electrum

Electrum Bitcoin wallet
git clone https://git.parazyd.org/electrum

commit 240dc888ec0a533cc5f4e5180afd2fc797ea994a
parent 95bbd9593bd67d222e0a7f109d9f2d32ba9eb956
Author: root <bauerj@bauerj.eu>
Date:   Thu, 28 Jun 2018 22:25:57 +0200

Add script to strip signature from signed binary

Diffstat:
M contrib/build-wine/README.md | 18 ++++++++++++++++++
A contrib/build-wine/unsign.sh | 45 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 63 insertions(+), 0 deletions(-)

diff --git a/contrib/build-wine/README.md b/contrib/build-wine/README.md @@ -61,3 +61,21 @@ certificate/key) and one or multiple trusted verifiers: `sign.sh` will check if the signatures match the signer's files. This ensures that the signer's build environment is not compromised and that the binaries can be reproduced by anyone. + + +Verify Integrity of signed binary +================================= + +Every user can verify that the official binary was created from the source code in this +repository. To do so, the Authenticode signature needs to be stripped since the signature +is not reproducible. + +This procedure removes the differences between the signed and unsigned binary: + +1. Remove the signature from the signed binary using osslsigncode or signtool. +2. Set the COFF image checksum for the signed binary to 0x0. This is necessary + because pyinstaller doesn't generate a checksum. +3. Append null bytes to the _unsigned_ binary until the byte count is a multiple + of 8. + +The script `unsign.sh` performs these steps. diff --git a/contrib/build-wine/unsign.sh b/contrib/build-wine/unsign.sh 
@@ -0,0 +1,45 @@ +#!/bin/bash +here=$(dirname "$0") +test -n "$here" -a -d "$here" || exit +cd $here + +if ! which osslsigncode > /dev/null 2>&1; then + echo "Please install osslsigncode" +fi + +if [ $# -neq 2 ]; then + echo "Usage: $0 signed_binary unsigned_binary" +fi + +out="$1-stripped.exe" + +set -ex + +echo "Step 1: Remove PE signature from signed binary" +osslsigncode remove-signature -in $1 -out $out + +echo "Step 2: Remove checksum from signed binary" +python3 <<EOF +pe_file = "$out" +with open(pe_file, "rb") as f: + binary = bytearray(f.read()) + +pe_offset = int.from_bytes(binary[0x3c:0x3c+4], byteorder="little") +checksum_offset = pe_offset + 88 + +for b in range(4): + binary[checksum_offset + b] = 0 + +with open(pe_file, "wb") as f: + f.write(binary) +EOF + +bytes=$( wc -c < $2 ) +bytes=$((8 - ($bytes%8))) +bytes=$(($bytes % 8)) + +echo "Step 3: Appending $bytes null bytes to unsigned binary" + +truncate -s +$bytes $2 + +diff $out $2 && echo "Success!"
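Review bot: Step 3 of the new "Verify Integrity of signed binary" section in README.md gives no reason for padding the unsigned binary to a multiple of 8 bytes, while step 2 does explain itself; add a sentence on why the padding is needed so a verifier can judge whether that difference is benign. The section ends at "The script `unsign.sh` performs these steps" without stating the argument order (`signed_binary unsigned_binary`), that the stripped copy is written to `<signed_binary>-stripped.exe`, that the unsigned file is modified in place by the padding step, or that the final byte-for-byte comparison is the actual verification. Step 1 also names signtool as an option, but the script only calls osslsigncode; the text should say which tool the script requires.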
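Review bot: The argument check `if [ $# -neq 2 ]` in unsign.sh uses `-neq`, which is not a `test` operator, so the condition fails with an error and the usage message is never printed; use `-ne`. Neither that branch nor the `which osslsigncode` branch exits, and both run before `set -ex`, so the script carries on with missing arguments or a missing tool; add `exit 1` to each. `cd $here` runs before `$1` and `$2` are used, so relative paths are resolved against the script directory instead of the caller's working directory; either drop the `cd` or resolve the arguments to absolute paths first. `$here`, `$1`, `$2` and `$out` are unquoted throughout, which breaks on paths containing spaces. The last line, `diff $out $2 && echo "Success!"`, leaves a mismatch to diff's own output; for a verification script an explicit failure message would make the result unambiguous.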