Planning and executing a new release

[k9ert]

Context

This issue should coordinate the different acitivities for a new release. The v1.9.0 release is now 20 month old. So let's do a v1.10.0.
It's a bit special as want to change release-keys and therefore the new release's upgrade binary needs to contain the bootloader inclusing the (new) keys.

Steps

• change the keys so that ben get removed and k9ert included
  • in bootloader: update signing keys, add xpubconvert tool for convenience specter-bootloader#22 (and fix: syntax specter-bootloader#23)
  • in specter-diy: feat: Removed ben and added k9ert keys for releasing #306
  • Modify boot/main/boot.py release: prepare release #340
• include bootloader in upgrade binary: Add bootloader to upgrade binary #323
• Agree roughly on the steps here and which commit exactly will contain the release: @stepansnigirev , @miketlk , @k9ert
• create tag for release https://github.com/cryptoadvance/specter-diy/tree/v1.10.0
• Stepan to build/sign

# something like 
docker run --platform linux/amd64 -ti -v $(pwd):/app -e HOST_UID=$(id -u) -e HOST_GID=$(id -g) stepansnigirev/diy-firmware ./build_firmware.sh main bootloader assemble

docker run --rm -it -v $(pwd):/specter-diy -w /specter-diy stepansnigirev/diy-firmware  python3 ./bootloader/tools/upgrade-generator.py import-sig -s  "sigHere="  ./release/specter_upgrade.bin

• introspect with introspection tool:

Details

(.env) ➜  specter-diy_old git:(master) ✗ bootloader/tools/.env/bin/python3.9 bootloader/tools/introspect-binary.py release/specter_upgrade.bin
📋 Loaded keys from: /home/kim/src/specter-diy_old/bootloader/tools/../keys/production/pubkeys.c
   Vendor keys: 4
   Maintainer keys: 4

📦 Upgrade file analysis:
   Payload sections: 2
   Type: Bootloader
   Required signatures: 2
   Message hash: b1.0.1-1.10.0-1984mrfplq705g8qw85sguw728cves4vl9hmhfefwwywnh86ajglqyvc7dc

🔐 Signature analysis:
   Found 2 signature(s)

🔐 Signature verification:
   ✅ maintainer (Backup_m/99h): 7c5de6a71d2abae563945e05d767626a
   ✅ maintainer (Stepan): 33793141d1557bc6b4249e0be8ef6b46

✅ Threshold verification:
   Valid signatures: 2/2
   Signed by: Backup_m/99h(maintainer), Stepan(maintainer)
   Result: Upgrade file is valid and can be installed

🔑 Public key analysis:
   Searching for embedded keys in payload sections...
   Found 4 embedded public key(s):
   ✅ k9ert (maintainer/vendor): c8638d869d056ce1b18677e2b0bfaa60
   ✅ Mike (maintainer/vendor): cf0239e7708148c0fe2bc1ff485d950e
   ✅ Stepan (maintainer/vendor): 33793141d1557bc6b4249e0be8ef6b46
   ✅ Backup_m/99h (maintainer/vendor): 7c5de6a71d2abae563945e05d767626a

✅ Key verification:
   Result: Upgrade contains the public keys needed for future upgrade verification
(.env) ➜  specter-diy_old git:(master) ✗ 

• signed binaries published on this ticket
• Merging yet another PR
• creating another tag v1.10.1
• agree on the build architecture, the docker-image: maybe https://hub.docker.com/r/stepansnigirev/diy-firmware
• build the firmware on Mike/k9erts laptop and share the hash here: b1.0.1-1.10.1-19j32lx39tm4l5h06nwz5q5jhhuqv0j3e24g96rcglk499uh8fafszmerfd
• check whether the hashes do not differ
• Create signatures:
  • Mike: Iw60/b3N60Ng9rsWmSmF4Cz1XHsHK4s/s4sUob4eJlSMGVumrWhr7ZNcvPLpfCvox+J3guMRr4j99KjC+1z3og0=
  • k9ert: H9kO/gE5gQJ36FiXaIOIzgXARlMtUDc1JALRgKA6HYpdba8U2D36J7ToS3ZVe2mlL5qBHFFbJ5Rv8RAN8YQRAXM=
• k9ert to combine the different pieces to the upgrade binary:

docker run --rm -it -v $(pwd):/specter-diy -w /specter-diy stepansnigirev/diy-firmware  python3 ./bootloader/tools/upgrade-generator.py import-sig -s  "Iw60/b3N60Ng9rsWmSmF4Cz1XHsHK4s/s4sUob4eJlSMGVumrWhr7ZNcvPLpfCvox+J3guMRr4j99KjC+1z3og0="  ./release/specter_upgrade.bin
docker run --rm -it -v $(pwd):/specter-diy -w /specter-diy stepansnigirev/diy-firmware  python3 ./bootloader/tools/upgrade-generator.py import-sig -s  "H9kO/gE5gQJ36FiXaIOIzgXARlMtUDc1JALRgKA6HYpdba8U2D36J7ToS3ZVe2mlL5qBHFFbJ5Rv8RAN8YQRAXM="  ./release/specter_upgrade.bin

