Developers guide:Deterministic firmware build
From Trezor Wiki
We want to invite the wider community to participate in the verification of the firmware built by SatoshiLabs. To do this, one has to check the source code of the particular tag and compare the fingerprints of the built firmware with the fingerprints of the official firmware.
Trezor One firmware[edit]
- install Docker
- clone the firmware repository:
git clone https://github.com/trezor/trezor-firmware.git
- go into the firmware folder:
cd trezor-firmware
- checkout the release tag:
git checkout legacy/v1.9.4
(where 1.9.4 is the firmware version you want to build) - run
bash build-docker.sh legacy/v1.9.4
(where 1.9.4 is the firmware version you want to build) - download the official firmware from https://data.trezor.io/firmware/1/trezor-1.9.4.bin (where 1.9.4 is the firmware version you want to check against)
The firmware headers have changed in firmware 1.8.0, so if you are building firmware >= 1.8.0 you need to strip those. You can download the official firmware and then run:
# the following two lines print out the hashes of the firmwares tail -c +1281 trezor-1.9.4.bin | shasum -a 256 tail -c +1025 build/legacy/firmware/firmware/bin | shasum -a 256
Those two hashes should be equal. See this issue for more details.
Trezor Model T firmware[edit]
- install Docker
- clone the firmware repository:
git clone https://github.com/trezor/trezor-firmware.git
- go into the firmware folder:
cd trezor-firmware
- checkout the release tag:
git checkout core/v2.3.6
(where 2.3.6 is the firmware version you want to build) - run
bash build-docker.sh core/v2.3.6
(where 2.3.6 is the firmware version you want to build) - download the official firmware from https://data.trezor.io/firmware/2/trezor-2.3.6.bin (where 2.3.6 is the firmware version you want to check against)
# the following line removes 65 bytes of signature data from the official firmware dd if=/dev/zero of=trezor-2.3.6.bin bs=1 seek=5567 count=65 conv=notrunc # the following two lines print out the hashes of the firmwares shasum -a 256 trezor-2.3.6.bin shasum -a 256 build/core/firmware/firmware.bin
Those two hashes should be equal.