parazyd.org/1/git/electrum/commit/240dc888ec0a533cc5f4e5180afd2fc797ea994a.gph

  URI:

       tAdd script to strip signature from signed binary - electrum - Electrum Bitcoin wallet
  HTML git clone https://git.parazyd.org/electrum
   DIR Log
   DIR Files
   DIR Refs
   DIR Submodules
       ---
   DIR commit 240dc888ec0a533cc5f4e5180afd2fc797ea994a
   DIR parent 95bbd9593bd67d222e0a7f109d9f2d32ba9eb956
  HTML Author: root <bauerj@bauerj.eu>
       Date:   Thu, 28 Jun 2018 22:25:57 +0200
       
       Add script to strip signature from signed binary
       
       Diffstat:
         M contrib/build-wine/README.md        |      18 ++++++++++++++++++
         A contrib/build-wine/unsign.sh        |      45 +++++++++++++++++++++++++++++++
       
       2 files changed, 63 insertions(+), 0 deletions(-)
       ---
   DIR diff --git a/contrib/build-wine/README.md b/contrib/build-wine/README.md
       t@@ -61,3 +61,21 @@ certificate/key) and one or multiple trusted verifiers:
        
        `sign.sh` will check if the signatures match the signer's files. This ensures that the signer's
        build environment is not compromised and that the binaries can be reproduced by anyone.
       +
       +
       +Verify Integrity of signed binary
       +=================================
       +
       +Every user can verify that the official binary was created from the source code in this 
       +repository. To do so, the Authenticode signature needs to be stripped since the signature
       +is not reproducible.
       +
       +This procedure removes the differences between the signed and unsigned binary:
       +
       +1. Remove the signature from the signed binary using osslsigncode or signtool.
       +2. Set the COFF image checksum for the signed binary to 0x0. This is necessary
       +   because pyinstaller doesn't generate a checksum.
       +3. Append null bytes to the _unsigned_ binary until the byte count is a multiple
       +   of 8.
       +
       +The script `unsign.sh` performs these steps.
   DIR diff --git a/contrib/build-wine/unsign.sh b/contrib/build-wine/unsign.sh
       t@@ -0,0 +1,45 @@
       +#!/bin/bash
       +here=$(dirname "$0")
       +test -n "$here" -a -d "$here" || exit
       +cd $here
       +
       +if ! which osslsigncode > /dev/null 2>&1; then
       +    echo "Please install osslsigncode"
       +fi
       +
       +if [ $# -neq 2 ]; then
       +    echo "Usage: $0 signed_binary unsigned_binary"
       +fi
       +
       +out="$1-stripped.exe"
       +
       +set -ex
       +
       +echo "Step 1: Remove PE signature from signed binary"
       +osslsigncode remove-signature -in $1 -out $out
       +
       +echo "Step 2: Remove checksum from signed binary"
       +python3 <<EOF
       +pe_file = "$out"
       +with open(pe_file, "rb") as f:
       +    binary = bytearray(f.read())
       +
       +pe_offset = int.from_bytes(binary[0x3c:0x3c+4], byteorder="little")
       +checksum_offset = pe_offset + 88
       +
       +for b in range(4):
       +    binary[checksum_offset + b] = 0
       +
       +with open(pe_file, "wb") as f:
       +    f.write(binary)
       +EOF
       +
       +bytes=$( wc -c < $2 )
       +bytes=$((8 - ($bytes%8)))
       +bytes=$(($bytes % 8))
       +
       +echo "Step 3: Appending $bytes null bytes to unsigned binary"
       +
       +truncate -s +$bytes $2
       +
       +diff $out $2 && echo "Success!"