• text with introspection tool:

Details

(.env) ➜  specter-diy_old git:(master) ✗ bootloader/tools/.env/bin/python3.9 bootloader/tools/introspect-binary.py release/specter_upgrade.bin
📋 Loaded keys from: /home/kim/src/specter-diy_old/bootloader/tools/../keys/production/pubkeys.c
   Vendor keys: 4
   Maintainer keys: 4

📦 Upgrade file analysis:
   Payload sections: 2
   Type: Bootloader
   Required signatures: 2
   Message hash: b1.0.1-1.10.1-19j32lx39tm4l5h06nwz5q5jhhuqv0j3e24g96rcglk499uh8fafszmerfd

🔐 Signature analysis:
   Found 2 signature(s)

🔐 Signature verification:
   ✅ maintainer (Mike): cf0239e7708148c0fe2bc1ff485d950e
   ✅ maintainer (k9ert): c8638d869d056ce1b18677e2b0bfaa60

✅ Threshold verification:
   Valid signatures: 2/2
   Signed by: Mike(maintainer), k9ert(maintainer)
   Result: Upgrade file is valid and can be installed

🔑 Public key analysis:
   Searching for embedded keys in payload sections...
   Found 4 embedded public key(s):
   ✅ k9ert (maintainer/vendor): c8638d869d056ce1b18677e2b0bfaa60
   ✅ Mike (maintainer/vendor): cf0239e7708148c0fe2bc1ff485d950e
   ✅ Stepan (maintainer/vendor): 33793141d1557bc6b4249e0be8ef6b46
   ✅ Backup_m/99h (maintainer/vendor): 7c5de6a71d2abae563945e05d767626a

✅ Key verification:
   Result: Upgrade contains the public keys needed for future upgrade verification

- [x] zip and [upload](https://github.com//issues/330#issuecomment-4099615783) `zip v1.10.1_signed.zip release release/*` - [ ] Test the release upgrade (@Schnuartz ) - [ ] Create release-changelog for v1.10.0 ([here](https://github.com//issues/330#issuecomment-4099840826)) - [ ] Review changelog - [ ] Create release page in github, upload binaries, hashes and signatures

Planned Release notes (for `v1.10.0`):

Release notes

• show transaction version, locktime and input sequences when signing Show Transaction Version, Locktime and inputs' sequences when signing transactions! #321
• full M3Y scanner support, fix QR scanning issues for GM65 and M3Y Add M3Y scanner #335
• fix for newer GM65 scanners scanning CompactSeedQR Fix for newer GM65 Scanners scanning CompactSeedQR + Add "About Screen" #299
• expand multisig descriptor detection for Liana compatibility Expand detection of possible multisig descriptors & Add data input parsing CI tests #301
• hide disabled QR scanner in recovery phrase import menu Fix #329: Hide disabled QR scanner in recovery phrase import menu #338
• add "About" screen Fix for newer GM65 Scanners scanning CompactSeedQR + Add "About Screen" #299
• bootloader included in upgrade binary for signing key rotation Add bootloader to upgrade binary #323
• updated signing keys: removed ben, added k9ert feat: Removed ben and added k9ert keys for releasing #306
• add Specter Shield-Lite documentation Add shield lite #310
• other improvements and bugfixes

Important: This release includes a bootloader update with new signing keys. The upgrade binary contains the updated bootloader, which will be applied automatically during the upgrade process.

Upgrade process

Copy specter_upgrade_v1.10.0.bin to the SD card and insert it into the device. The bootloader will check the signatures of the upgrade file and update the firmware.

Flashing on empty board

If your discovery board is empty or you have a very old firmware (below 1.4.0) - connect your board over miniUSB with power jumper set to STLK and copy-paste initial_firmware_v1.10.0.bin file to the mounted drive.

If you have problems flashing initial firmware consider using stlink-tools. A command to flash firmware:

st-flash write path/to/initial_firmware.bin 0x8000000

If you want to use self-signed bootloader and firmware check out the instructions in the bootloader repo

sha256.signed.txt file contains sha256 hashes of the firmware binary files and signed with the "Specter Signer 2026" GPG key.

You can get the public key from here.
Fingerprint of the key is 9DC3 3CA8 3058 9DE3 B322 5C26 EEF5 756B 2EA4 2349

Reproducible build

You can build binaries identical to the ones in this release yourself. Follow this instruction, when the build is almost complete the script will output a message for signing and ask you for the signatures.

