
winbuilds: update README. Do not sign in unsign.sh

3.2.x 3.2.0
ThomasV 7 years ago
parent
commit
0119ab9ee1
  1. 13
      contrib/build-wine/README.md
  2. 10
      contrib/build-wine/unsign.sh

13
contrib/build-wine/README.md

@ -52,15 +52,16 @@ certificate/key) and one or multiple trusted verifiers:
| Signer | Verifier | | Signer | Verifier |
|-----------------------------------------------------------|-----------------------------------| |-----------------------------------------------------------|-----------------------------------|
| Build .exe files using `build.sh` | | | Build .exe files using `build.sh` | |
| Sign .exe with `./sign.sh` | |
| Upload signed files to download server | |
| | Build .exe files using `build.sh` | | | Build .exe files using `build.sh` |
| | Sign .exe files using `gpg -b` | | | Compare files using `unsign.sh` |
| | Send signatures to signer | | | Sign .exe file using `gpg -b` |
| Place signatures as `$filename.$builder.asc` in `./dist` | |
| Run `./sign.sh` | | | Signer and verifiers:
| Upload signatures to 'electrum-signatures' repo, as `$version/$filename.$builder.asc` |
`sign.sh` will check if the signatures match the signer's files. This ensures that the signer's
build environment is not compromised and that the binaries can be reproduced by anyone.
Verify Integrity of signed binary Verify Integrity of signed binary

10
contrib/build-wine/unsign.sh

@ -17,12 +17,11 @@ cd signed
echo "Found $(ls *.exe | wc -w) files to verify." echo "Found $(ls *.exe | wc -w) files to verify."
for signed in $(ls *.exe); do for signed in $(ls *.exe); do
echo $signed
mine="../dist/$signed" mine="../dist/$signed"
out="../stripped/$signed" out="../stripped/$signed"
size=$( wc -c < $mine ) size=$( wc -c < $mine )
# Step 1: Remove PE signature from signed binary # Step 1: Remove PE signature from signed binary
osslsigncode remove-signature -in $signed -out $out osslsigncode remove-signature -in $signed -out $out > /dev/null 2>&1
# Step 2: Remove checksum and padding from signed binary # Step 2: Remove checksum and padding from signed binary
python3 <<EOF python3 <<EOF
pe_file = "$out" pe_file = "$out"
@ -37,16 +36,15 @@ l = len(binary)
n = l - size n = l - size
if n > 0: if n > 0:
assert binary[-n:] == bytearray(n) assert binary[-n:] == bytearray(n)
print("removing %d null bytes"% n)
binary = binary[:size] binary = binary[:size]
with open(pe_file, "wb") as f: with open(pe_file, "wb") as f:
f.write(binary) f.write(binary)
EOF EOF
chmod +x $out chmod +x $out
if [ ! $(diff $out $mine) ]; then if [ ! $(diff $out $mine) ]; then
echo "Success!" echo "Success: $signed"
gpg --sign --armor --detach $signed #gpg --sign --armor --detach $signed
else else
echo "failure" echo "Failure: $signed"
fi fi
done done
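Review bot: The added `> /dev/null 2>&1` on the `osslsigncode remove-signature` line hides a failed signature removal, and nothing in the visible lines checks its exit status, so the loop carries on with a missing or stale `$out`. That matters because the unchanged verdict line `if [ ! $(diff $out $mine) ]` tests diff's stdout rather than its exit status: when diff itself errors (for example on a missing file) stdout is empty and the script prints `Success: $signed`. For a reproducible-build check the script should fail closed, e.g. `osslsigncode remove-signature -in "$signed" -out "$out" > /dev/null 2>&1 || { echo "Failure: $signed"; continue; }` and `if cmp -s "$out" "$mine"; then`. The script's first 16 lines and the Python heredoc between the two hunks are outside the view, so an earlier `set -e` would change the first part of this.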
