Retest ColdCard Review
ColdCard accounts (COLDCARDwallet & nvk) on Twitter say that it's reproducible and that the review is incorrect:
https://twitter.com/nvk/status/1432653976529367043
That website is incorrect, just try yourself.
https://twitter.com/COLDCARDwallet/status/1432681712941735939
Yes he did, every single question he had was answered via email.
https://twitter.com/COLDCARDwallet/status/1432653510621872136
It is reproducible, just check GitHub. This researcher just didn’t know how. Many do it, including http://bitcoin.org
https://twitter.com/COLDCARDwallet/status/1432653169058738180
It is reproducible, this researcher just didn’t know how. It was addressed, you can try it yourself. Even folks from http://bitcoin.org have done it.
Can you publish the related email contents? This should be public in GitHub issues, but their repo doesn't have issues open.
Also worth asking other rebuilders like bitcoin.org or others to publish some write-ups or signed messages/buildinfo files, etc. to attest to the reproducibility of some version.
I started writing a container to compile it (below), but it requires running a container in a container (such as podman in podman): https://www.redhat.com/sysadmin/podman-inside-container
build: podman build --pull --rm -t coldcard -f ContainerFile
# Alpine base with podman installed so the build container can itself run containers
FROM docker.io/alpine:edge
# the symlink makes the "docker" command the build expects resolve to podman
RUN set -ex; \
    apk update; \
    apk add --no-cache \
        podman \
        git \
        make; \
    adduser -D appuser; \
    ln -s /usr/bin/podman /usr/bin/docker
USER appuser
# clone the firmware source as the unprivileged user
RUN set -ex; \
    cd /home/appuser/; \
    git clone https://github.com/Coldcard/firmware.git
WORKDIR /home/appuser/firmware/stm32
which causes some issues (running make repro in the container started by podman run --rm -uroot --cap-add=sys_admin,mknod --security-opt seccomp=unconfined --security-opt label=disable --device /dev/fuse -ti coldcard).
It would probably be easier to write a Vagrantfile instead that installs docker (thus reproducible/repeatable runs in a VM).
Also, checking out the latest tag should probably be done after the clone (tags are not signed... https://github.com/Coldcard/firmware/tags).
But checking ColdCard is very low priority for me (not an OSS product, only source-available, no open issues on GitHub).
I'm currently working on F-Droid related stuff and apps.
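The "check out the latest tag after the clone" step and the artifact comparison from the post above, as an added example that is not part of the thread or of Coldcard's own tooling. It assumes the repo URL and the `make repro` target in stm32/ as given in the post, that tag names sort meaningfully with `sort -V`, and placeholder paths for the rebuilt and released firmware files.

```shell
#!/bin/sh
# Added example (not from the thread or from Coldcard): a script for the VM or
# container the post above describes. It does the "check out the latest tag
# after the clone" step, reports that the tag is unsigned, runs `make repro`
# in stm32/ (both from the thread), and compares the rebuilt firmware's
# SHA-256 with a released file. BUILT_FILE and RELEASE_FILE are placeholders.
set -eu

REPO_URL="https://github.com/Coldcard/firmware.git"
WORKDIR="${WORKDIR:-$HOME/firmware}"
BUILT_FILE="${BUILT_FILE:-PLACEHOLDER-rebuilt-firmware}"
RELEASE_FILE="${RELEASE_FILE:-PLACEHOLDER-released-firmware}"

# Highest tag from a newline-separated list (e.g. the output of `git tag`),
# assuming tag names sort meaningfully with `sort -V`. No network needed.
latest_tag() {
    printf '%s\n' "$1" | sort -V | tail -n 1
}

# Print both SHA-256 digests; return 0 if they match, 1 otherwise.
hashes_match() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    echo "rebuilt:  $a"
    echo "released: $b"
    [ "$a" = "$b" ]
}

# Full flow; needs network, git and a working podman/docker for `make repro`.
reproduce() {
    git clone "$REPO_URL" "$WORKDIR"
    cd "$WORKDIR"
    tag=$(latest_tag "$(git tag)")
    echo "checking out $tag"
    # tags are not signed (see the post), so this only reports instead of gating
    git tag -v "$tag" 2>/dev/null || echo "warning: tag $tag carries no signature"
    git checkout --quiet "$tag"
    (cd stm32 && make repro)
    hashes_match "$BUILT_FILE" "$RELEASE_FILE"
}

if [ "${1:-}" = "run" ]; then
    reproduce
fi
```

Run it with `sh script.sh run` inside the VM; without the argument it only defines the functions.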