

  7. Review on Device

  8. Verify output address
  9. Verify amount

  10. Confirm fees

  11. Approve and Export

  12. Confirm on Trezor
  13. Export signed PSBT

Using Electrum

  1. Open Electrum with Trezor wallet
  2. Tools → Load transaction → From file
  3. Sign transaction
  4. Export signed transaction

BitBox02

  1. Connect BitBox02
  2. Use BitBoxApp or Sparrow
  3. Load PSBT
  4. Review and sign on device
  5. Export signed PSBT

Software Wallet Signing

Sparrow Wallet

For hot wallets or watch-only with hardware signing:

  1. File → Open Transaction → Load PSBT
  2. Click "Finalize for Signing"
  3. If hot wallet: Signs automatically
  4. If hardware: Follow device prompts
  5. File → Save Transaction (signed)

Electrum

  1. Tools → Load transaction → From file
  2. Select PSBT file
  3. Click "Sign"
  4. Enter password (for hot wallets)
  5. Export signed transaction

Bitcoin Core

# Decode and inspect PSBT
bitcoin-cli decodepsbt <base64_psbt>

# Sign PSBT (if wallet has keys)
bitcoin-cli walletprocesspsbt <base64_psbt>

# Output will include signed PSBT

Batch Signing

Multiple PSBTs

Vigil generates multiple PSBTs (one per RBF round). Sign them all:

  1. Download all PSBTs as a batch file
  2. Sign each PSBT individually
  3. Upload all signed PSBTs together

Coldcard Batch Signing

Coldcard can sign multiple PSBTs from SD card:

  1. Copy all .psbt files to SD card
  2. Sign each one in sequence
  3. All signed files saved automatically

Verification

What Vigil Checks

When you upload signed PSBTs, Vigil verifies:

Check Purpose
Valid signatures Cryptographic verification
Correct output Matches your safe address
Proper fees Matches budget allocation
UTXO coverage All monitored UTXOs included
Signature type SIGHASH_ALL required

Signature Errors

Error Cause Solution
Invalid signature Signing error Re-sign the PSBT
Wrong output Address mismatch Verify safe address in setup
Missing signatures Incomplete signing Complete all signatures
UTXO mismatch UTXOs changed Regenerate PSBTs

Security Best Practices

Do

  • ✅ Verify addresses on hardware wallet screen
  • ✅ Double-check fee amounts
  • ✅ Sign in a secure environment
  • ✅ Keep signed PSBTs confidential

Don't

  • ❌ Sign without verifying destination
  • ❌ Share signed PSBTs publicly
  • ❌ Sign on compromised computers
  • ❌ Ignore hardware wallet warnings

Next: Safe Addresses →