With docker you can build the firmware yourself in the same environment as we do, and verify that binaries in github releases have the same hash. This way you can be sure that firmware upgrades signed by our public keys are actually built from the code in this repository, no backdoors included.
From the root of the repository:
- Set up bootloader to use production keys:
cp bootloader/keys/production/pubkeys.c bootloader/keys/selfsigned/
- Build a docker container:
docker build -t diy .
- Run the container in interactive mode:
docker run -ti -v `pwd`:/app diy
At the end of the build you will be presented with a base32 encoded hash of the firmware upgrade file that should be signed and asked to provide signatures.
Get signatures from the description of the github release and enter one by one in the same order as provided in the release.
After adding signatures binaries in the release
folder should be exactly the same as in github release. Hashes of the binaries will be saved to release/sha256.txt
.
For Apple M1 add a plafrom flag to the docker commands:
docker build -t diy . --platform linux/x86_64
docker run --platform linux/amd64 -ti -v `pwd`:/app diy