Authenticate the consistency of firmware files with the open source code released by OneKey

The OneKey hardware wallet features fully open source firmware. You can view the open source firmware code for relevant products on OneKey's GitHub repository. Before the firmware files intended for mass production are officially released, the OneKey team uses GitHub's Build Automation tools (GitHub CI) to compile and build the firmware source code from the respective firmware repositories. The files are then signed by the OneKey team before being officially released.

This article provides a self-verification method, by comparing the checksums of files before and after the official team's multi-sig, to verify the consistency between the firmware files and the open source code.

For methods on how to verify the consistency of different files' source data using the SHA-256 cryptographic hash function (comparing Checksums), refer to this article.

Open Source Firmware Repositories

OneKey Touch
OneKey Mini

Firmware Release Process

When the official standard firmware or the Bluetooth firmware is ready for release, the OneKey team will execute the corresponding repository's Action to compile the open source code. After successful compilation, the files are uploaded to GitHub Artifacts storage, awaiting the team's completion of the internal multi-sig before being placed on OneKey's CDN. After updating the config.json file, update notifications are pushed through the OneKey App and the OneKey firmware update website, prompting users to upgrade their firmware. Refer to the diagram below for the specific process.

onekey github verifiy.png

Targets

  1. Verify that the "OneKey Team Signed Firmware File" is derived from the "GitHub CI Pre-Signed Firmware File" in the OneKey open source repository.
  2. Verify the consistency between the "OneKey Team Signed Firmware File" and the "OneKey Official CDN Stored Firmware File."

Prerequisites

✔  Download GitHub CI Pre-Signed Firmware File (Unsigned)

github action.png

  • Click on the firmware name under Artifacts to download (login to GitHub required).

2.png

✔  Download OneKey Team Signed Firmware File (Signed)

github release bin.png

✔  Download OneKey Official CDN Stored Firmware File (Signed)
  • Navigate to the OneKey CDN file: https://data.onekey.so/config.json
  • Find the firmware version you want to verify. 
  • Copy the link under the "url" field.
  • Open in a new browser window for automatic download of the bin file.

3.png

Steps

Below are the verification steps for the two targets set previously:

Verification Process for Target 1
  • Open the Terminal.
  • Run the command below (OneKey Team Signed Firmware File):
    • tail -c +1024 /path/to/(file path) | shasum -a 256
  • Run the command below (GitHub CI Pre-Signed Firmware File):
    • tail -c +1024 /path/to/(file path) | shasum -a 256
  • Compare the Checksums generated by the two commands. If the results match, it can be confirmed that the "OneKey Team Signed Firmware File" is derived from the "GitHub CI Pre-Signed Firmware File" in the OneKey open-source repository.

7.png

For standard firmware, a 1024-byte signature result is added to the CI version of the firmware, which is verified by the bootloader at device startup.

Verification Process for Target 2
  • Open the Terminal.
  • Run the command below (OneKey Team Signed Firmware File):
    • shasum -a 256 (file path)
  • Run the command below (OneKey Official CDN Stored Firmware File):
    • shasum -a 256 (file path)
  • Compare the Checksums generated by the two commands. If the results match, the code consistency of the two firmware files is confirmed.

6.png

Was this article helpful?
1 out of 1 found this helpful