commit fa6c213d5ff02abfdfd253fa4b29da73b258054f parent 1dc7ee7ac695c2668813f03e7dc1e8dc71a5edf7 Author: ThomasV <thomasv@electrum.org> Date: Sat, 30 Jun 2018 10:38:01 +0200 windows builds: sign the windows-signed files with gpg Diffstat: M contrib/build-wine/sign.sh | 34 ++++++------------------------- M contrib/build-wine/unsign.sh | 59 +++++++++++++++++-------------- 2 files changed, 38 insertions(+), 55 deletions(-) ---
diff --git a/contrib/build-wine/sign.sh b/contrib/build-wine/sign.sh t@@ -4,7 +4,6 @@ here=$(dirname "$0") test -n "$here" -a -d "$here" || exit cd $here - CERT_FILE=${CERT_FILE:-~/codesigning/cert.pem} KEY_FILE=${KEY_FILE:-~/codesigning/key.pem} if [[ ! -f "$CERT_FILE" ]]; then t@@ -16,32 +15,11 @@ if ! which osslsigncode > /dev/null 2>&1; then echo "Please install osslsigncode" fi -mkdir -p ./signed/dist >/dev/null 2>&1 +mkdir -p signed >/dev/null 2>&1 -echo "Found $(ls dist/*.exe | wc -w) files to sign." -for f in $(ls dist/*.exe); do - echo "Checking GPG signatures for $f..." - bad=0 - good=0 - for sig in $(ls $f.*.asc); do - if gpg --verify $sig $f > /dev/null 2>&1; then - (( good++ )) - else - (( bad++ )) - fi - done - echo "$good good signature(s) for $f". - if (( bad > 0 )); then - echo "WARNING: $bad bad signature(s)" - for sig in $(ls $f.*.asc); do - gpg --verify $sig $f - gpg --list-packets --verbose $sig - done - read -p "Do you want to continue (y/n)? " answer - if [ "$answer" != "y" ]; then - exit - fi - fi +cd dist +echo "Found $(ls *.exe | wc -w) files to sign." +for f in $(ls *.exe); do echo "Signing $f..." osslsigncode sign \ -certs "$CERT_FILE" \ t@@ -50,6 +28,6 @@ for f in $(ls dist/*.exe); do -i "https://electrum.org/" \ -t "http://timestamp.digicert.com/" \ -in "$f" \ - -out "signed/$f" - ls signed/$f -lah + -out "../signed/$f" + ls ../signed/$f -lah done DIR 
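Review bot: `cd dist` in the second hunk is unchecked, and no `set -e` is visible in this script, so if dist/ is missing the loop runs over whatever *.exe files sit in the script directory and hands them to osslsigncode with the code-signing key; use `cd dist || exit 1`. The loop `for f in $(ls *.exe)` and the unquoted `ls ../signed/$f -lah` in the last hunk word-split and glob file names, so `for f in *.exe; do` with `"$f"` quoted throughout is safer. With the pre-signing `gpg --verify` pass removed, nothing in the visible lines ties the contents of dist/ to a reviewed build before the Authenticode signature is applied, so a comment stating where that check now happens (presumably unsign.sh on the verifier side) would help. The script's first lines are outside the hunks.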
diff --git a/contrib/build-wine/unsign.sh b/contrib/build-wine/unsign.sh t@@ -8,40 +8,45 @@ if ! which osslsigncode > /dev/null 2>&1; then exit fi -if [ $# -ne 2 ]; then - echo "Usage: $0 signed_binary unsigned_binary" - exit -fi - -out="$1-stripped.exe" - -set -ex - -echo "Step 1: Remove PE signature from signed binary" -osslsigncode remove-signature -in $1 -out $out - -echo "Step 2: Remove checksum from signed binary" -python3 <<EOF +# exit if command fails +set -e + +mkdir -p stripped >/dev/null 2>&1 + +cd signed + +echo "Found $(ls *.exe | wc -w) files to verify." +for signed in $(ls *.exe); do + echo $signed + mine="../dist/$signed" + out="../stripped/$signed" + size=$( wc -c < $mine ) + # Step 1: Remove PE signature from signed binary + osslsigncode remove-signature -in $signed -out $out + # Step 2: Remove checksum and padding from signed binary + python3 <<EOF pe_file = "$out" +size= $size with open(pe_file, "rb") as f: binary = bytearray(f.read()) - pe_offset = int.from_bytes(binary[0x3c:0x3c+4], byteorder="little") checksum_offset = pe_offset + 88 - for b in range(4): binary[checksum_offset + b] = 0 - +l = len(binary) +n = l - size +if n > 0: + assert binary[-n:] == bytearray(n) + print("removing %d null bytes"% n) + binary = binary[:size] with open(pe_file, "wb") as f: f.write(binary) EOF - -bytes=$( wc -c < $2 ) -bytes=$((8 - ($bytes%8))) -bytes=$(($bytes % 8)) - -echo "Step 3: Appending $bytes null bytes to unsigned binary" - -truncate -s +$bytes $2 - -diff $out $2 && echo "Success!" + chmod +x $out + if [ ! $(diff $out $mine) ]; then + echo "Success!" + gpg --sign --armor --detach $signed + else + echo "failure" + fi +done
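Review bot: The gate in front of `gpg --sign --armor --detach $signed` tests diff's output text rather than its exit status: `[ ! $(diff $out $mine) ]` is true whenever diff prints nothing on stdout, which includes diff exiting with an error, and it only reaches the `failure` branch on a mismatch because `[` aborts with too many arguments. Since this comparison is what the detached signature attests to, compare by status with `if cmp -s -- "$out" "$mine"; then`. The failure branch only echoes and the loop carries on, so the script can still exit 0 after a mismatch; `exit 1` there would make that visible to callers. File names from signed/ are also word-split by `$(ls *.exe)` and interpolated unquoted into the commands and into the Python heredoc (`pe_file = "$out"`), so quoting them and passing the path to python3 as an argument would keep an odd file name from changing what runs.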