wine-build: clarify to use docker for reproducible builds. move parts of readme.

2018-08-15 13:22:24 +02:00
parent 3089edd3a2
commit db834800c0
2 changed files with 51 additions and 47 deletions
--- a/contrib/build-wine/README.md
+++ b/contrib/build-wine/README.md
@@ -2,7 +2,8 @@ Windows Binary Builds
 =====================
 These scripts can be used for cross-compilation of Windows Electrum executables from Linux/Wine.
-Produced binaries are deterministic, so you should be able to generate binaries that match the official releases. 
+
 For reproducible builds, see the `docker` folder.
 Usage:
@@ -34,49 +35,3 @@ The binaries are also built by Travis CI, so if you are having problems,
 2. Make sure `/opt` is writable by the current user.
 3. Run `build.sh`.
 4. The generated binaries are in `./dist`.
 Code Signing
 ============
 Electrum Windows builds are signed with a Microsoft Authenticode™ code signing
 certificate in addition to the GPG-based signatures.
 The advantage of using Authenticode is that Electrum users won't receive a 
 Windows SmartScreen warning when starting it.
 The release signing procedure involves a signer (the holder of the
 certificate/key) and one or multiple trusted verifiers:
 | Signer                                                    | Verifier                          |
 |-----------------------------------------------------------|-----------------------------------|
 | Build .exe files using `build.sh`                         |                                   |
 | Sign .exe with `./sign.sh`                                |                                   |
 | Upload signed files to download server                    |                                   |
 |                                                           | Build .exe files using `build.sh` |
 |                                                           | Compare files using `unsign.sh`   |
 |                                                           | Sign .exe file using `gpg -b`     |
 | Signer and verifiers:
 | Upload signatures to 'electrum-signatures' repo, as `$version/$filename.$builder.asc`         |
 Verify Integrity of signed binary
 =================================
 Every user can verify that the official binary was created from the source code in this 
 repository. To do so, the Authenticode signature needs to be stripped since the signature
 is not reproducible.
 This procedure removes the differences between the signed and unsigned binary:
 1. Remove the signature from the signed binary using osslsigncode or signtool.
 2. Set the COFF image checksum for the signed binary to 0x0. This is necessary
   because pyinstaller doesn't generate a checksum.
 3. Append null bytes to the _unsigned_ binary until the byte count is a multiple
   of 8.
 The script `unsign.sh` performs these steps.
--- a/contrib/build-wine/docker/README.md
+++ b/contrib/build-wine/docker/README.md
@@ -1,6 +1,9 @@
 Deterministic Windows binaries with Docker
 ==========================================
 Produced binaries are deterministic, so you should be able to generate
 binaries that match the official releases.
 This assumes an Ubuntu host, but it should not be too hard to adapt to another
 similar system. The docker commands should be executed in the project's root
 folder.
@@ -39,3 +42,49 @@ folder.
 Note: the `setup` binary (NSIS installer) is not deterministic yet.
 Code Signing
 ============
 Electrum Windows builds are signed with a Microsoft Authenticode™ code signing
 certificate in addition to the GPG-based signatures.
 The advantage of using Authenticode is that Electrum users won't receive a 
 Windows SmartScreen warning when starting it.
 The release signing procedure involves a signer (the holder of the
 certificate/key) and one or multiple trusted verifiers:
 | Signer                                                    | Verifier                          |
 |-----------------------------------------------------------|-----------------------------------|
 | Build .exe files using `build.sh`                         |                                   |
 | Sign .exe with `./sign.sh`                                |                                   |
 | Upload signed files to download server                    |                                   |
 |                                                           | Build .exe files using `build.sh` |
 |                                                           | Compare files using `unsign.sh`   |
 |                                                           | Sign .exe file using `gpg -b`     |
 | Signer and verifiers:                                                                         |
 |-----------------------------------------------------------------------------------------------|
 | Upload signatures to 'electrum-signatures' repo, as `$version/$filename.$builder.asc`         |
 Verify Integrity of signed binary
 =================================
 Every user can verify that the official binary was created from the source code in this 
 repository. To do so, the Authenticode signature needs to be stripped since the signature
 is not reproducible.
 This procedure removes the differences between the signed and unsigned binary:
 1. Remove the signature from the signed binary using osslsigncode or signtool.
 2. Set the COFF image checksum for the signed binary to 0x0. This is necessary
   because pyinstaller doesn't generate a checksum.
 3. Append null bytes to the _unsigned_ binary until the byte count is a multiple
   of 8.
 The script `unsign.sh` performs these steps.