Bitcoin Core Reproducible Build: Web of Trust Diagram

```
[1] Official Source Release (v29.0)
 |
 |---> Signed Git tag by maintainer (e.g., Glozow)
 |       |
 |       `---> Tag is GPG-signed by: F19F5FF2B0589EC341220045BA03F4DBE0C63FB4
 |
[2] Independent Builders Clone Repo
 |
 |---> hebasto  ---> git checkout v29.0
 |              ---> guix build
 |              ---> generate hash + .buildinfo + manifest
 |              ---> sign the hash with GPG
 |
 |---> fanquake ---> same steps
 |
 |---> others   ---> same steps
 |
[3] Submit signatures to guix.sigs
 |
 `---> Each signature (.sig) matches the same commit/hash
         |
         `---> Verified: Everyone built the exact same binary from the same source

[4] Anyone can verify:
 |
 |---> Compare hashes of downloaded binaries
 |---> Check `.sig` files against public GPG keys of signers
 |
 `---> Trust is built because:
         Multiple builders + identical outputs + verified GPG signatures
```
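Steps [3] and [4] of the diagram, the part anyone can run, as an added shell example that is not code from the post, from Bitcoin Core or from guix.sigs. It takes a downloaded artifact plus several builders' attestation files and passes only if every attestation that lists the artifact agrees with its actual SHA-256 and at least a chosen number of builders attest it. It assumes attestation files use sha256sum's two-column format (one artifact per line), that their detached GPG signatures were already checked as a separate step, and that the sample tarball and attestation files are constructed stand-ins; the builder names come from the post, the file names and the `verify_attestations` function are this example's own.

```shell
#!/bin/sh
# Added example, not code from the post, Bitcoin Core or guix.sigs.
# Assumption: each builder publishes a sha256sum-style attestation file
# ("<sha256 hex>  <artifact filename>", one artifact per line) whose
# detached GPG signature has already been verified.
set -u

# SHA-256 of a file, hex digest only (coreutils sha256sum).
artifact_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Hash that one attestation file claims for the given artifact name;
# prints nothing when the file does not list that artifact.
attested_hash() {
    awk -v f="$2" '$2 == f { print $1; exit }' "$1"
}

# verify_attestations <artifact path> <min builders> <attestation file>...
# Succeeds only if no listed hash disagrees with the downloaded artifact
# and at least <min builders> attestations list it.
verify_attestations() {
    artifact=$1; need=$2; shift 2
    name=$(basename "$artifact")
    actual=$(artifact_sha256 "$artifact")
    agree=0
    for att in "$@"; do
        claimed=$(attested_hash "$att" "$name")
        if [ -z "$claimed" ]; then
            echo "SKIP  $att does not list $name" >&2
            continue
        fi
        if [ "$claimed" != "$actual" ]; then
            # One dissenting builder is enough to withhold trust.
            echo "FAIL  $att attests $claimed but artifact is $actual" >&2
            return 1
        fi
        agree=$((agree + 1))
    done
    if [ "$agree" -lt "$need" ]; then
        echo "FAIL  only $agree of $need required builders attest $name" >&2
        return 1
    fi
    echo "OK    $agree builders independently attest $name = $actual"
}

# Constructed sample: a stand-in tarball, three agreeing attestations
# and one tampered attestation. Prints the directory it created.
make_sample() {
    dir=$(mktemp -d)
    printf 'stand-in for a bitcoin binary\n' > "$dir/bitcoin-29.0-x86_64-linux-gnu.tar.gz"
    good=$(artifact_sha256 "$dir/bitcoin-29.0-x86_64-linux-gnu.tar.gz")
    for b in hebasto fanquake dannybuntu; do
        printf '%s  bitcoin-29.0-x86_64-linux-gnu.tar.gz\n' "$good" > "$dir/$b.SHA256SUMS"
    done
    printf '%s  bitcoin-29.0-x86_64-linux-gnu.tar.gz\n' \
        deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
        > "$dir/tampered.SHA256SUMS"
    echo "$dir"
}

# Stand-alone demo: `sh verify-attestations.sh --demo`
# (first call prints OK, second prints a FAIL for the tampered file).
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample)
    a="$d/bitcoin-29.0-x86_64-linux-gnu.tar.gz"
    verify_attestations "$a" 3 "$d"/hebasto.SHA256SUMS "$d"/fanquake.SHA256SUMS "$d"/dannybuntu.SHA256SUMS
    verify_attestations "$a" 3 "$d"/hebasto.SHA256SUMS "$d"/fanquake.SHA256SUMS "$d"/tampered.SHA256SUMS
fi
```

The GPG half of step [4] stays a separate step on purpose: before an attestation file is fed to this check, verify its detached signature with `gpg --verify` against a signer key whose fingerprint was obtained out of band (the same way the diagram pins the tag-signing key), and drop any file whose signature does not verify rather than counting it as agreement. The threshold argument is what turns "one builder says so" into the multi-builder trust the diagram describes.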
dannybuntu
dannybuntu@walletscrutiny.com
npub1r709...sf7d
Open Source contributor to FOSS project walletscrutiny.com and nostr.info
AHA! So this is why!!!
Ubuntu 24.04 breaks GUIX setup when trying to build Bitcoin Core Desktop


Launchpad: Bug #2064115 “Conflict between apparmor and guix on Ubuntu 24.04...” : Bugs : guix package : Ubuntu
On Ubuntu 24.04 i

Bitcoin Core v29 Deterministic Build Attempt 2025-04-17.1616
```
dannybuntu@MS-7978:~/work/builds/desktop/bitcoin$ env HOSTS="x86_64-linux-gnu" ./contrib/guix/guix-build
Checking that we can connect to the guix-daemon...
Hint: If this hangs, you may want to try turning your guix-daemon off and on
again.
make: Entering directory '/home/dannybuntu/work/builds/desktop/bitcoin/depends'
make[1]: Entering directory '/home/dannybuntu/work/builds/desktop/bitcoin/depends'
make[1]: Leaving directory '/home/dannybuntu/work/builds/desktop/bitcoin/depends'
make: Leaving directory '/home/dannybuntu/work/builds/desktop/bitcoin/depends'
INFO: Building 29.0 for platform triple x86_64-linux-gnu:
...using reference timestamp: 1744384813
...running at most 4 jobs
...from worktree directory: '/home/dannybuntu/work/builds/desktop/bitcoin'
...bind-mounted in container to: '/bitcoin'
...in build directory: '/home/dannybuntu/work/builds/desktop/bitcoin/guix-build-29.0/distsrc-29.0-x86_64-linux-gnu'
...bind-mounted in container to: '/distsrc-base/distsrc-29.0-x86_64-linux-gnu'
...outputting in: '/home/dannybuntu/work/builds/desktop/bitcoin/guix-build-29.0/output/x86_64-linux-gnu'
...bind-mounted in container to: '/outdir-base/x86_64-linux-gnu'
ADDITIONAL FLAGS (if set)
ADDITIONAL_GUIX_COMMON_FLAGS:
ADDITIONAL_GUIX_ENVIRONMENT_FLAGS:
ADDITIONAL_GUIX_TIMEMACHINE_FLAGS:
guix shell: error: mount: mount "none" on "/tmp/guix-directory.oNb3QP": Permission denied
```
Verifying the reproducibility of Bitcoin Core is way harder than I expected. And the problem is, with multiple engineers doing it, I know that it's my fault if it doesn't build...
```
make[1]: Leaving directory '/home/dannybuntu/home/dannybuntu/bitcoin/depends'
make: Leaving directory '/home/dannybuntu/home/dannybuntu/bitcoin/depends'
INFO: Building 29.0 for platform triple x86_64-linux-gnu:
...using reference timestamp: 1744384813
...running at most 4 jobs
...from worktree directory: '/home/dannybuntu/home/dannybuntu/bitcoin'
...bind-mounted in container to: '/bitcoin'
...in build directory: '/home/dannybuntu/home/dannybuntu/bitcoin/guix-build-29.0/distsrc-29.0-x86_64-linux-gnu'
...bind-mounted in container to: '/distsrc-base/distsrc-29.0-x86_64-linux-gnu'
...outputting in: '/home/dannybuntu/home/dannybuntu/bitcoin/guix-build-29.0/output/x86_64-linux-gnu'
...bind-mounted in container to: '/outdir-base/x86_64-linux-gnu'
ADDITIONAL FLAGS (if set)
ADDITIONAL_GUIX_COMMON_FLAGS:
ADDITIONAL_GUIX_ENVIRONMENT_FLAGS:
ADDITIONAL_GUIX_TIMEMACHINE_FLAGS:
guix shell: error: mount: mount "none" on "/home/dannybuntu/tmp/guix-directory.PeHlio": Permission denied
```
Possible solution... run as `sudo`
Doing research on how to reproducibly verify desktop bitcoin core.
So far: 

> From FB:
> I was just watching the new season of "HOW TO SELL DRUGS ONLINE (FAST)". I got to the bit where the startup is kidnapped by drug dealers and forced to make an encrypted messaging app for them. Managed to pause the video when Dan the CEO is pretending he knows how to write code so he doesn't get shot.


The Primeagen talks about Open Source
Verified: Keystone3 Pro Firmware v2.0.4 (Cypherpunk, Modern) is reproducible.
Unsigned binary matches local build byte-for-byte.
Signed hash differs (as expected due to signature).
Asset registered on WalletScrutiny:
#ReproducibleBuilds #FirmwareIntegrity #Bitcoin

WalletScrutiny
Asset Information
A project to improve wallet security
Verified! Keystone3 Pro Firmware v2.0.4 (Multi-Coin, Modern) is reproducible.
Our build perfectly matches the unsigned official binary.
Signed binary differs (expected due to signature).
Tested with: keystone3pro.sh 2.0.4 multicoin modern
#ReproducibleBuilds #Bitcoin #FirmwareIntegrity #WalletScrutiny


Verified! Keystone3 Pro Firmware v2.0.4 (Multi-Coin, Legacy) is reproducible.
Our build matches the official unsigned binary byte-for-byte.
Signed binary differs (as expected) due to cryptographic signature.
Full test details: keystone3pro.sh 2.0.4 multicoin legacy
https://keyst.one/contents/KeystoneFirmwareG3/v2.0.4/web3/legacy_ota/keystone3.bin
#ReproducibleBuilds #Bitcoin #FOSS

Tried to build Nunchuk Desktop from source, but hit a wall.
Missing submodule libnunchuk (404 GitLab link) breaks the build.
Tested on both local Ubuntu & remote Debian.
Not reproducible in current state.
SHA-256: (build failed, no binary to hash)
#Bitcoin #ReproducibleBuilds #WalletScrutiny

Just verified a reproducible build of Nunchuk v1.67.0 (io.nunchuk.android)!
The APK from my phone matches the one built from source (tag: android.1.67)
Signing excluded, but the code checks out byte-for-byte.
SHA-256: 41a66972d53121db4c77fd54bd79202822074fea6db35059b3049bfb5571bb73

Verified the BitBanana v0.9.4 Android app is functionally reproducible!
Official split APKs were compared to those built from source.
Only minor binary diffs in AndroidManifest.xml & resources.arsc.

Just verified a reproducible build of Blockstream Green v4.1.8!
The APK from my phone matches the one built from source.
Signing was missing, but the code checks out.
SHA-256: e2b842...50f89

up or down, we build.
Check out this asset information I registered on WalletScrutiny:


Check out this asset information I registered on WalletScrutiny for Unstoppable Wallet 0.42.1