Verify that upgrade message is:

b1.0.1-1.10.0-1984mrfplq705g8qw85sguw728cves4vl9hmhfefwwywnh86ajglqyvc7dc

Add first signature:

ID2rAxeSFrfCmPcHt57XCMHZSFyp2fB+52vix8iAqDooLwd1sBRMW1j59AGqamgsTQ0CUj5eZ3ky0XpY/+rXlkY=

Add second signature:

H9mlVmjGnyRddlfbD8CMwQpq7D0m/9OWSd44q5J6OcHVcMj9OoALFSsdgXnvb0GL7PlwLBUoePC06ExLhSvcpnw=

Then hit enter and check that sha256.txt has the same hashes as in sha256.signed.txt file.

[k9ert]

v1.10.0_tosign.zip

[k9ert]

v1.10.0_signed.zip

[Schnuartz]

v1.10.0_signed.zip

Tested the upgrading process.

For some reason, it says "ware" instead of Firmware. But eveything else looked good.

Tested initial flashing as well as upgrading.

[tadeubas]

tACK, confirm the same as @Schnuartz
Initial flash or upgrade from 1.9.0 to 1.10.0 working, just the msg while updating that is missing some letters: "WARE UPGRADE"

[k9ert]

v1.10.1_signed.zip

This is the fake release to test the upgrade process. @Schnuartz please test an upgrade from v1.10.0 to v1.10.1

[Schnuartz]

So I did it wrong the first time.

At first I only tried installing the 1.10.1 BUT then I found out that you need to install 1.10.0 before.

c.f..: #330 (comment)

So I did that and tried to install 1.10.1 but here I received the same error message (tried it on 2 different Specter HWWs)

c.f.: #330 (comment)

[Schnuartz]

Ok, now tried another time.

This time I flashed the 1.10.0 directly from the initial_firmware.bin after that I installed the new 1.10.1 via SD-Card.

This time everything worked like expected.

So I assume there is some difference between the version you install between the specter_upgrade.bin and the initial_firmare.bin

[k9ert]

Root cause of v1.10.1 upgrade failure ("Not enough signatures")

TL;DR

The v1.10.0 bootloader binary has the same version (1.0.1) as the already-installed bootloader, so the startup code never swaps to the new copy. The old bootloader (with old keys) keeps running and rejects v1.10.1's signatures.

Analysis

Investigated the upgrade binaries and the specter-bootloader source code.

The bootloader has two copy slots (sectors 22+23 at 0x081C0000 and 0x081E0000). The non-upgradable startup code selects which copy to run based on the ICR version — highest version wins, ties go to copy 1 (startup.c:209-224):

if (-1 == selected || version[idx] > version[selected]) {
    selected = idx;  // strictly greater — ties keep first copy
}

The upgrade always writes to the inactive copy (bootloader.c:468-472).

Signature verification uses the keys compiled into the currently running bootloader (bootloader.c:1007-1017). When a boot section is present, only vendor keys are accepted:

const bl_pubkey_t* pubkeys_boot[] = {p_keyset->vendor_pubkeys, NULL};
// ...
p_md->boot_section.loaded ? pubkeys_boot : pubkeys_main

What happens on the v1.9.0 → v1.10.0 → v1.10.1 path:

1. Device runs old bootloader from copy 1 (version 1.0.1, old keys)
2. v1.10.0 upgrade writes new bootloader (new keys) to copy 2, with version... also 1.0.1
3. Reboot: startup code reads ICRs — copy 1 = 1.0.1, copy 2 = 1.0.1 → copy 1 wins (tie)
4. Old bootloader (old keys) is still running
5. v1.10.1 arrives, signed by Mike + k9ert. Boot section present → only vendor keys checked
6. Old bootloader's vendor keys: Mike, Stepan, Ben(?), unknown, Backup_m — k9ert is not in the list
7. Only Mike's signature validates → 1 valid sig < threshold 2 → "Not enough signatures"

Why JTAG flash path works: Flashing initial_firmware.bin via JTAG overwrites both bootloader copies with the new keys, so there's no copy selection issue.

The fix

The bootloader version tag in platforms/stm32f469disco/bootloader/main.c:29 is:

"<version:tag10>0100000199</version:tag10>"  // 1.0.1

This needs to be bumped (e.g. to 0100000299 = 1.0.2) so the startup code selects the new copy after upgrade. PR: https://github.com/cryptoadvance/specter-bootloader/pull/TBD (will update)

The bootloader then needs to be rebuilt and the v1.10.0 (and v1.10.1) upgrade binaries regenerated with the new bootloader.