Avatar
Nick Klockenga 11mo ago 💬 3

SeedSigner v0.8.5 has reproducible builds from source. This means sole trust in SeedSigner the person (or any other SeedSigner contributors) isn’t needed for the image that most people run on thier SeedSigner. This trust can be distributed through others attesting they to can produce the same image byte for byte.

If you have docker installed, a few hours of CPU cycles available, then you too can contribute and attest that all 4 device images built from source match the released binaries.

```

git clone --recursive https://github.com/SeedSigner/seedsigner-os.git

cd seedsigner-os

export DOCKER_DEFAULT_PLATFORM=linux/amd64

export RELEASE_TAG=0.8.5

git checkout $RELEASE_TAG

git submodule init

git submodule update

for device in pi0 pi02w pi2 pi4

do

SS_ARGS="--$device --app-branch=$RELEASE_TAG" docker compose up --force-recreate --build

done

cd images

shasum -a 256 seedsigner_os.0.8.5*

```

My personal attestation:

bcb901e27d309d85f086dc80b49b153d6b1caab2247eba2811731384d58f2f3e seedsigner_os.0.8.5.pi0.img

398d9bf9cda0858fe97c0788b353194c1c902335a858b7dbf5d7b213bda75d96 seedsigner_os.0.8.5.pi02w.img

1e93a82e62d4a1defbdc777a6762a813f4cb5c3ef9090da0bd07542dfd6f62bf seedsigner_os.0.8.5.pi2.img

d298ffad3c765e11e48873efc6d1c65e4230528fde4d5bd4701bb507acbf493c seedsigner_os.0.8.5.pi4.img

matching https://github.com/SeedSigner/seedsigner/releases/download/0.8.5/seedsigner.0.8.5.sha256.txt nostr:note1pv8saw5dt6chv93amaj4a5kp3x5ha5v2ycgnnhx32dgw3lp9hvks7q5s4q

Reply to this note

Please Login to reply.

Discussion

ed
ede3d957... 11mo ago

Great!

Avatar
Dennis 11mo ago

Awesome. Can confirm that mine for the Pi Zero matches too:

```

bcb901e27d309d85f086dc80b49b153d6b1caab2247eba2811731384d58f2f3e /opt/../images/seedsigner_os.0.8.5.pi0.img

```

Avatar
Jean Do 11mo ago

SeedSigner v0.8.5, released on the evening of February 4th 2025, brings multi-language internationalization to the entire code-base with an initial localization in Spanish.

Since v0.7.0 SeedSigner has supported binary reproducibility which effectively obsoletes the need for verifying a signed release-manifest from somebody that most of us cannot know, because it enables anyone to rebuild the same release-image, byte-for-byte, directly from the open-source code repository.

I hereby attest that:

* I've been following the SeedSigner project since October 2022,

* I take great pride in helping out however I can as part of that team -- following and testing code changes as it evolves, exchanging ideas with the wonderful SeedSigner Community,

* and that I was able to reproduce ALL of the release images for v0.8.5, matching the sha256 hashes that Nick mentions in nostr event "nevent1qvzqqqqqqypzqxj6lwv69s9n5z9y52h0c9r2ec8fuak2pe9nuarj6dy3eqp4hta3qqsxu2zt9v9004u8ndn7ggxeem98u0fqrn372ku3c6v4u3dpst265ag8vykap" and also contained in the release-manifest "seedsigner.0.8.5.sha256.txt" signed by SeedSigner-the-man having rsa fingerprint ~ "4673 9B74 ... 0726 0119".

-jdlcdl

nostr:nevent1qvzqqqqqqypzqxj6lwv69s9n5z9y52h0c9r2ec8fuak2pe9nuarj6dy3eqp4hta3qqsxu2zt9v9004u8ndn7ggxeem98u0fqrn372ku3c6v4u3dpst265ag8vykap