windows builds: sign the windows-signed files with gpg

6 years ago · fa6c213d5f
2 changed files with 38 additions and 55 deletions
--- a/contrib/build-wine/sign.sh
+++ b/contrib/build-wine/sign.sh
@ -4,7 +4,6 @@ here=$(dirname "$0")
 test -n "$here" -a -d "$here" || exit
 cd $here

-
 CERT_FILE=${CERT_FILE:-~/codesigning/cert.pem}
 KEY_FILE=${KEY_FILE:-~/codesigning/key.pem}
 if [[ ! -f "$CERT_FILE" ]]; then
@ -16,32 +15,11 @@ if ! which osslsigncode > /dev/null 2>&1; then
    echo "Please install osslsigncode"
 fi

-mkdir -p ./signed/dist >/dev/null 2>&1
+mkdir -p signed >/dev/null 2>&1

-echo "Found $(ls dist/*.exe | wc -w) files to sign."
-for f in $(ls dist/*.exe); do
-    echo "Checking GPG signatures for $f..."
-    bad=0
-    good=0
-    for sig in $(ls $f.*.asc); do
-        if gpg --verify $sig $f > /dev/null 2>&1; then
-            (( good++ ))
-        else
-            (( bad++ ))
-        fi
-    done
-    echo "$good good signature(s) for $f".
-    if (( bad > 0 )); then
-        echo "WARNING: $bad bad signature(s)"
-        for sig in $(ls $f.*.asc); do
-            gpg --verify $sig $f
-            gpg --list-packets --verbose $sig
-        done
-        read -p "Do you want to continue (y/n)? " answer
-        if [ "$answer" != "y" ]; then
-            exit
-        fi
-    fi
+cd dist
+echo "Found $(ls *.exe | wc -w) files to sign."
+for f in $(ls *.exe); do
    echo "Signing $f..."
    osslsigncode sign \
      -certs "$CERT_FILE" \
@ -50,6 +28,6 @@ for f in $(ls dist/*.exe); do
      -i "https://electrum.org/" \
      -t "http://timestamp.digicert.com/" \
      -in "$f" \
-      -out "signed/$f"
-    ls signed/$f -lah      
+      -out "../signed/$f"
+    ls ../signed/$f -lah
 done
--- a/contrib/build-wine/unsign.sh
+++ b/contrib/build-wine/unsign.sh
@ -8,40 +8,45 @@ if ! which osslsigncode > /dev/null 2>&1; then
    exit
 fi

-if [ $# -ne 2 ]; then
-    echo "Usage: $0 signed_binary unsigned_binary"
-    exit
-fi
-
-out="$1-stripped.exe"
-
-set -ex
-
-echo "Step 1: Remove PE signature from signed binary"
-osslsigncode remove-signature -in $1 -out $out
-
-echo "Step 2: Remove checksum from signed binary"
-python3 <<EOF
+# exit if command fails
+set -e
+
+mkdir -p stripped >/dev/null 2>&1
+
+cd signed
+
+echo "Found $(ls *.exe | wc -w) files to verify."
+for signed in $(ls *.exe); do
+    echo $signed
+    mine="../dist/$signed"
+    out="../stripped/$signed"
+    size=$( wc -c < $mine )
+    # Step 1: Remove PE signature from signed binary
+    osslsigncode remove-signature -in $signed -out $out
+    # Step 2: Remove checksum and padding from signed binary
+    python3 <<EOF
 pe_file = "$out"
+size= $size
 with open(pe_file, "rb") as f:
    binary = bytearray(f.read())
-
 pe_offset = int.from_bytes(binary[0x3c:0x3c+4], byteorder="little")
 checksum_offset = pe_offset + 88
-
 for b in range(4):
    binary[checksum_offset + b] = 0
-
+l = len(binary)
+n = l - size
+if n > 0:
+   assert binary[-n:] == bytearray(n)
+   print("removing %d null bytes"% n)
+   binary = binary[:size]
 with open(pe_file, "wb") as f:
    f.write(binary)
 EOF
-
-bytes=$( wc -c < $2 )
-bytes=$((8 - ($bytes%8)))
-bytes=$(($bytes % 8))
-
-echo "Step 3: Appending $bytes null bytes to unsigned binary"
-
-truncate -s +$bytes $2
-
-diff $out $2 && echo "Success!"
+    chmod +x $out
+    if [ ! $(diff $out $mine) ]; then
+	echo "Success!"
+	gpg --sign --armor --detach $signed
+    else
+	echo "failure"
+    fi
+done