In order to verify that the software we publish only contains what we say it does, reproducibility is an important requirement.
What does reproducibility mean?
Reproducibility is a fundamental principle in the world of open source software. It refers to the ability of others to independently verify and replicate the results of a published piece of software by compiling software themselves. This is important for a number of reasons, including ensuring the security and integrity of the software, fostering collaboration within the open source community, and promoting transparency and trust in the development process.
Open source software like the BitBox02 firmware is freely available for anyone to use, modify and distribute, which makes reproducibility even more important. Without it, it becomes difficult to trust the software.
Reproducibility also plays a crucial role in research, such as cryptography, as it allows for others to independently verify and replicate results, which is key to maintaining trust and credibility in the field.
Reproducing the BitBox02 firmware
In order to build the BitBox02 firmware yourself, you first need to install Docker desktop. You can find the most up to date version here.
Next, download the BitBox02 firmware repository by clicking on Code and then Download ZIP on the github page. Unzip the file.
On macOS:
Open the terminal, then enter the BitBox02 firmware directory by typing:
cd Downloads
cd bitbox02-firmware-master
cd releases
Then, to build the Bitcoin-only firmware itself, use:
./build.sh firmware-btc-only/v9.13.1 "make firmware-btc"
Or to build the Multi edition firmware:
./build.sh firmware/v9.13.1 "make firmware"
The compilation will take a few minutes, depending on your computer. You will find the compiled firmware under:
./Downloads/bitbox02-firmware-master/releases/temp/build/bin/firmware-btc.bin
For the Bitcoin-only, or
./Downloads/bitbox02-firmware-master/releases/temp/build/bin/firmware.bin
If you compiled the Multi version.
Verifying the hashes
To verify that your compiled firmware matches our published binaries, run the following command:
shasum -a 256 temp/build/bin/firmware-btc.bin
This will return an alphanumeric string (hash).
To compare this with the published firmware, download the firmware from the release section of github and place it in the /Downloads/bitbox02-firmware-master/releases folder. Then run (make sure the filename in the command matches the version number):
./describe_signed_firmware.py firmware-btc.v9.13.1.signed.bin
Which should return the same alphanumeric string as your previous command.
Now you can be sure that the binaries of the firmware we are publishing actually match the open source code you find in our github repository.
You can also set up your BitBox02 so that it displays a firmware hash whenever you connect it to your host device, which you can compare to the second one displayed after running the ./describe_signed_firmware.py command.
Reproducibility is an important part of being open source. If the software cannot be compiled by others, it does not bring the benefits of open source software.
Community Assertions
If your hashes match, you can submit your result to our repository, where we maintain a list of community assertions. Please note that you will need to have a gpg key set up.
To submit a signature, go to the firmware folder by running (adjust the firmware version):
cd firmware/v4.1.0
Create a signature with:
gpg -o assertion-YOURNAME.sig --detach-sign assertion.txt
Please see our github page for instructions how to submit your assertation.
Don’t own a BitBox yet?
Keeping your crypto secure doesn't have to be hard. The BitBox02 hardware wallet stores the private keys for your cryptocurrencies offline. So you can manage your coins safely.
The BitBox02 also comes in Bitcoin-only version, featuring a radically focused firmware: less code means less attack surface, which further improves your security when only storing Bitcoin.
Frequently Asked Questions (FAQ)
What is reproducibility in open source software?
Reproducibility refers to the ability of others to independently verify and replicate the results of a published piece of software by compiling it themselves. It ensures security, integrity, and promotes transparency and trust.
Why is reproducibility important for the BitBox02 firmware?
The BitBox02 firmware is open source, making it freely available for anyone to use, modify, and distribute. Reproducibility ensures that the software can be trusted and that it truly represents the open source code provided.
How can I reproduce the BitBox02 firmware?
To reproduce the BitBox02 firmware, you need to install Docker desktop, download the BitBox02 firmware repository from GitHub, and follow the provided steps to build the firmware using the terminal.
How do I verify the compiled firmware matches the published binaries?
After compiling the firmware, you can verify it by running a command that returns a hash. This hash should match the one from the published firmware available on GitHub.
What is the significance of a firmware hash on the BitBox02?
The firmware hash displayed on the BitBox02 when connected to a host device can be compared to the hash obtained after running a specific command. This ensures the firmware's authenticity.
Shift Crypto is a privately-held company based in Zurich, Switzerland. Our team of Bitcoin contributors, crypto experts, and security engineers builds products that enable customers to enjoy a stress-free journey from novice to mastery level of cryptocurrency management. The BitBox02, our second generation hardware wallet, lets users store, protect, and transact Bitcoin and other cryptocurrencies with ease - along with its software companion, the BitBoxApp.