b5951adc29
see https://github.com/spesmilo/electrum/pull/7721#issuecomment-1072669548 ----- pyinstaller 4.2 failed (during its runtime) to create exes (worked with cpython 3.9.10, but not with cpython 3.9.11): ``` 80572 INFO: Processing module hooks... 80573 INFO: Loading module hook 'hook-certifi.py' from 'C:\\python3\\lib\\site-packages\\_pyinstaller_hooks_contrib\\hooks\\stdhooks'... 80618 INFO: Loading module hook 'hook-cryptography.py' from 'C:\\python3\\lib\\site-packages\\_pyinstaller_hooks_contrib\\hooks\\stdhooks'... 82879 INFO: Loading module hook 'hook-dns.rdata.py' from 'C:\\python3\\lib\\site-packages\\_pyinstaller_hooks_contrib\\hooks\\stdhooks'... 84147 INFO: Loading module hook 'hook-mnemonic.py' from 'C:\\python3\\lib\\site-packages\\_pyinstaller_hooks_contrib\\hooks\\stdhooks'... 84207 INFO: Loading module hook 'hook-pycparser.py' from 'C:\\python3\\lib\\site-packages\\_pyinstaller_hooks_contrib\\hooks\\stdhooks'... 84212 INFO: Loading module hook 'hook-usb1.py' from 'C:\\python3\\lib\\site-packages\\usb1\\__pyinstaller'... 84215 INFO: --- libusb1 pyinstaller hook --- 84226 INFO: Added libusb binaries: [('C:\\python3\\lib\\site-packages\\usb1\\libusb-1.0.dll', 'usb1')] 84228 INFO: Loading module hook 'hook-difflib.py' from 'C:\\python3\\lib\\site-packages\\PyInstaller\\hooks'... 84237 INFO: Excluding import of doctest from module difflib 84237 INFO: Loading module hook 'hook-distutils.py' from 'C:\\python3\\lib\\site-packages\\PyInstaller\\hooks'... Unable to find "C:\python3\Include\pyconfig.h" when adding binary and data files.This would mean your Python installation doesn't come with proper library files. This usually happens by missing development package, or unsuitable build parameters of Python installation. * On Debian/Ubuntu, you would need to install Python development packages * apt-get install python3-dev * apt-get install python-dev * If you're building Python by yourself, please rebuild your Python with `--enable-shared` (or, `--enable-framework` on Darwin) 🗯 ERROR: build-electrum-git failed ``` Looks like this might be fixed in pyinstaller 4.3 (we are using 4.2): https://github.com/pyinstaller/pyinstaller/pull/5218 ----- While trying to update pyinstaller to have that fix, several issues found with versions 4.3-4.10, now reported upstream and already fixed: https://github.com/pyinstaller/pyinstaller/issues/6338 https://github.com/pyinstaller/pyinstaller/issues/6339 https://github.com/pyinstaller/pyinstaller/issues/6686 So the pyinstaller commit pinned here is from the stable "v4" branch, some commits after the 4.10 tag, which has fixes for the above issues.
Windows binaries
✓ These binaries should be reproducible, meaning you should be able to generate binaries that match the official releases.
This assumes an Ubuntu (x86_64) host, but it should not be too hard to adapt to another similar system.
-
Install Docker
See
contrib/docker_notes.md.Note: older versions of Docker might not work well (see #6971). If having problems, try to upgrade to at least
docker 20.10. -
Build Windows binaries
$ ./build.shIf you want reproducibility, try instead e.g.:
$ ELECBUILD_COMMIT=HEAD ELECBUILD_NOCACHE=1 ./build.sh -
The generated binaries are in
./contrib/build-wine/dist.
Code Signing
Electrum Windows builds are signed with a Microsoft Authenticode™ code signing certificate in addition to the GPG-based signatures.
The advantage of using Authenticode is that Electrum users won't receive a Windows SmartScreen warning when starting it.
The release signing procedure involves a signer (the holder of the certificate/key) and one or multiple trusted verifiers:
| Signer | Verifier |
|---|---|
Build .exe files using make_win.sh |
|
Sign .exe with ./sign.sh |
|
| Upload signed files to download server | |
Build .exe files using make_win.sh |
|
Compare files using unsign.sh |
|
Sign .exe file using gpg -b |
| Signer and verifiers: |
|---|
Upload signatures to 'electrum-signatures' repo, as $version/$filename.$builder.asc |
Verify Integrity of signed binary
Every user can verify that the official binary was created from the source code in this repository. To do so, the Authenticode signature needs to be stripped since the signature is not reproducible.
This procedure removes the differences between the signed and unsigned binary:
- Remove the signature from the signed binary using osslsigncode or signtool.
- Set the COFF image checksum for the signed binary to 0x0. This is necessary because pyinstaller doesn't generate a checksum.
- Append null bytes to the unsigned binary until the byte count is a multiple of 8.
The script unsign.sh performs these steps.