winbuilds: update README. Do not sign in unsign.sh

7 years ago · 0119ab9ee1
2 changed files with 11 additions and 12 deletions
--- a/contrib/build-wine/README.md
+++ b/contrib/build-wine/README.md
@ -52,15 +52,16 @@ certificate/key) and one or multiple trusted verifiers:
 | Signer                                                    | Verifier                          |
 |-----------------------------------------------------------|-----------------------------------|
 | Build .exe files using `build.sh`                         |                                   |
+| Sign .exe with `./sign.sh`                                |                                   |
+| Upload signed files to download server                    |                                   |
 |                                                           | Build .exe files using `build.sh` |
-|                                                           | Sign .exe files using `gpg -b`    |
-|                                                           | Send signatures to signer         |
-| Place signatures as `$filename.$builder.asc` in `./dist`  |                                   |
-| Run `./sign.sh`                                           |                                   |
+|                                                           | Compare files using `unsign.sh`   |
+|                                                           | Sign .exe file using `gpg -b`     |
+
+| Signer and verifiers:
+| Upload signatures to 'electrum-signatures' repo, as `$version/$filename.$builder.asc`         |


-`sign.sh` will check if the signatures match the signer's files. This ensures that the signer's
-build environment is not compromised and that the binaries can be reproduced by anyone.


 Verify Integrity of signed binary
--- a/contrib/build-wine/unsign.sh
+++ b/contrib/build-wine/unsign.sh
@ -17,12 +17,11 @@ cd signed

 echo "Found $(ls *.exe | wc -w) files to verify."
 for signed in $(ls *.exe); do
-    echo $signed
    mine="../dist/$signed"
    out="../stripped/$signed"
    size=$( wc -c < $mine )
    # Step 1: Remove PE signature from signed binary
-    osslsigncode remove-signature -in $signed -out $out
+    osslsigncode remove-signature -in $signed -out $out > /dev/null 2>&1
    # Step 2: Remove checksum and padding from signed binary
    python3 <<EOF
 pe_file = "$out"
@ -37,16 +36,15 @@ l = len(binary)
 n = l - size
 if n > 0:
   assert binary[-n:] == bytearray(n)
-   print("removing %d null bytes"% n)
   binary = binary[:size]
 with open(pe_file, "wb") as f:
    f.write(binary)
 EOF
    chmod +x $out
    if [ ! $(diff $out $mine) ]; then
-	echo "Success!"
-	gpg --sign --armor --detach $signed
+	echo "Success: $signed"
+	#gpg --sign --armor --detach $signed
    else
-	echo "failure"
+	echo "Failure: $signed"
    fi
 done