sha256 hash does not match for 1.2.0 keystone3.bin

Question

sha256 hash does not match for 1.2.0 keystone3.bin

m-kubik opened this issue a year ago · 6 comments

FW release 1.2.0 stated hash 8fe42cfdfa80dd810acd51b1dd656cf81410373e9c892bc335d66d0e9e86ec3c
at https://github.com/KeystoneHQ/keystone3-firmware/releases/tag/1.2.0 is not correct.

When calculating hash for keystone3.bin file locally I'm getting:
SHA256 (keystone3.bin) = 8153dcf2391512ecd57a9fc1727a114d829a82f86fe8f94205616fff7920855

This does not match: 8fe42cfdfa80dd810acd51b1dd656cf81410373e9c892bc335d66d0e9e86ec3c as published

If I go into HW wallet settings and run verification from there then it shows the hash as stated for the release correctly

m-kubik commented a year ago

thank you

m-kubik commented a year ago

solved

Answer 1 · 2023-12-08T15:33:02.000Z

Hi @m-kubik thanks for question. But I think you have some misunderstanding about the sha256 hash value here. The keystone3.bin file is a compressed version of the firmware file in order to keep a small size. When installing, the file will be uncompressed and installed the device. So the sha256 of the keystone3.bin is not consistent with the value show on the device.

Answer 2 · 2023-12-08T15:34:45.000Z

In order to fully verify the integrity of the firmware, you can compile it from our source code and check the raw firmware file which is not compressed. We have provided the guide for this, checkout it here: https://github.com/KeystoneHQ/keystone3-firmware/blob/release/v1.2.0/docs/verify.md

Answer 3 · 2023-12-08T15:34:59.000Z

thank you @aaronisme that explains it. Is it possible to add in also hash of the file itself so I can verify the hash even before uploading to HW wallet?

Answer 4 · 2023-12-08T15:35:45.000Z

For sure, we will provide the value in the github release page.