electrum

Electrum Bitcoin wallet
git clone https://git.parazyd.org/electrum
Log | Files | Refs | Submodules

README.md (4019B)


      1 Windows binaries
      2 ================
      3 
      4 ✓ _These binaries should be reproducible, meaning you should be able to generate
      5    binaries that match the official releases._
      6 
      7 This assumes an Ubuntu (x86_64) host, but it should not be too hard to adapt to another
      8 similar system. The docker commands should be executed in the project's root
      9 folder.
     10 
     11 1. Install Docker
     12 
     13     ```
     14     $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
     15     $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
     16     $ sudo apt-get update
     17     $ sudo apt-get install -y docker-ce
     18     ```
     19 
     20     Note: older versions of Docker might not work well
     21     (see [#6971](https://github.com/spesmilo/electrum/issues/6971)).
     22     If having problems, try to upgrade to at least `docker 20.10`.
     23 
     24 2. Build image
     25 
     26     ```
     27     $ sudo docker build -t electrum-wine-builder-img contrib/build-wine
     28     ```
     29 
     30     Note: see [this](https://stackoverflow.com/a/40516974/7499128) if having dns problems
     31 
     32 3. Build Windows binaries
     33 
     34     It's recommended to build from a fresh clone
     35     (but you can skip this if reproducibility is not necessary).
     36 
     37     ```
     38     $ FRESH_CLONE=contrib/build-wine/fresh_clone && \
     39         sudo rm -rf $FRESH_CLONE && \
     40         mkdir -p $FRESH_CLONE && \
     41         cd $FRESH_CLONE  && \
     42         git clone https://github.com/spesmilo/electrum.git && \
     43         cd electrum
     44     ```
     45 
     46     And then build from this directory:
     47     ```
     48     $ git checkout $REV
     49     $ sudo docker run -it \
     50         --name electrum-wine-builder-cont \
     51         -v $PWD:/opt/wine64/drive_c/electrum \
     52         --rm \
     53         --workdir /opt/wine64/drive_c/electrum/contrib/build-wine \
     54         electrum-wine-builder-img \
     55         ./build.sh
     56     ```
     57 4. The generated binaries are in `./contrib/build-wine/dist`.
     58 
     59 
     60 
     61 Code Signing
     62 ============
     63 
     64 Electrum Windows builds are signed with a Microsoft Authenticode™ code signing
     65 certificate in addition to the GPG-based signatures.
     66 
     67 The advantage of using Authenticode is that Electrum users won't receive a 
     68 Windows SmartScreen warning when starting it.
     69 
     70 The release signing procedure involves a signer (the holder of the
     71 certificate/key) and one or multiple trusted verifiers:
     72 
     73 
     74 | Signer                                                    | Verifier                          |
     75 |-----------------------------------------------------------|-----------------------------------|
     76 | Build .exe files using `build.sh`                         |                                   |
     77 | Sign .exe with `./sign.sh`                                |                                   |
     78 | Upload signed files to download server                    |                                   |
     79 |                                                           | Build .exe files using `build.sh` |
     80 |                                                           | Compare files using `unsign.sh`   |
     81 |                                                           | Sign .exe file using `gpg -b`     |
     82 
     83 | Signer and verifiers:                                                                         |
     84 |-----------------------------------------------------------------------------------------------|
     85 | Upload signatures to 'electrum-signatures' repo, as `$version/$filename.$builder.asc`         |
     86 
     87 
     88 
     89 Verify Integrity of signed binary
     90 =================================
     91 
     92 Every user can verify that the official binary was created from the source code in this 
     93 repository. To do so, the Authenticode signature needs to be stripped since the signature
     94 is not reproducible.
     95 
     96 This procedure removes the differences between the signed and unsigned binary:
     97 
     98 1. Remove the signature from the signed binary using osslsigncode or signtool.
     99 2. Set the COFF image checksum for the signed binary to 0x0. This is necessary
    100    because pyinstaller doesn't generate a checksum.
    101 3. Append null bytes to the _unsigned_ binary until the byte count is a multiple
    102    of 8.
    103 
    104 The script `unsign.sh` performs these steps.