   DIR commit 95bbd9593bd67d222e0a7f109d9f2d32ba9eb956
   DIR parent c4ef5bfedb26074758b4202082fa00b740cd970d
  HTML Author: Johann Bauer <bauerj@bauerj.eu>
       Date:   Mon,  5 Feb 2018 15:22:57 +0100
       
       Add script to check and sign executables
       
       Diffstat:
         M contrib/build-wine/README.md        |      27 +++++++++++++++++++++++++++
         A contrib/build-wine/sign.sh          |      55 +++++++++++++++++++++++++++++++
       
       2 files changed, 82 insertions(+), 0 deletions(-)
       ---
   DIR diff --git a/contrib/build-wine/README.md b/contrib/build-wine/README.md
       t@@ -34,3 +34,30 @@ The binaries are also built by Travis CI, so if you are having problems,
        2. Make sure `/opt` is writable by the current user.
        3. Run `build.sh`.
        4. The generated binaries are in `./dist`.
       +
       +
       +Code Signing
       +============
       +
       +Electrum Windows builds are signed with a Microsoft Authenticodeā„¢ code signing
       +certificate in addition to the GPG-based signatures.
       +
       +The advantage of using Authenticode is that Electrum users won't receive a 
       +Windows SmartScreen warning when starting it.
       +
       +The release signing procedure involves a signer (the holder of the
       +certificate/key) and one or multiple trusted verifiers:
       +
       +
       +| Signer                                                    | Verifier                          |
       +|-----------------------------------------------------------|-----------------------------------|
       +| Build .exe files using `build.sh`                         |                                   |
       +|                                                           | Build .exe files using `build.sh` |
       +|                                                           | Sign .exe files using `gpg -b`    |
       +|                                                           | Send signatures to signer         |
       +| Place signatures as `$filename.$builder.asc` in `./dist`  |                                   |
       +| Run `./sign.sh`                                           |                                   |
       +
       +
       +`sign.sh` will check if the signatures match the signer's files. This ensures that the signer's
       +build environment is not compromised and that the binaries can be reproduced by anyone.
   DIR diff --git a/contrib/build-wine/sign.sh b/contrib/build-wine/sign.sh
       t@@ -0,0 +1,55 @@
       +#!/bin/bash
       +
       +here=$(dirname "$0")
       +test -n "$here" -a -d "$here" || exit
       +cd $here
       +
       +
       +CERT_FILE=${CERT_FILE:-~/codesigning/cert.pem}
       +KEY_FILE=${KEY_FILE:-~/codesigning/key.pem}
       +if [[ ! -f "$CERT_FILE" ]]; then
       +    ls $CERT_FILE
       +    echo "Make sure that $CERT_FILE and $KEY_FILE exist"
       +fi
       +
       +if ! which osslsigncode > /dev/null 2>&1; then
       +    echo "Please install osslsigncode"
       +fi
       +
       +mkdir -p ./signed/dist >/dev/null 2>&1
       +
       +echo "Found $(ls dist/*.exe | wc -w) files to sign."
       +for f in $(ls dist/*.exe); do
       +    echo "Checking GPG signatures for $f..."
       +    bad=0
       +    good=0
       +    for sig in $(ls $f.*.asc); do
       +        if gpg --verify $sig $f > /dev/null 2>&1; then
       +            (( good++ ))
       +        else
       +            (( bad++ ))
       +        fi
       +    done
       +    echo "$good good signature(s) for $f".
       +    if (( bad > 0 )); then
       +        echo "WARNING: $bad bad signature(s)"
       +        for sig in $(ls $f.*.asc); do
       +            gpg --verify $sig $f
       +            gpg --list-packets --verbose $sig
       +        done
       +        read -p "Do you want to continue (y/n)? " answer
       +        if [ "$answer" != "y" ]; then
       +            exit
       +        fi
       +    fi
       +    echo "Signing $f..."
       +    osslsigncode sign \
       +      -certs "$CERT_FILE" \
       +      -key "$KEY_FILE" \
       +      -n "Electrum" \
       +      -i "https://electrum.org/" \
       +      -t "http://timestamp.digicert.com/" \
       +      -in "$f" \
       +      -out "signed/$f"
       +    ls signed/$f -lah      
       +done
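Review bot: An executable with no verifier signatures at all is still signed: when `ls $f.*.asc` matches nothing the inner loop never runs, `good` and `bad` stay 0, the `(( bad > 0 ))` branch is skipped and osslsigncode runs anyway, which undercuts the README's claim that sign.sh checks the signer's build against independent verifiers. Add a minimum threshold before the `echo "Signing $f..."` line, e.g. `if (( good == 0 )); then echo "No valid signature for $f, refusing to sign" >&2; exit 1; fi`. The preflight checks on `$CERT_FILE` and on osslsigncode only print a message and fall through, so each should end with `exit 1` (the stray `ls $CERT_FILE` can go), and the bare `exit` after a failed directory check or a non-"y" answer returns status 0 — use `exit 1` so callers see the refusal. Note also that `gpg --verify` exits 0 for a valid signature by any key in the signer's keyring, so the "good" count is only meaningful if that keyring holds just the trusted verifiers' keys; a comment stating this, or pinning the keyring with `--keyring`, would make the assumption explicit. Unquoted `$here`, `$f` and `$sig` and the `$(ls …)` loops break on paths containing spaces; `for f in dist/*.exe` with `"$f"` quoted, and `read -r -p`, avoid this.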