tapgarden: adjust validation for external key re-issuance

This commit fixes two checks that prevented us to re-issue more assets
into an existing group using an external group key.

Author: guggero

tapgarden/planter.go

@@ -2668,7 +2668,12 @@ func (c *ChainPlanter) prepAssetSeedling(ctx context.Context,
 	// If a group internal key or tapscript root is specified, emission must
 	// also be enabled.
 	if !req.EnableEmission {
-		if req.GroupInternalKey != nil {
+		// For re-issuing grouped assets or regular (non-grouped)
+		// assets, the group internal key shouldn't be set. It is,
+		// however, set for re-issuance with an external key, because
+		// the internal group key is the key we compare the external key
+		// against.
+		if req.GroupInternalKey != nil && req.ExternalKey.IsNone() {
 			return fmt.Errorf("cannot specify group internal key " +
 				"without enabling emission")
 		}

tapgarden/seedling.go

@@ -183,10 +183,49 @@ func (c Seedling) validateFields() error {
 func (c Seedling) validateGroupKey(group asset.AssetGroup,
 	anchorMeta *proof.MetaReveal) error {
 
-	// We must be able to sign with the group key.
-	if !group.GroupKey.IsLocal() {
-		groupKeyBytes := c.GroupInfo.GroupPubKey.SerializeCompressed()
-		return fmt.Errorf("can't sign with group key %x", groupKeyBytes)
+	switch {
+	// If we have an external key, we need to check that the group key
+	// matches the external key.
+	case c.ExternalKey.IsSome():
+		err := fn.MapOptionZ(
+			c.ExternalKey, func(extKey asset.ExternalKey) error {
+				if group.GroupKey == nil {
+					return fmt.Errorf("group key is nil")
+				}
+
+				if group.GroupKey.RawKey.PubKey == nil {
+					return fmt.Errorf("group raw key is " +
+						"nil")
+				}
+
+				pk, err := extKey.PubKey()
+				if err != nil {
+					return fmt.Errorf("error getting "+
+						"external key: %w", err)
+				}
+
+				if !pk.IsEqual(group.RawKey.PubKey) {
+					return fmt.Errorf("external key " +
+						"does not match group key")
+				}
+
+				return nil
+			},
+		)
+		if err != nil {
+			return fmt.Errorf("error validating external key: %w",
+				err)
+		}
+
+	// If it's not an external key, we need to check that we can actually
+	// sign with the group key.
+	default:
+		if !group.GroupKey.IsLocal() {
+			groupPubKey := c.GroupInfo.GroupPubKey
+			groupKeyBytes := groupPubKey.SerializeCompressed()
+			return fmt.Errorf("can't sign with group key %x",
+				groupKeyBytes)
+		}
 	}
 
 	// The seedling asset type must match the group asset type.