electrum

Electrum Bitcoin wallet
git clone https://git.parazyd.org/electrum

commit 8e32f494691f70b47d133c9caab6ff58911cb53c
parent 3e8ca80afdd8b1e7ff2e37da2bbc8f86808e3f9f
Author: SomberNight <somber.night@protonmail.com>
Date:   Mon,  6 May 2019 17:10:36 +0200

wine build: rm old README

Diffstat:
R contrib/build-wine/docker/Dockerfile -> contrib/build-wine/Dockerfile | 0
M contrib/build-wine/README.md | 116++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------------
D contrib/build-wine/docker/README.md | 103-------------------------------------------------------------------------------
3 files changed, 91 insertions(+), 128 deletions(-)

diff --git a/contrib/build-wine/docker/Dockerfile b/contrib/build-wine/Dockerfile diff --git a/contrib/build-wine/README.md b/contrib/build-wine/README.md 
@@ -1,37 +1,103 @@ -Windows Binary Builds -===================== +Deterministic Windows binaries with Docker +========================================== -These scripts can be used for cross-compilation of Windows Electrum executables from Linux/Wine. +Produced binaries are deterministic, so you should be able to generate +binaries that match the official releases. -For reproducible builds, see the `docker` folder. +This assumes an Ubuntu host, but it should not be too hard to adapt to another +similar system. The docker commands should be executed in the project's root +folder. +1. Install Docker -Usage: + ``` + $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - + $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" + $ sudo apt-get update + $ sudo apt-get install -y docker-ce + ``` +2. Build image -1. Install the following dependencies: + ``` + $ sudo docker build -t electrum-wine-builder-img contrib/build-wine + ``` - - dirmngr - - gpg - - 7Zip - - Wine (>= v2) - - (and, for building libsecp256k1) - - mingw-w64 - - autotools-dev - - autoconf - - libtool + Note: see [this](https://stackoverflow.com/a/40516974/7499128) if having dns problems +3. Build Windows binaries -For example: + It's recommended to build from a fresh clone + (but you can skip this if reproducibility is not necessary). -``` -$ sudo apt-get install wine-development dirmngr gnupg2 p7zip-full -$ sudo apt-get install mingw-w64 autotools-dev autoconf libtool -``` + ``` + $ FRESH_CLONE=contrib/build-wine/fresh_clone && \ + rm -rf $FRESH_CLONE && \ + mkdir -p $FRESH_CLONE && \ + cd $FRESH_CLONE && \ + git clone https://github.com/spesmilo/electrum.git && \ + cd electrum + ``` -The binaries are also built by Travis CI, so if you are having problems, -[that script](https://github.com/spesmilo/electrum/blob/master/.travis.yml) might help. 
+ And then build from this directory: + ``` + $ git checkout $REV + $ sudo docker run -it \ + --name electrum-wine-builder-cont \ + -v $PWD:/opt/wine64/drive_c/electrum \ + --rm \ + --workdir /opt/wine64/drive_c/electrum/contrib/build-wine \ + electrum-wine-builder-img \ + ./build.sh + ``` +4. The generated binaries are in `./contrib/build-wine/dist`. -2. Make sure `/opt` is writable by the current user. -3. Run `build.sh`. -4. The generated binaries are in `./dist`. + + +Note: the `setup` binary (NSIS installer) is not deterministic yet. + + +Code Signing +============ + +Electrum Windows builds are signed with a Microsoft Authenticodeā„¢ code signing +certificate in addition to the GPG-based signatures. + +The advantage of using Authenticode is that Electrum users won't receive a +Windows SmartScreen warning when starting it. + +The release signing procedure involves a signer (the holder of the +certificate/key) and one or multiple trusted verifiers: + + +| Signer | Verifier | +|-----------------------------------------------------------|-----------------------------------| +| Build .exe files using `build.sh` | | +| Sign .exe with `./sign.sh` | | +| Upload signed files to download server | | +| | Build .exe files using `build.sh` | +| | Compare files using `unsign.sh` | +| | Sign .exe file using `gpg -b` | + +| Signer and verifiers: | +|-----------------------------------------------------------------------------------------------| +| Upload signatures to 'electrum-signatures' repo, as `$version/$filename.$builder.asc` | + + + +Verify Integrity of signed binary +================================= + +Every user can verify that the official binary was created from the source code in this +repository. To do so, the Authenticode signature needs to be stripped since the signature +is not reproducible. + +This procedure removes the differences between the signed and unsigned binary: + +1. Remove the signature from the signed binary using osslsigncode or signtool. +2. 
Set the COFF image checksum for the signed binary to 0x0. This is necessary + because pyinstaller doesn't generate a checksum. +3. Append null bytes to the _unsigned_ binary until the byte count is a multiple + of 8. + +The script `unsign.sh` performs these steps. diff --git a/contrib/build-wine/docker/README.md b/contrib/build-wine/docker/README.md 
@@ -1,103 +0,0 @@ -Deterministic Windows binaries with Docker -========================================== - -Produced binaries are deterministic, so you should be able to generate -binaries that match the official releases. - -This assumes an Ubuntu host, but it should not be too hard to adapt to another -similar system. The docker commands should be executed in the project's root -folder. - -1. Install Docker - - ``` - $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - - $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" - $ sudo apt-get update - $ sudo apt-get install -y docker-ce - ``` - -2. Build image - - ``` - $ sudo docker build -t electrum-wine-builder-img contrib/build-wine/docker - ``` - - Note: see [this](https://stackoverflow.com/a/40516974/7499128) if having dns problems - -3. Build Windows binaries - - It's recommended to build from a fresh clone - (but you can skip this if reproducibility is not necessary). - - ``` - $ FRESH_CLONE=contrib/build-wine/fresh_clone && \ - rm -rf $FRESH_CLONE && \ - mkdir -p $FRESH_CLONE && \ - cd $FRESH_CLONE && \ - git clone https://github.com/spesmilo/electrum.git && \ - cd electrum - ``` - - And then build from this directory: - ``` - $ git checkout $REV - $ sudo docker run -it \ - --name electrum-wine-builder-cont \ - -v $PWD:/opt/wine64/drive_c/electrum \ - --rm \ - --workdir /opt/wine64/drive_c/electrum/contrib/build-wine \ - electrum-wine-builder-img \ - ./build.sh - ``` -4. The generated binaries are in `./contrib/build-wine/dist`. - - - -Note: the `setup` binary (NSIS installer) is not deterministic yet. - - -Code Signing -============ - -Electrum Windows builds are signed with a Microsoft Authenticodeā„¢ code signing -certificate in addition to the GPG-based signatures. - -The advantage of using Authenticode is that Electrum users won't receive a -Windows SmartScreen warning when starting it. 
- -The release signing procedure involves a signer (the holder of the -certificate/key) and one or multiple trusted verifiers: - - -| Signer | Verifier | -|-----------------------------------------------------------|-----------------------------------| -| Build .exe files using `build.sh` | | -| Sign .exe with `./sign.sh` | | -| Upload signed files to download server | | -| | Build .exe files using `build.sh` | -| | Compare files using `unsign.sh` | -| | Sign .exe file using `gpg -b` | - -| Signer and verifiers: | -|-----------------------------------------------------------------------------------------------| -| Upload signatures to 'electrum-signatures' repo, as `$version/$filename.$builder.asc` | - - - -Verify Integrity of signed binary -================================= - -Every user can verify that the official binary was created from the source code in this -repository. To do so, the Authenticode signature needs to be stripped since the signature -is not reproducible. - -This procedure removes the differences between the signed and unsigned binary: - -1. Remove the signature from the signed binary using osslsigncode or signtool. -2. Set the COFF image checksum for the signed binary to 0x0. This is necessary - because pyinstaller doesn't generate a checksum. -3. Append null bytes to the _unsigned_ binary until the byte count is a multiple - of 8. - -The script `unsign.sh` performs these steps.
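Review bot: In the contrib/build-wine/README.md hunk, step 2 now uses `contrib/build-wine` as the Docker build context, while step 3 still creates the fresh clone at `contrib/build-wine/fresh_clone`, so any later rebuild of the image sends the whole nested clone (and its `dist` output) to the daemon as context. Whether that changes the image depends on the Dockerfile, which this commit moves unchanged, but for a build that is meant to be deterministic it would be safer to add a `.dockerignore` covering `fresh_clone` and `dist`, or to move the fresh clone outside the context directory. Separately, `git checkout $REV` in step 3 never says what `$REV` should be; since this is now the only build README, a sentence telling verifiers to check out the release tag they are reproducing would help.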
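Review bot: In the contrib/build-wine/docker/README.md deletion, the removed file is the one the old top-level README pointed to with "For reproducible builds, see the `docker` folder", and this commit touches only three files, so any other reference to `contrib/build-wine/docker` (docs, scripts, CI configuration) would now be stale. Please grep the tree for `build-wine/docker` and update what turns up in this commit, and consider saying in the commit message that the Docker instructions were moved into contrib/build-wine/README.md rather than dropped, since "rm old README" reads as if only a file was removed.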