The bitbox02 firmware releases are
firmware/vX.Y.Z for the Multi edition, and
firmware-btc-only/vX.Y.Z for the Bitcoin-only
edition. The binaries are built from those tags in a reproducible manner, based on fixed versions of
all dependencies. We use Docker to fix those dependencies.
Note: it is possible to reproduce the binaries without Docker by installing the correct dependencies. The instructions below use Docker however, as it makes it a easier to get started.
What is the purpose of this?
The purpose is twofold:
- It is much more technically involved to actually build the binaries from source, than it is to
verify signatures using
gpgon the command line or in a GUI. This gives users who are willing and eager to verify the option to verify our releases even if they are unable to build the binaries themselves.
- The firmware binaries are only practically reproducible for a limited amount of time after the release. In the future, the dependencies of our Dockerfile might have changed, or Docker itself might even become incompatible or obsolete. This historic record allows you to be reasonably sure that the released binary was created correctly, even if it becomes infeasible to re-build the binary.
Verify assertions by the community
assertion.txt file of the relevant subdir,
The assertion.txt is created by the maintainers of this repo with every release.
Verify a signature confirming its contents, for example:
cd firmware-v4.1.0/ # import any missing public keys gpg --import pubkeys/benma.asc gpg --verify assertion-benma.sig assertion.txt
A valid signature means that the signer confirms that they could reproduce the binary from the stated version tag.
You can check that the released signed firmware (usually named
the unsigned binary with:
Contribute your signature
We kindly ask you to independently build the firmware binaries we released, and verify that you get the same result. Please open a PR to add your signed message confirming this. Signing a confirmation like this only confirms that you got the same result. It does not endorse the contents or quality of the binary itself.
How to reproduce:
./build.sh <version tag> <make command>, e.g.:
./build.sh firmware/v4.1.0 "make firmware" # or Bitcoin-only: ./build.sh firmware-btc-only/v4.1.0 "make firmware-btc"
This script is very simple and you can review it or run all the steps inside manually.
When it successfully finishes, print the sha256 hash of the binary:
# linux sha256sum temp/build/bin/firmware.bin # macOS shasum -a 256 temp/build/bin/firmware.bin
Contributing your signature
Please inspect the
assertion.txt in the relevant subfolder,
e.g. firmware-v4.1.0/assertion.txt. If you agree to its contents
and verified that the sha256 hash therein matches the one you got, please sign the file using:
cd firmware/v4.1.0 # go to the relevant subfolder gpg -o assertion-YOURNAME.sig --detach-sign assertion.txt
Open a PR adding your signature file to this folder. Also add your pgp pubkey to the ./pubkeys folder:
gpg --export --armor YOUR_PGP_KEY_ID > ./pubkeys/YOURNAME.asc