Skip to content

Securing the Bitcoin software supply chain with an immutable database of SHA256

Notifications You must be signed in to change notification settings

chains-project/btc-supply-chain

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

btc-supply-chain: the Bitcoin software supply chain database

btc-supply-chain is a database about the Bitcoin software supply chain. The goal of this database is to help the world use Bitcoin safely. It contains the key information required to trust bitcoin software components, starting with SHA256 of code for wallets, nodes and bitcoin libraries. This database is valuable:

  • for Bitcoin users, because they have an external source of information to verify the authenticity of the software they use (through verifying the SHA256 hash)
  • for Bitcoin developers of wallet/nodes, in order to submit their hash to a third party database

Contributions are welcome as pull-requests.

If you need professional support about the Bitcoin software supply chain, please contact Martin Monperrus by email.

  • auditing a bitcoin software supply chain
  • set up a verifiable reproducible build pipeline
  • reproduce a particular build
  • checking the validity of a file / developer key / organization.

Related work

Web page

https://github.com/monperrus/btc-supply-chain/wiki contains the SHA256 of the latest version. It is meant to be indexed by the major search engines, starting with Google.

Bitcoin Full Nodes

If you run a full node, you absolutely want to verify the integrity of the code you're running. For instance, the SHA256 of Bitcoin Core v0.17.2 is 5a6b35d1a348a402f2d2d6ab5aed653a1a1f13bc63aaaf51605e3501b0733b7a.

See folder db/full-nodes

Wallets

The wallet supply chain information is in folder wallets.

To verify that you use a safe wallet program:

  1. Compute the SHA256 sum of the wallet binary or installation file you've just downloaded
  2. Check that is known by Google, eg https://encrypted.google.com?q=6b98b367acdee51961118f57d0ba40e57f369d031a43c673ad76cda97cf61db1. If there is 0 results on Google STOP AND DELETE THE FILE, it can be a malware trying to steal your bitcoin.
  3. If Google knows it, check the reliability of the websites where this SHA256 appears
  4. If Google knows it, check whether the SHA256 sum appears in folder db/wallets (see section "Meta-trust" below)

DONT:

  • Do NOT download wallet programs from arbitrary websites
  • Do NOT install a wallet app through the Google Play Store / Apple App Store because you cannot verify the APK signatures beforehand, you have to entirely trust Google / Apple.

Advanced users want to verify the cryptographic GPG signature of the wallet binary, and verify that it comes from a trusted source.

Software Dependencies

Now we're talking. Verifying the software supply chain at the developer level is much harder than verifying a single wallet or node software. One needs to verify the provenance of all libraries and tools (eg compiler) used to create the final executable (see the excellent talk by Carl Dong at https://youtu.be/I2iShmUTEl8).

There is excellent tool support for verifying a supply chain:

Checking btc-supply-chain

To verify that the data contained in this repo is consistent, see script check-btc-supply-chain.py.

Meta-trust

Wait! Maybe this website has been compromised? That's entirely correct! You should make your own research about this website as well. Mitigation:

  • We use double-factor authentication
  • All commits are signed with Martin Monperrus' GPG key.
  • Public keys of repositories and package managers

License

The content of this repository is licensed under the MIT license.

About

Securing the Bitcoin software supply chain with an immutable database of SHA256

Topics

Resources

Stars

Watchers

Forks

Languages