twinbuilds: update README. Do not sign in unsign.sh - electrum - Electrum Bitcoin wallet HTML git clone https://git.parazyd.org/electrum DIR Log DIR Files DIR Refs DIR Submodules --- DIR commit 0119ab9ee1c4b07255442c7c91a7119ca989b64c DIR parent d467a5a8ec9353d9ccf0fea980a4fc44eef1d475 HTML Author: ThomasV <thomasv@electrum.org> Date: Sat, 30 Jun 2018 13:22:46 +0200 winbuilds: update README. Do not sign in unsign.sh Diffstat: M contrib/build-wine/README.md | 13 +++++++------ M contrib/build-wine/unsign.sh | 10 ++++------ 2 files changed, 11 insertions(+), 12 deletions(-) --- DIR diff --git a/contrib/build-wine/README.md b/contrib/build-wine/README.md t@@ -52,15 +52,16 @@ certificate/key) and one or multiple trusted verifiers: | Signer | Verifier | |-----------------------------------------------------------|-----------------------------------| | Build .exe files using `build.sh` | | +| Sign .exe with `./sign.sh` | | +| Upload signed files to download server | | | | Build .exe files using `build.sh` | -| | Sign .exe files using `gpg -b` | -| | Send signatures to signer | -| Place signatures as `$filename.$builder.asc` in `./dist` | | -| Run `./sign.sh` | | +| | Compare files using `unsign.sh` | +| | Sign .exe file using `gpg -b` | + +| Signer and verifiers: +| Upload signatures to 'electrum-signatures' repo, as `$version/$filename.$builder.asc` | -`sign.sh` will check if the signatures match the signer's files. This ensures that the signer's -build environment is not compromised and that the binaries can be reproduced by anyone. Verify Integrity of signed binary DIR 
diff --git a/contrib/build-wine/unsign.sh b/contrib/build-wine/unsign.sh t@@ -17,12 +17,11 @@ cd signed echo "Found $(ls *.exe | wc -w) files to verify." for signed in $(ls *.exe); do - echo $signed mine="../dist/$signed" out="../stripped/$signed" size=$( wc -c < $mine ) # Step 1: Remove PE signature from signed binary - osslsigncode remove-signature -in $signed -out $out + osslsigncode remove-signature -in $signed -out $out > /dev/null 2>&1 # Step 2: Remove checksum and padding from signed binary python3 <<EOF pe_file = "$out" t@@ -37,16 +36,15 @@ l = len(binary) n = l - size if n > 0: assert binary[-n:] == bytearray(n) - print("removing %d null bytes"% n) binary = binary[:size] with open(pe_file, "wb") as f: f.write(binary) EOF chmod +x $out if [ ! $(diff $out $mine) ]; then - echo "Success!" - gpg --sign --armor --detach $signed + echo "Success: $signed" + #gpg --sign --armor --detach $signed else - echo "failure" + echo "Failure: $signed" fi done
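Review bot: The redirect added to the `osslsigncode remove-signature` call in the first unsign.sh hunk discards stderr as well as stdout, and no visible line checks the exit status, so a failed strip is silent. If a file of the same name is left in `../stripped` from an earlier run, the later steps would, as far as this hunk shows, operate on that stale file. I would keep stderr and skip the file on failure: `osslsigncode remove-signature -in "$signed" -out "$out" > /dev/null || { echo "Failure: $signed (remove-signature)"; continue; }`. The `for` loop body continues past the end of this hunk.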
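Review bot: The "Success: $signed" verdict in the second unsign.sh hunk is decided by `[ ! $(diff $out $mine) ]`, which tests the text diff writes to stdout and not its exit status. When diff writes nothing to stdout the test collapses to `[ ! ]`, which is true, and that includes the case where diff itself fails and reports only on stderr (for example when `$mine` is missing). The README change in this commit has verifiers sign after comparing with `unsign.sh`, so this check should fail closed: `if cmp -s -- "$out" "$mine"; then`. Quoting `$out`, `$mine` and `$signed` throughout the loop would also keep unusual filenames from changing what is compared; the loop starts in the previous hunk.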