{"id":26633506,"url":"https://github.com/chains-project/btc-supply-chain","last_synced_at":"2026-04-29T08:09:32.890Z","repository":{"id":55609690,"uuid":"300845519","full_name":"chains-project/btc-supply-chain","owner":"chains-project","description":"Securing the Bitcoin software supply chain with an immutable database of SHA256","archived":false,"fork":false,"pushed_at":"2024-08-08T19:59:13.000Z","size":145,"stargazers_count":1,"open_issues_count":3,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-08-08T22:28:12.738Z","etag":null,"topics":["bitcoin","supply-chain"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chains-project.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-03T09:40:53.000Z","updated_at":"2024-08-08T19:59:16.000Z","dependencies_parsed_at":"2024-03-07T09:46:36.091Z","dependency_job_id":"510efc7d-c09b-435c-adce-9377561c4747","html_url":"https://github.com/chains-project/btc-supply-chain","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fbtc-supply-chain","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fbtc-supply-chain/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fbtc-supply-chain/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fbtc-supp
ly-chain/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chains-project","download_url":"https://codeload.github.com/chains-project/btc-supply-chain/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245294720,"owners_count":20591909,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bitcoin","supply-chain"],"created_at":"2025-03-24T15:15:11.223Z","updated_at":"2026-04-29T08:09:32.855Z","avatar_url":"https://github.com/chains-project.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# btc-supply-chain: the Bitcoin software supply chain database\n\n`btc-supply-chain` is a database about the Bitcoin software supply chain. The goal of this database is to help the world use Bitcoin safely. It contains the key information required to trust bitcoin software components, starting with SHA256 of code for wallets, nodes and bitcoin libraries. This database is valuable:\n\n- for Bitcoin users, because they have an external source of information to verify the authenticity of the software they use (through verifying the SHA256 hash)\n- for Bitcoin developers of wallet/nodes, in order to submit their hash to a third party database\n\nContributions are welcome as pull-requests.\n\nIf you need professional support about the Bitcoin software supply chain, please contact [Martin Monperrus](https://www.monperrus.net/martin/contact) by email. 
\n\n* auditing a bitcoin software supply chain\n* setting up a verifiable reproducible build pipeline\n* reproducing a particular build\n* checking the validity of a file / developer key / organization.\n\n## Related work\n\n* \u003chttps://bitcoinissafe.com/\u003e is a related project, with a focus on antivirus software adoption for Bitcoin tools.\n* \u003chttps://BinaryWatch.org\u003e Checksum Checker, scheduled checks on Bitcoin project binaries, by Coinkite.\n\n## Web page\n\n\u003chttps://github.com/monperrus/btc-supply-chain/wiki\u003e contains the SHA256 of the latest version. It is meant to be indexed by the major search engines, starting with Google.\n\n## Bitcoin Full Nodes\n\nIf you run a full node, you absolutely want to verify the integrity of the code you're running.\nFor instance, the SHA256 of [Bitcoin Core v0.17.2](https://bitcoin.org/bin/bitcoin-core-0.17.2/bitcoin-0.17.2-aarch64-linux-gnu.tar.gz) is 5a6b35d1a348a402f2d2d6ab5aed653a1a1f13bc63aaaf51605e3501b0733b7a.\n\nSee folder `db/full-nodes`\n\n## Wallets\n\nThe wallet supply chain information is in folder `wallets`.\n\nTo verify that you use a safe wallet program:\n\n1. Compute the SHA256 sum of the wallet binary or installation file you've just downloaded\n    * Do it in the browser at \u003chttps://sprin.github.io/TrustyHash/\u003e\n    * For advanced users, see https://help.ubuntu.com/community/HowToSHA256SUM\n2. Check that it is known by Google, e.g. \u003chttps://encrypted.google.com?q=6b98b367acdee51961118f57d0ba40e57f369d031a43c673ad76cda97cf61db1\u003e. If there are 0 results on Google, **STOP AND DELETE THE FILE**: it can be malware trying to steal your bitcoin.\n3. If Google knows it, check the reliability of the websites where this SHA256 appears\n4. 
If Google knows it, check whether the SHA256 sum appears in folder `db/wallets` (see section \"Meta-trust\" below)\n\nDON'T:\n\n* Do NOT download wallet programs from arbitrary websites\n* Do NOT install a wallet app through the Google Play Store / Apple App Store: because you cannot verify the APK signatures beforehand, you have to entirely trust Google / Apple.\n\nAdvanced users want to [verify the cryptographic GPG signature](https://www.wikihow.com/Verify-a-GPG-Signature) of the wallet binary, and verify that it comes from a trusted source.\n\n\n## Software Dependencies\n\nNow we're talking. Verifying the software supply chain at the developer level is much harder than verifying a single wallet or node. One needs to verify the provenance of all libraries and tools (e.g. the compiler) used to create the final executable (see the excellent talk by [Carl Dong](https://github.com/dongcarl) at \u003chttps://youtu.be/I2iShmUTEl8\u003e).\n\nThere is excellent tool support for verifying a supply chain:\n\n* [Guix](https://guix.gnu.org/): Guix is a package manager with secure and deterministic packaging. [See the Bitcoin-core pipeline](https://github.com/bitcoin/bitcoin/blob/master/contrib/guix/README.md)\n* [Gitian](https://gitian.org/): Gitian enables one to set up a secure and deterministic build process. See the [Gitian process of bitcoin-core](https://github.com/bitcoin-core/docs/blob/master/gitian-building.md)\n\n## Checking btc-supply-chain\n\nTo verify that the data contained in this repo is consistent, see script `check-btc-supply-chain.py`.\n\n## Meta-trust\n\nWait! Maybe this website has been compromised? That's entirely correct! You should do your own research about this website as well. 
Mitigation:\n\n* We use two-factor authentication\n* All commits are signed with Martin Monperrus' GPG key.\n* Public keys of repositories and package managers\n\n## License\n\nThe content of this repository is licensed under the MIT license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fbtc-supply-chain","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchains-project%2Fbtc-supply-chain","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fbtc-supply-chain/lists"}