Verifying/testing offline signer safely?

[PhoenixFire]

In a typical split setup:

• An offline computer with the private keys and Armory running in offline mode
• An online computer with a full Bitcoin Core node & Armory watching wallet (i.e. Security: Offline)

What is the safest way to test the spending of coins in the wallet without actually spending them? i.e. doing everything but broadcasting the transaction. By safe I mean the avoidance of loss of coins.
Possibly paranoia but given there are so many stories of lost coins over the years I personally feel it is warranted to be confident in performing a dry run.
I think these are the safest steps below but I don't know beyond a shadow of a doubt, and reassurance from experienced users would be very welcome.

Open Armory on the Online Computer (PC 1)
Select wallet with coins, choose Send Bitcoins
Check "MAX" next to amount in order to test all private keys in wallet with UTXOs.
Open address book, and find a "Receiving" address that already has coins in your same wallet. Select that address.

Why? My logic being that worst case if the transaction is broadcast accidentally you've compromised your privacy but the coins are going to go straight back to an address for a private key you know you control, without a doubt.

Drop fees to 1 sat/byte
Turn off RBF? May not matter if on or off?
Preview transaction and ensure the only output is the previously selected address and that address is one of the inputs. No "change addresses" to cause slip ups.
Continue to the "Review Offline Transaction" page.
Follow instructions to save the unsigned transaction to USB drive or other removable media.
Transfer to the Offline Computer (PC 2)
Load transaction in offline Armory on PC 2.
Review transaction fully and check it is as expected.
Sign the transaction.
Final step since we don't want to broadcast is to delete the signed transaction on PC 2.

At this point I assume the transaction signer is functioning as expected because PC 2 was able to sign the transaction. If I didn't have the right private keys signing would presumably fail in some way, is that correct?
Or is it not 100% assured until the transaction is loaded into Armory on PC 1?

Am I missing anything? Any pitfalls?

Thank you,
PhoenixFire

[nc50lc]

Final step since we don't want to broadcast is to delete the signed transaction on PC 2.

At this point I assume the transaction signer is functioning as expected because PC 2 was able to sign the transaction. If I didn't have the right private keys signing would presumably fail in some way, is that correct?
Or is it not 100% assured until the transaction is loaded into Armory on PC 1?

Having it signed without errors is a good sign already but you can still test if the transaction can be broadcasted without actually broadcasting it.

Since you have a fully synced Bitcoin Core already in the online machine,
You can start it (after closing Armory) and use the command: testmempoolaccept to see if your node will accept it and check if there's nothing wrong with the final transaction.
If you're using the default standards when it reported "allowed: true", then it's safe to assume that most of the bitcoin nodes will accept it as well.

e.g.:

Code:

testmempoolaccept '["0200000000010145_signed_raw_transaction_b700000000"]'

[goatpig]

I don't like the idea of signing transactions you do not intent to broadcast, even less if you would expose them to an online machine.

It may be more tedious but you could check individual private keys via the bitcoin message signing feature in "Tools -> Message Signing/Verification".

This will sign messages for you using the Bitcoin message signing protocol. It uses a different hash from transaction signing so it can be abused to move coins, and you can then check the signatures with any other machine/service without risk.

What is the safest way to test the spending of coins in the wallet without actually spending them?

To "prove" coins are spendable, you have to pass 3 tests:

1. the coins have to be spendable on chain.
2. your wallet has to be able to resolve script. If your coins are in straight forward scripts like P2PKH, simply having the public key will cover for that. With more complex stuff like nested multiscript or taproot, it is unlikely the script data can be generated from the privates keys alone, so that needs checked too.
3. you have to be able to sign for the script.

What you have described is the most straight forward way to check you can achieve step 2&3, not the safest. You could always get a copy of the chain on an offline machine, run Core there and broadcast said tx on that system. Or you could use Core's command prompt tools to check the tx and its signature.