Let's talk about Reproducible Builds for Hardware Wallet firmware.
Verifiable Source wallets let you inspect the code for flaws, but with pre-compiled software you have no way to verify that the binary matches that source. Reproducible builds ensure that anyone can recreate identical copies from the same source code, build environment, and instructions. That's why it is important for all wallet users to learn how to build the firmware and verify it before upgrading their wallets.
If that is not possible for you, at least check whether there are proofs of others doing that verification. One good place to find those proofs is https://bitcoinbinary.org
This week on Twitter & Nostr, NVK (npub1az9…m8y8) encouraged people to learn how to verify builds. This was a success: a lot of people were able to learn how to build and verify the Coldcard firmware.
At http://thebitcoinhole.com we also want to collaborate. So, we added a new section, "Reproducible Builds", to our website. There you can find, for each wallet, whether it offers reproducible build instructions and whether there are proofs of verification on http://bitcoinbinary.org
We encourage all hardware wallet manufacturers (or anyone interested) to collaborate and automate proofs of verification on http://bitcoinbinary.org.
According to our research: Blockstream (npub1jg5…6n8n) Jade, Coldcard, BitBox (npub1tg7…cxmt), Foundation (npub1s0v…pq6j) Passport Batch 2, Trezor, KeepKey, SeedSigner (npub17ty…3mgl), and Specter DIY offer reproducible build instructions and/or proofs of verification.
Please help us with a boost. And remember: #LearnToBuild #donttrustverify