windows builds: sign the windows-signed files with gpg

contrib/build-wine/sign.sh

@@ -4,7 +4,6 @@ here=$(dirname "$0")
 test -n "$here" -a -d "$here" || exit
 cd $here
 
-
 CERT_FILE=${CERT_FILE:-~/codesigning/cert.pem}
 KEY_FILE=${KEY_FILE:-~/codesigning/key.pem}
 if [[ ! -f "$CERT_FILE" ]]; then
@@ -16,32 +15,11 @@ if ! which osslsigncode > /dev/null 2>&1; then
     echo "Please install osslsigncode"
 fi
 
-mkdir -p ./signed/dist >/dev/null 2>&1
+mkdir -p signed >/dev/null 2>&1
 
-echo "Found $(ls dist/*.exe | wc -w) files to sign."
+cd dist
-for f in $(ls dist/*.exe); do
+echo "Found $(ls *.exe | wc -w) files to sign."
-    echo "Checking GPG signatures for $f..."
+for f in $(ls *.exe); do
-    bad=0
-    good=0
-    for sig in $(ls $f.*.asc); do
-        if gpg --verify $sig $f > /dev/null 2>&1; then
-            (( good++ ))
-        else
-            (( bad++ ))
-        fi
-    done
-    echo "$good good signature(s) for $f".
-    if (( bad > 0 )); then
-        echo "WARNING: $bad bad signature(s)"
-        for sig in $(ls $f.*.asc); do
-            gpg --verify $sig $f
-            gpg --list-packets --verbose $sig
-        done
-        read -p "Do you want to continue (y/n)? " answer
-        if [ "$answer" != "y" ]; then
-            exit
-        fi
-    fi
     echo "Signing $f..."
     osslsigncode sign \
       -certs "$CERT_FILE" \
@@ -50,6 +28,6 @@ for f in $(ls dist/*.exe); do
       -i "https://electrum.org/" \
       -t "http://timestamp.digicert.com/" \
       -in "$f" \
-      -out "signed/$f"
+      -out "../signed/$f"
-    ls signed/$f -lah      
+    ls ../signed/$f -lah
 done

contrib/build-wine/unsign.sh

@@ -8,40 +8,45 @@ if ! which osslsigncode > /dev/null 2>&1; then
     exit
 fi
 
-if [ $# -ne 2 ]; then
+# exit if command fails
-    echo "Usage: $0 signed_binary unsigned_binary"
+set -e
-    exit
+
-fi
+mkdir -p stripped >/dev/null 2>&1
-
+
-out="$1-stripped.exe"
+cd signed
-
+
-set -ex
+echo "Found $(ls *.exe | wc -w) files to verify."
-
+for signed in $(ls *.exe); do
-echo "Step 1: Remove PE signature from signed binary"
+    echo $signed
-osslsigncode remove-signature -in $1 -out $out
+    mine="../dist/$signed"
-
+    out="../stripped/$signed"
-echo "Step 2: Remove checksum from signed binary"
+    size=$( wc -c < $mine )
-python3 <<EOF
+    # Step 1: Remove PE signature from signed binary
+    osslsigncode remove-signature -in $signed -out $out
+    # Step 2: Remove checksum and padding from signed binary
+    python3 <<EOF
 pe_file = "$out"
+size= $size
 with open(pe_file, "rb") as f:
     binary = bytearray(f.read())
-
 pe_offset = int.from_bytes(binary[0x3c:0x3c+4], byteorder="little")
 checksum_offset = pe_offset + 88
-
 for b in range(4):
     binary[checksum_offset + b] = 0
-
+l = len(binary)
+n = l - size
+if n > 0:
+   assert binary[-n:] == bytearray(n)
+   print("removing %d null bytes"% n)
+   binary = binary[:size]
 with open(pe_file, "wb") as f:
     f.write(binary)
 EOF
-
+    chmod +x $out
-bytes=$( wc -c < $2 )
+    if [ ! $(diff $out $mine) ]; then
-bytes=$((8 - ($bytes%8)))
+	echo "Success!"
-bytes=$(($bytes % 8))
+	gpg --sign --armor --detach $signed
-
+    else
-echo "Step 3: Appending $bytes null bytes to unsigned binary"
+	echo "failure"
-
+    fi
-truncate -s +$bytes $2
+done
-
-diff $out $2 && echo "Success!"