An engineering blog by Turnkey.

The secret tweak needed to unlock Taproot

by Arnaud
Turnkey has always supported Bitcoin because our signer enclave has supported bare Secp256k1 signing operations since day one. We now offer Bitcoin address derivation. This might seem easy: aren't Bitcoin addresses simply derived from Secp256k1 public keys? Turns out supporting Taproot required an entirely new signature scheme and support for cryptographic tweaks.

Remote attestations are useless without reproducible builds

by Arnaud
Turnkey spends a lot of time thinking about software builds, and has invested a lot of resources to make them reproducible. Do you really need your software to yield byte-for-byte identical artifacts? My hope is to convince you that the answer is a resounding YES if you're planning to use remote attestations.

TLS sessions from within TEEs

by Arnaud
While building our new OAuth feature, we had to solve an interesting problem: enclaves do not have network access, yet we have to fetch a list of public keys to verify OIDC tokens securely. How did we solve this using TEEs?