How can i verify that the firmware on my Trezor is the same as on Github?

Security
,
1

How can i verify that the code on my Trezor is the same as on the Github repository?

2

Is the following procedure possible?

  1. Download the Trezor Suite binary
  2. Download the Trezor Suite source code
  3. Compile the source code and check that the hash matches the hash of the binary.
  4. Download the Trezor firmware binary
  5. Download the Trezor firmware source
  6. Compile the firmware source code and check that its hash matches the hash of the Trezor firmware binary.
  7. Install the verified binary on the Trezor device (I want the firmware installed on the device to be available for verification before or at least after the installation process).
  8. Let the Trezor device verify that the installed firmware is signed by the Trezor developers.
3

I’m not a developer, but builds should be reproducible. Despite of that, hashes must differ - in other words you can’t compare it strictly by hashes. Code compiled by you, will NOT be signed by Trezor.

If you would install custom firmware, you would break the seal = you loose attestation key. This is irreversible process and you can’t fix it (you need to buy a new device to have non-tampered level of trust).

4

I am not an expert on cryptography, but i think that signatures are always for a specific string, and if the string is the same the signature should be valid.

5

Maybe you mix here signature vs hash. Yes, same hash is produced if the content (string as you say) is exactly the same. In case of signature, you sign such hash by your private key. The point is, you don’t have Trezor’s private keys, so you can’t produce the signatures (i think i read somewhere, it is being signed by two different keys… ummm MultiSig :thinking:).

I guess, on Trezor github you can find a page describing the steps how to rip off the signature from official trezor release. Than you can compare it with your own unsigned reproducible firmware build.

6

If the signature for something (like an app) is public, the signature for this specific thing can be repreduced by copying it. Like you can copy the signature of every signed transaction on the blockchain. You just can’t create a new signature.
Or do i get this wrong?