Developers guide:Deterministic firmware build

From Trezor Wiki
Jump to: navigation, search
Trezor Wiki/Developer/Developers guide/ Deterministic firmware build


We want to invite the wider community to participate in the verification of the firmware built by SatoshiLabs. To do this, one has to check the source code of the particular tag and compare the fingerprints of the built firmware with the fingerprints of the official firmware.

Trezor One firmware[edit]

  1. clone the sources using git clone --recursive https://github.com/trezor/trezor-mcu.git
  2. select the tag you want to build, e.g., git checkout v1.7.0
  3. run ./build.sh - you need to have Docker installed for this to work
  4. compare the fingerprint computed via the command above with fingerprint in releases.json

The firmware headers have changed in firmware 1.8.0, so if you are building firmware >= 1.8.0 you need to strip those. You can download the official firmware and then run:


tail -c +1280 trezor-1.8.0-official.bin | sha256sum

tail -c +1024 trezor-1.8.0-your-build.bin | sha256sum

Those two hashes should equal. See issue for more details.

Trezor Model T firmware[edit]

  1. clone the sources using git clone --recursive https://github.com/trezor/trezor-core.git
  2. run PRODUCTION=1 ./build-docker.sh [TAG] where tag is the version you want to build. For example, for version 2.0.7 run: PRODUCTION=1 ./build-docker.sh v2.0.7. You need to have Docker installed for this to work.
  3. compare the fingerprint computed via the command above with fingerprint in releases.json
Like Trezor? Get one here!