electrum

Electrum Bitcoin wallet
git clone https://git.parazyd.org/electrum
Log | Files | Refs | Submodules

commit 95bbd9593bd67d222e0a7f109d9f2d32ba9eb956
parent c4ef5bfedb26074758b4202082fa00b740cd970d
Author: Johann Bauer <bauerj@bauerj.eu>
Date:   Mon,  5 Feb 2018 15:22:57 +0100

Add script to check and sign executables

Diffstat:
Mcontrib/build-wine/README.md | 27+++++++++++++++++++++++++++
Acontrib/build-wine/sign.sh | 55+++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 82 insertions(+), 0 deletions(-)

diff --git a/contrib/build-wine/README.md b/contrib/build-wine/README.md @@ -34,3 +34,30 @@ The binaries are also built by Travis CI, so if you are having problems, 2. Make sure `/opt` is writable by the current user. 3. Run `build.sh`. 4. The generated binaries are in `./dist`. + + +Code Signing +============ + +Electrum Windows builds are signed with a Microsoft Authenticodeā„¢ code signing +certificate in addition to the GPG-based signatures. + +The advantage of using Authenticode is that Electrum users won't receive a +Windows SmartScreen warning when starting it. + +The release signing procedure involves a signer (the holder of the +certificate/key) and one or multiple trusted verifiers: + + +| Signer | Verifier | +|-----------------------------------------------------------|-----------------------------------| +| Build .exe files using `build.sh` | | +| | Build .exe files using `build.sh` | +| | Sign .exe files using `gpg -b` | +| | Send signatures to signer | +| Place signatures as `$filename.$builder.asc` in `./dist` | | +| Run `./sign.sh` | | + + +`sign.sh` will check if the signatures match the signer's files. This ensures that the signer's +build environment is not compromised and that the binaries can be reproduced by anyone. diff --git a/contrib/build-wine/sign.sh b/contrib/build-wine/sign.sh @@ -0,0 +1,55 @@ +#!/bin/bash + +here=$(dirname "$0") +test -n "$here" -a -d "$here" || exit +cd $here + + +CERT_FILE=${CERT_FILE:-~/codesigning/cert.pem} +KEY_FILE=${KEY_FILE:-~/codesigning/key.pem} +if [[ ! -f "$CERT_FILE" ]]; then + ls $CERT_FILE + echo "Make sure that $CERT_FILE and $KEY_FILE exist" +fi + +if ! which osslsigncode > /dev/null 2>&1; then + echo "Please install osslsigncode" +fi + +mkdir -p ./signed/dist >/dev/null 2>&1 + +echo "Found $(ls dist/*.exe | wc -w) files to sign." +for f in $(ls dist/*.exe); do + echo "Checking GPG signatures for $f..." + bad=0 + good=0 + for sig in $(ls $f.*.asc); do + if gpg --verify $sig $f > /dev/null 2>&1; then + (( good++ )) + else + (( bad++ )) + fi + done + echo "$good good signature(s) for $f". + if (( bad > 0 )); then + echo "WARNING: $bad bad signature(s)" + for sig in $(ls $f.*.asc); do + gpg --verify $sig $f + gpg --list-packets --verbose $sig + done + read -p "Do you want to continue (y/n)? " answer + if [ "$answer" != "y" ]; then + exit + fi + fi + echo "Signing $f..." + osslsigncode sign \ + -certs "$CERT_FILE" \ + -key "$KEY_FILE" \ + -n "Electrum" \ + -i "https://electrum.org/" \ + -t "http://timestamp.digicert.com/" \ + -in "$f" \ + -out "signed/$f" + ls signed/$f -lah +done