AaronFiore/electrum
1
0
Fork 0
Code Activity

Add script to strip signature from signed binary

Browse Source
This commit is contained in:
root
2018-06-28 22:25:57 +02:00
committed by ThomasV
parent 95bbd9593b
commit 240dc888ec
2 changed files with 63 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
contrib/build-wine/README.md
View File

@@ -61,3 +61,21 @@ certificate/key) and one or multiple trusted verifiers:
`sign.sh` will check if the signatures match the signer's files. This ensures that the signer's `sign.sh` will check if the signatures match the signer's files. This ensures that the signer's
build environment is not compromised and that the binaries can be reproduced by anyone. build environment is not compromised and that the binaries can be reproduced by anyone.
Verify Integrity of signed binary
=================================
Every user can verify that the official binary was created from the source code in this
repository. To do so, the Authenticode signature needs to be stripped since the signature
is not reproducible.
This procedure removes the differences between the signed and unsigned binary:
1. Remove the signature from the signed binary using osslsigncode or signtool.
2. Set the COFF image checksum for the signed binary to 0x0. This is necessary
because pyinstaller doesn't generate a checksum.
3. Append null bytes to the _unsigned_ binary until the byte count is a multiple
of 8.
The script `unsign.sh` performs these steps.

45
contrib/build-wine/unsign.sh Normal file
View File

@@ -0,0 +1,45 @@
#!/bin/bash
here=$(dirname "$0")
test -n "$here" -a -d "$here" || exit
cd $here
if ! which osslsigncode > /dev/null 2>&1; then
echo "Please install osslsigncode"
fi
if [ $# -neq 2 ]; then
echo "Usage: $0 signed_binary unsigned_binary"
fi
out="$1-stripped.exe"
set -ex
echo "Step 1: Remove PE signature from signed binary"
osslsigncode remove-signature -in $1 -out $out
echo "Step 2: Remove checksum from signed binary"
python3 <<EOF
pe_file = "$out"
with open(pe_file, "rb") as f:
binary = bytearray(f.read())
pe_offset = int.from_bytes(binary[0x3c:0x3c+4], byteorder="little")
checksum_offset = pe_offset + 88
for b in range(4):
binary[checksum_offset + b] = 0
with open(pe_file, "wb") as f:
f.write(binary)
EOF
bytes=$( wc -c < $2 )
bytes=$((8 - ($bytes%8)))
bytes=$(($bytes % 8))
echo "Step 3: Appending $bytes null bytes to unsigned binary"
truncate -s +$bytes $2
diff $out $2 && echo "Success!"