Add script to check and sign executables

2018-02-05 15:22:57 +01:00
parent c4ef5bfedb
commit 95bbd9593b
2 changed files with 82 additions and 0 deletions
--- a/contrib/build-wine/README.md
+++ b/contrib/build-wine/README.md
@@ -34,3 +34,30 @@ The binaries are also built by Travis CI, so if you are having problems,
 2. Make sure `/opt` is writable by the current user.
 3. Run `build.sh`.
 4. The generated binaries are in `./dist`.
+
+
+Code Signing
+============
+
+Electrum Windows builds are signed with a Microsoft Authenticode™ code signing
+certificate in addition to the GPG-based signatures.
+
+The advantage of using Authenticode is that Electrum users won't receive a 
+Windows SmartScreen warning when starting it.
+
+The release signing procedure involves a signer (the holder of the
+certificate/key) and one or multiple trusted verifiers:
+
+
+| Signer                                                    | Verifier                          |
+|-----------------------------------------------------------|-----------------------------------|
+| Build .exe files using `build.sh`                         |                                   |
+|                                                           | Build .exe files using `build.sh` |
+|                                                           | Sign .exe files using `gpg -b`    |
+|                                                           | Send signatures to signer         |
+| Place signatures as `$filename.$builder.asc` in `./dist`  |                                   |
+| Run `./sign.sh`                                           |                                   |
+
+
+`sign.sh` will check if the signatures match the signer's files. This ensures that the signer's
+build environment is not compromised and that the binaries can be reproduced by anyone.
--- a/contrib/build-wine/sign.sh
+++ b/contrib/build-wine/sign.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+here=$(dirname "$0")
+test -n "$here" -a -d "$here" || exit
+cd $here
+
+
+CERT_FILE=${CERT_FILE:-~/codesigning/cert.pem}
+KEY_FILE=${KEY_FILE:-~/codesigning/key.pem}
+if [[ ! -f "$CERT_FILE" ]]; then
+    ls $CERT_FILE
+    echo "Make sure that $CERT_FILE and $KEY_FILE exist"
+fi
+
+if ! which osslsigncode > /dev/null 2>&1; then
+    echo "Please install osslsigncode"
+fi
+
+mkdir -p ./signed/dist >/dev/null 2>&1
+
+echo "Found $(ls dist/*.exe | wc -w) files to sign."
+for f in $(ls dist/*.exe); do
+    echo "Checking GPG signatures for $f..."
+    bad=0
+    good=0
+    for sig in $(ls $f.*.asc); do
+        if gpg --verify $sig $f > /dev/null 2>&1; then
+            (( good++ ))
+        else
+            (( bad++ ))
+        fi
+    done
+    echo "$good good signature(s) for $f".
+    if (( bad > 0 )); then
+        echo "WARNING: $bad bad signature(s)"
+        for sig in $(ls $f.*.asc); do
+            gpg --verify $sig $f
+            gpg --list-packets --verbose $sig
+        done
+        read -p "Do you want to continue (y/n)? " answer
+        if [ "$answer" != "y" ]; then
+            exit
+        fi
+    fi
+    echo "Signing $f..."
+    osslsigncode sign \
+      -certs "$CERT_FILE" \
+      -key "$KEY_FILE" \
+      -n "Electrum" \
+      -i "https://electrum.org/" \
+      -t "http://timestamp.digicert.com/" \
+      -in "$f" \
+      -out "signed/$f"
+    ls signed/$f -lah      
+done