This post is about Turnkey's journey with reproducible builds. We don't have a choice: our builds must be reproducible to secure TEE deployments and use remote attestations meaningfully. Unfortunately reproducible builds aren't easy out-of-the-box. We'll survey the landscape of existing options available to us, show our first attempt at reproducible builds, and explain why and how we've arrived at StageX: a new container-based, full-source-bootstrapped, reproducible, multi-party signed distro which simplifies reproducible builds considerably.

Turnkey has always supported Bitcoin because our signer enclave has supported bare Secp256k1 signing operations since day one. We now offer Bitcoin address derivation. This might seem easy: aren't Bitcoin addresses simply derived from Secp256k1 public keys? Turns out supporting Taproot required an entirely new signature scheme and support for cryptographic tweaks.

Turnkey spends a lot of time thinking about software builds, and has invested a lot of resources to make them reproducible. Do you really need your software to yield byte-for-byte identical artifacts? My hope is to convince you that the answer is a resounding YES if you're planning to use remote attestations.