Verifying KeepKey Firmware

Reproducible builds, and Authenticating

Verifying KeepKey Firmware

“Don’t trust, Verify”

How do you know you can “trust” that what is displayed on your KeepKey’s screen is truly what is being signed?

How do you know if the device is actually signing a transaction to your intended target and not just sweeping everything to an address injected by the KeepKey developers?

How do you know that your private keys will remain on the device and not be shared with third parties without your consent?

“It takes a Village”

The only way to be sure of these things is to review the code closely with large groups of dedicated security researchers. It takes years of peer review to harden open-source firmware. I delve more into this history with KeepKey in this article.

Today, I’m going to review the process to compile the KeepKey firmware and show you how to verify that the code on your device is indeed the code available publicly from KeepKey. This will highlight the importance of maintaining open source firmware and will demonstrate how a transparent and reproducible build process is the foundation of what makes a KeepKey a KeepKey.

Overview:

• Compile KeepKey Firmware
• Create hash of compiled firmware
• Compare with hash of released and signed firmware

Compile KeepKey Firmware

Pre-Reqs:

• Docker
• Git

git clone https://github.com/keepkey/keepkey-firmware

Checkout commit of the release

You can find the git commit hash of the release tagged on the releases page.

Releases · keepkey/keepkey-firmware

Checkout the version

git checkout 39db6942e62c5f63c3e6cf3a0cd35155bae62914

Install submodules

git submodule update --init --recursive

Build firmware

./scripts/build/docker/device/release.sh

Get hash of unsigned firmware you built locally

tail -c +257 ./bin/firmware.keepkey.bin | shasum -a 256

f83934f0bb88515712d98448c3ff91989d9ff28c1658245ca01ae45c2bd0a599  -

Get the hash of the firmware binary downloaded from the KeepKey releases page.

tail -c +257 'firmware.keepkey (23).bin' | shasum -a 256

f83934f0bb88515712d98448c3ff91989d9ff28c1658245ca01ae45c2bd0a599  -

These Hash’s should match! If they don’t, you will need to review the process and attempt again.

What did I just do?

In this guide, you validated that the signed firmware released by KeepKey matches the source code. By doing this, you can be sure that the behavior of the firmware on your device will match the peer-reviewed code on the local repository.

---