Nunchuk Android Now Supports Reproducible Builds

Published: Sep 18, 2024

We’re excited to share that Nunchuk for Android now supports reproducible builds! This is a significant step forward in our commitment to transparency and security in the Bitcoin ecosystem.

What are Reproducible Builds?

Reproducible builds are a set of software development practices that create an independently verifiable path from source code to the binary code used by your device. This allows users to verify that the application running on their device exactly matches the open-source code we’ve published.

Why is this Important?

  1. Trust Minimization: In the spirit of Bitcoin’s “Don’t trust, verify” ethos, you no longer have to trust that our published code matches the application you’re using. You can verify it yourself.
  2. Security: Reproducible builds make it much harder for malicious code to be inserted into the build process without detection.
  3. Transparency: This process provides a clear link between our open-source code and the application you use, enhancing our commitment to transparency.

Nunchuk’s Unique Position

We’re proud to announce that with this update, Nunchuk joins a select group of Bitcoin wallets that support reproducible builds. This puts Nunchuk at the forefront of transparency and security in the Bitcoin wallet space, particularly for mobile users.

Moreover, Nunchuk stands out as the only Bitcoin wallet that directly reuses Bitcoin Core code. Bitcoin Core is the protocol code of Bitcoin and is widely recognized as the most peer-reviewed and battle-tested code in the entire Bitcoin ecosystem. Our decision to reuse Bitcoin Core code from day one was driven by our commitment to minimize dependencies and maximize security.

To achieve this, we developed libnunchuk, a cross-platform library at the heart of Nunchuk. This library encapsulates the reused Bitcoin Core code, allowing us to maintain a high level of security and consistency across different platforms while leveraging the robustness of Bitcoin Core.

With our new reproducible build process, you can now verify for yourself that libnunchuk indeed reuses Bitcoin Core code. This means you can confirm that your Nunchuk wallet is running genuine Bitcoin Core code internally for Bitcoin-related tasks, providing an unprecedented level of transparency and trust in your wallet’s operations.

How Can You Verify?

We’ve published detailed instructions on our GitHub repository that walk you through the process of building the application from source and comparing it to the version from the Google Play Store. This includes:

  • Obtaining the source code
  • Building the application
  • Generating Android Package Kit (APK) files from the bundle
  • Pulling the APK files from your device
  • Comparing the built APK files with the ones on your device

Looking Forward

We’re continuously exploring ways to enhance transparency and security across our platform. We encourage our security-conscious users to try out the verification process and let us know your feedback. Your input is invaluable as we continue to improve and refine this process.

Thank you for your continued support and trust in Nunchuk. Together, we’re building a more transparent and secure future for Bitcoin multi-signature technology!

For full instructions on how to verify your Nunchuk Android application, please visit our GitHub repository: https://github.com/nunchuk-io/nunchuk-android/tree/master/reproducible-builds

If you have any questions or feedback, don’t hesitate to reach out to our team.
