Let's talk about Reproducible Builds for Hardware Wallets firmware

[maxirosson]

Verifiable Source wallets let you inspect code for flaws, but pre-compiled software lacks a way to verify if it matches the source. Reproducible builds ensure that anyone can recreate identical copies from source code, build environment, and instructions. That's why is important for all wallet users to learn how to build the firmware and verify it before upgrading their wallets.
If not possible for you, at least see if there are proofs of others doing that verification. One good place to find those proofs is https://bitcoinbinary.org

This week on Twitter & Nostr NVK (Coldcard creator) encouraged people to learn how to verify builds. This was a success, a lot of people could learn how to build and verify the Coldcard firmware.

From http://thebitcoinhole.com we want to also collaborate. So, we added a new section "Reproducible Builds" on our website. There you can find for each wallet if they offer reproducible builds instructions and if there are proofs of verification on http://bitcoinbinary.org

We encourage all the hardware wallet manufacturers (or anyone interested) to collaborate and automate proofs of verifications on http://bitcoinbinary.org.

According to our research: Blockstream Jade, Coldcard, BitBox02, Passport Batch 2, Trezor, KeepKey, SeedSigner, and Specter DIY offers reproducible builds instructions and/or proofs of verification.

Remember: #LearnToBuild #donttrustverify

[1714554756]

1714554756

[1714554756]

1714554756

[1714554756]

1714554756

[1714554756]

1714554756

[dkbit98]

Verifiable Source wallets let you inspect code for flaws, but pre-compiled software lacks a way to verify if it matches the source. Reproducible builds ensure that anyone can recreate identical copies from source code, build environment, and instructions. That's why is important for all wallet users to learn how to build the firmware and verify it before upgrading their wallets.
If not possible for you, at least see if there are proofs of others doing that verification. One good place to find those proofs is https://bitcoinbinary.org

I am not saying bitcoinbinary is bad but in my opinion there is a better website that first started doing this Reproducible builds, and it's called WalletsSrutiny.
I think they have bigger base of wallets they tested and they are constantly working on adding new ones, not to mention they received lawsuits for doing this...
Bitcoinbinary was created after NVK changed license for ColdCard wallet from open source to CC, because it was not showing reproducible Coldcard on WalletScrutiny website
It's different story now:


https://walletscrutiny.com/

[maxirosson]

I know walletscrutiny has more wallets, but sometimes it is not updated. They changed Coldcard to reproducible this week, after NVK started to talk about this topic on Twitter.

If I am not wrong, walletscrutiny has two issues:

1.They are not verifying all the versions, just one
2. AFAIK, We don't have real proof that the verification was executed. We must trust on walletscrutiny.com

Bitcoinbinary.org fix those two issues:

1. They have a bot to run the verification for each version. You can also manually upload a proof of verification.
2. The github action with the execution is a proof that it was executed, so we don't need to trust in Bitcoinbinary.org

[n0nce]

2. AFAIK, We don't have real proof that the verification was executed. We must trust on walletscrutiny.com

Well, they show you the script which was run so you can re-do it yourself if you wish so.
The whole reason for such sites to exist is that some people are not willing / able to verify builds themselves and want to trust someone to do it for them.

Now, my main issue is: this site not only gets donations or is sponsored by a hardware wallet manufacturer, but is directly run by one.

Patronage by Coinkite

https://github.com/coinkite/bitcoinbinary.org

So this whole thing is a charade. I see no logical reason to run a site that on first sight seems just slightly tied / sponsored by CoinKite / ColdCard, while being actually run by them, instead of just posting reproducibility instructions on the actual wallet's GitHub page and calling it a day.
Something like: https://github.com/Foundation-Devices/passport2/blob/main/REPRODUCIBILITY.md

[Pmalek]

<Snip>

I understand what you mean, but the only important question is if the information posted on the site is 100% accurate and verifiable or not. In other words, is everything they say reproducible really reproducible and vice versa. At least they aren't hiding their connection with Coinkite. It is what it is. In theory, walletscrutiny could be sponsored or patronaged by someone as well, and they might be quiet about it.   

[n0nce]

<Snip>

I understand what you mean, but the only important question is if the information posted on the site is 100% accurate and verifiable or not. In other words, is everything they say reproducible really reproducible and vice versa. At least they aren't hiding their connection with Coinkite. It is what it is. In theory, walletscrutiny could be sponsored or patronaged by someone as well, and they might be quiet about it.   

Sure, I just don't understand the added benefit of having a website saying 'we ran the CoinKite reproducibility script and it was OK' while actually being CoinKite themselves, when it's already on their GitHub.
I'm not alleging anything but it seems deliberate.

If we say that we could / should reproduce what the site is saying, then we don't need the site at all.

[Pmalek]

Sure, I just don't understand the added benefit of having a website saying 'we ran the CoinKite reproducibility script and it was OK' while actually being CoinKite themselves, when it's already on their GitHub.
I'm not alleging anything but it seems deliberate.

But wouldn't you say it would be weird the other way around as well? Imagine if they are running this site checking if builds are reproducible, and they have listed dozens of projects but left out Coldcard - a hardware wallet which has reproducible builds. I would find that weird, regardless of who is behind the site. Their connection to Coinkite is visible in the header.     

[n0nce]

Sure, I just don't understand the added benefit of having a website saying 'we ran the CoinKite reproducibility script and it was OK' while actually being CoinKite themselves, when it's already on their GitHub.
I'm not alleging anything but it seems deliberate.

But wouldn't you say it would be weird the other way around as well? Imagine if they are running this site checking if builds are reproducible, and they have listed dozens of projects but left out Coldcard - a hardware wallet which has reproducible builds. I would find that weird, regardless of who is behind the site. Their connection to Coinkite is visible in the header.     

That's not my point, though. 'Connection' to CoinKite is an understatement. This site is operated by them. For one, that is not obviously clear, it looks more like it's just sponsored by them.
And secondly, I simply don't see the reason to make a website that shows their stuff is reproducible if they already have it on their wallet's GitHub page.

Maybe I can't put it into words well. This picture might help.

[dkbit98]

So this whole thing is a charade. I see no logical reason to run a site that on first sight seems just slightly tied / sponsored by CoinKite / ColdCard, while being actually run by them, instead of just posting reproducibility instructions on the actual wallet's GitHub page and calling it a day.

Funny thing that I exposed this charade first time this website was released, when they showed fake donation received from Coinkite aka Coldcard  
However, I don't think bitcoinbinary.org website is a bad idea overall, since everyone can use it for all other bitcoin wallets.
Question is how many people are actually using bitcoinbinary.org for this purpose, according to their log I see that last checked wallet was ColCard back in April of this year, before that it was Bitcoin Core in January... there is nothing more in whole 2023...



Archive of ''donation'':


http://web.archive.org/web/20210916165204/https://bitcoinbinary.org/

I was never a fan of circus shows.

[Pmalek]

And secondly, I simply don't see the reason to make a website that shows their stuff is reproducible if they already have it on their wallet's GitHub page.

I would agree with you if BitcoinBinary only showed reproducibility information about Coldcard. But that's not the case. They show the same information about other open-source and reproducible wallet builds. Bitcoin Core is there, so is Wasabi, Blockstream, Sparrow, etc. That's why it's not only a website to show their software, but it's a part of it.

Let's put it this way. Imagine if I was the CEO of Trezor, and for some reason I wanted to run a website discussing and highlighting open-source hardware wallets produced and/or assembled in the EU. There is a list of every single brand except for Trezor, which is headquartered in the Czech Republic and thus belongs on the list. You would not find that weird? I would.