c1dbcab9bb
This commit ports the work of EchterAgo and cculianu from Electron-Cash, to implement a new toolchain to scan qr codes. Previously, on Linux and Win, we have been using zbar to access the camera and read qrcodes; and on macOS we used CalinsQRReader (an objective-C project by cculianu). The new toolchain added here can use QtMultimedia to access the camera, and then feed that image into zbar. When used this way, zbar needs fewer dependencies and is easier to compile, in particular it can be compiled for macOS. The new toolchain works on all three platforms, with some caveats (see code comments in related commits) -- so we also keep the end-to-end zbar toolchain; but at least we can drop CalinsQRReader. The related changes in Electron-Cash are spread over 50+ commits (several PRs and direct pushes to master), but see in particular: https://github.com/Electron-Cash/Electron-Cash/pull/1376 some other interesting links:b2b737001c163224cf1f3b31e0fcb1eda015908ehttps://github.com/Electron-Cash/Electron-Cash/pull/1545052aa06c23
Windows binaries
✓ These binaries should be reproducible, meaning you should be able to generate binaries that match the official releases.
This assumes an Ubuntu (x86_64) host, but it should not be too hard to adapt to another similar system.
-
Install Docker
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" $ sudo apt-get update $ sudo apt-get install -y docker-ceNote: older versions of Docker might not work well (see #6971). If having problems, try to upgrade to at least
docker 20.10. -
Build Windows binaries
$ ./build.shIf you want reproducibility, try instead e.g.:
$ ELECBUILD_COMMIT=HEAD ELECBUILD_NOCACHE=1 ./build.sh -
The generated binaries are in
./contrib/build-wine/dist.
Code Signing
Electrum Windows builds are signed with a Microsoft Authenticode™ code signing certificate in addition to the GPG-based signatures.
The advantage of using Authenticode is that Electrum users won't receive a Windows SmartScreen warning when starting it.
The release signing procedure involves a signer (the holder of the certificate/key) and one or multiple trusted verifiers:
| Signer | Verifier |
|---|---|
Build .exe files using make_win.sh |
|
Sign .exe with ./sign.sh |
|
| Upload signed files to download server | |
Build .exe files using make_win.sh |
|
Compare files using unsign.sh |
|
Sign .exe file using gpg -b |
| Signer and verifiers: |
|---|
Upload signatures to 'electrum-signatures' repo, as $version/$filename.$builder.asc |
Verify Integrity of signed binary
Every user can verify that the official binary was created from the source code in this repository. To do so, the Authenticode signature needs to be stripped since the signature is not reproducible.
This procedure removes the differences between the signed and unsigned binary:
- Remove the signature from the signed binary using osslsigncode or signtool.
- Set the COFF image checksum for the signed binary to 0x0. This is necessary because pyinstaller doesn't generate a checksum.
- Append null bytes to the unsigned binary until the byte count is a multiple of 8.
The script unsign.sh performs these steps.