This monorepo contains all core components for the KeepKey Bitcoin-only ecosystem:
- firmware/: Bitcoin-only firmware for KeepKey hardware wallets.
- kkcli/: Command-line interface for Bitcoin-only KeepKey operations.
- vault/: Tauri desktop app for KeepKey.
- Rust (latest stable)
- Tauri prerequisites (see docs/tauri.md)
- GNU Make
make all
make firmware
make kkcli
make rest
make vault
- Single-source REST API: All business logic and endpoints live in keepkey-rest.
- Unified UI: One Vite UI bundle for both web and desktop.
- Easy builds: One command to build everything.
The project uses a Makefile-based release workflow for versioning and branch management:
# Create release branch with specific version
make release-branch VERSION=2.2.7
# Auto-increment versions and create branch
make release-patch-branch # Bumps X.Y.Z -> X.Y.(Z+1)
make release-minor-branch # Bumps X.Y.Z -> X.(Y+1).0
make release-major-branch # Bumps X.Y.Z -> (X+1).0.0
- Create release branch and update version:
  make release-branch VERSION=2.2.7
- Build and test locally with signing:
  cd projects/vault-v2
  ./build-signed.sh
- Commit changes:
  git add .
  git commit -m "chore: release v2.2.7"
- Push branch:
  git push -u origin release-2.2.7
- Create Pull Request to master
- After merge, create and push tag:
  git tag -a v2.2.7 -m "Release v2.2.7"
  git push --tags
The GitHub Actions workflow automatically signs and notarizes macOS builds when the following repository secrets are configured:
- APPLE_ID: Apple developer account email
- APPLE_ID_PASSWORD: App-specific password for notarization
- APPLE_TEAM_ID: Apple developer team ID (e.g., DR57X8Z394)
- APPLE_CERTIFICATE: Base64-encoded Developer ID certificate
- CERT_PW: Certificate password
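A preflight check for the five signing secrets listed above, so a signing job fails early and never echoes a secret value into the build log. This is an added example, not part of the project's workflow; the function name `check_signing_env` is hypothetical, and it assumes the secrets are exposed to the job as environment variables with the same names.

```shell
#!/bin/sh
# Added example (not the project's code). Assumption: the repository secrets
# are exposed to the signing job as environment variables of the same name.
# Only variable names are ever printed, never their values.

REQUIRED_SIGNING_VARS="APPLE_ID APPLE_ID_PASSWORD APPLE_TEAM_ID APPLE_CERTIFICATE CERT_PW"

# check_signing_env: writes one line per problem to stderr and returns the
# number of problems found (0 means the environment looks usable).
# The body runs in a subshell so its working variables do not leak.
check_signing_env() (
  problems=0
  for name in $REQUIRED_SIGNING_VARS; do
    # Indirect lookup; $name only ever holds one of the fixed names above.
    eval "value=\${$name-}"
    if [ -z "$value" ]; then
      echo "missing: $name" >&2
      problems=$((problems + 1))
    fi
  done

  # The certificate must decode as base64; the decoded bytes are discarded.
  if [ -n "${APPLE_CERTIFICATE-}" ] &&
     ! printf '%s' "$APPLE_CERTIFICATE" | base64 --decode >/dev/null 2>&1; then
    echo "invalid base64: APPLE_CERTIFICATE" >&2
    problems=$((problems + 1))
  fi

  # Team IDs are 10-character alphanumeric strings, like the example above.
  if [ -n "${APPLE_TEAM_ID-}" ] &&
     ! printf '%s' "$APPLE_TEAM_ID" | grep -Eq '^[A-Z0-9]{10}$'; then
    echo "malformed: APPLE_TEAM_ID" >&2
    problems=$((problems + 1))
  fi

  exit "$problems"
)
```

Call `check_signing_env || exit 1` as the first command of the signing step, before any certificate import or notarization call.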
For local signed builds:
cd projects/vault-v2
# Build and sign
./build-signed.sh
# Notarize (requires Apple credentials)
APPLE_ID="your-email@example.com" \
APPLE_PASSWORD="app-specific-password" \
./notarize.sh
See docs/contributing.md.
See docs/architecture.md.