4-Security
Verify Firmware

"Don’t trust, Verify."


KeepKey Firmware Verification Process

Reproducible Builds and Authenticating KeepKey Firmware

In the realm of device security, particularly with hardware wallets like KeepKey, the maxim "Don’t trust, Verify" couldn't be more relevant. How can you be sure that what is displayed on your KeepKey's screen is what's truly being signed? How do you know if the device is signing a transaction to your intended target and not maliciously redirecting your funds? The integrity of your private keys—ensuring they remain confidential and within the device—is paramount.

"It takes a Village."

Trust in the digital security domain is a communal effort, underscored by rigorous scrutiny and peer review, especially for open-source firmware like KeepKey's. This article delves into the history of KeepKey, underscoring the essential role of community engagement and transparency in ensuring device security.

Overview

Today, we will explore how to compile KeepKey firmware and verify that the code on your device matches the publicly available source code from KeepKey. This process underscores the importance of open-source firmware and demonstrates how reproducible builds form the foundation of KeepKey's trustworthiness.

Step 1: Compile KeepKey Firmware

Pre-Requisites:

  • Docker
  • Git

First, clone the KeepKey firmware repository:

git clone https://github.com/keepkey/keepkey-firmware

Next, checkout the commit of the release:

git checkout <commit-hash>

Install submodules:

git submodule update --init --recursive

Build the firmware:

./scripts/build/docker/device/release.sh

Step 2: Create Hash of Compiled Firmware

Generate the hash of the unsigned firmware you built locally:

tail -c +257 ./bin/firmware.keepkey.bin | shasum -a 256

Step 3: Compare with Hash of Released and Signed Firmware

Finally, compare your hash with the hash of the firmware binary downloaded from the KeepKey releases page:

tail -c +257 'firmware.keepkey (version).bin' | shasum -a 256

If the hashes match, the integrity of the firmware is confirmed. If not, the process should be reviewed and attempted again.

Conclusion

By following this guide, you've taken a crucial step in validating the signed firmware released by KeepKey against its source code. This ensures that the firmware's behavior on your device aligns with the peer-reviewed code in the repository, fortifying your trust in KeepKey's security measures.