From e5b9b74546ab3d17d412b87029bb20913130734c Mon Sep 17 00:00:00 2001 From: keepkeyjon Date: Thu, 16 Jan 2020 15:58:36 -0700 Subject: [PATCH] firmware: fix build reproducibility Fixes #212. --- README.md | 11 ++++++++--- deps/python-keepkey | 2 +- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 45159cedf..27753292f 100644 --- a/README.md +++ b/README.md @@ -31,13 +31,14 @@ $ ./scripts/build/docker/device/release.sh Compare the hash of a given tagged build: ``` -$ git checkout v5.8.1 +$ git checkout v6.2.0 $ git submodule update --init --recursive $ ./scripts/build/docker/device/release.sh -$ shasum -a 256 ./bin/firmware.keepkey.bin +$ tail -c +257 ./bin/firmware.keepkey.bin | shasum -a 256 ``` -With that of the [signed v5.8.1 binary on github](https://github.com/keepkey/keepkey-firmware/releases/download/v5.8.1/firmware.keepkey.bin), ignoring signatures and firmware metadata: +With that of the [signed v6.2.0 binary on github](https://github.com/keepkey/keepkey-firmware/releases/download/v6.2.0/firmware.keepkey.bin), ignoring signatures and firmware metadata: + ``` $ tail -c +257 firmware.keepkey.bin | shasum -a 256 ``` @@ -49,6 +50,10 @@ $ head -c +256 signed_firmware.bin | xxd - ``` +Caveats: +1. v6.2.2 and v6.3.0 had an issue with build reproducibility. See https://github.com/keepkey/keepkey-firmware/issues/212. +1. As of v6.1.0 and later, we started prepending empty slots for signatures as part of the build, and prior firmwares were emitted without that metadata section. See https://github.com/keepkey/keepkey-firmware/commit/87b9ebb846b241e6357f296e37fd29808ddfa51a + ### Docs Documentation can be found [here](docs/README.md). diff --git a/deps/python-keepkey b/deps/python-keepkey index e7846abe0..586a34659 160000 --- a/deps/python-keepkey +++ b/deps/python-keepkey @@ -1 +1 @@ -Subproject commit e7846abe025d172a60cd8cbeb5b4ece20b3d776d +Subproject commit 586a346594049df50b87e8fb2e9d26f45ffdeb17
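Review bot: In the README.md hunk at `@@ -31,13 +31,14 @@`, the local-build command now always strips the first 256 bytes (`tail -c +257 ./bin/firmware.keepkey.bin | shasum -a 256`), while the section is still introduced as comparing "a given tagged build". The caveat added further down says firmware before v6.1.0 was emitted without the metadata section, so for such a tag this command would drop 256 bytes of the build output itself rather than empty signature slots, and the hash would not match. Suggest stating next to the command that it applies to v6.1.0 and later, and giving the previous form (`shasum -a 256 ./bin/firmware.keepkey.bin`) for earlier tags.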
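Review bot: In the Caveats list added by the README.md hunk at `@@ -49,6 +50,10 @@`, the first item says v6.2.2 and v6.3.0 "had an issue with build reproducibility" but does not tell a reader who checks out one of those tags what to expect. Suggest saying explicitly that a hash mismatch is expected for those two tags and naming the first release that reproduces again, so a mismatch there is not mistaken for a tampered binary. Minor wording: "prior firmwares" reads better as "earlier firmware builds", and the second item should end with a period like the first.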
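Review bot: The deps/python-keepkey hunk moves the submodule pointer from e7846abe0 to 586a34659 and is the only non-documentation change in the patch, yet the commit message ("firmware: fix build reproducibility", "Fixes #212.") does not mention it. Suggest adding a line to the commit message describing what changed in python-keepkey between the two commits and why that restores reproducibility, so the fix can be reviewed without diffing the submodule separately.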