653a24a49b
The "setup" Windows binary we distribute allows users to "install" Electrum on their system. The distributable is created by NSIS. During installation a bunch of files will get unpacked in %programfiles(x86)%/Electrum, including an "inner" exe that will be the entrypoint for the user to start the application. A shortcut is also created for the inner exe. With this change, there will now be two inner EXEs. One the same as before, the other with a "-debug" suffix in its name. The debug exe is built as a "console" application (as opposed to a "windowed" application), so when launched via double-click a black console window would appear; and also importantly stdin/stdout are handled properly for it (unlike for "windowed" programs). (see #2592) There will not be a shortcut or similar for the debug exe; it would just be there as a debugging option we can instruct users to use when needed. In particular early crashes during startup are hard to debug without stdout/stderr. (see e.g. #6601) |
||
|---|---|---|
| .. | ||
| gpg_keys | ||
| build-electrum-git.sh | ||
| build.sh | ||
| deterministic.spec | ||
| Dockerfile | ||
| electrum.nsi | ||
| prepare-wine.sh | ||
| README.md | ||
| sign.sh | ||
| unsign.sh | ||
Windows binaries
✓ These binaries should be reproducible, meaning you should be able to generate binaries that match the official releases.
This assumes an Ubuntu (x86_64) host, but it should not be too hard to adapt to another similar system. The docker commands should be executed in the project's root folder.
-
Install Docker
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" $ sudo apt-get update $ sudo apt-get install -y docker-ce -
Build image
$ sudo docker build -t electrum-wine-builder-img contrib/build-wineNote: see this if having dns problems
-
Build Windows binaries
It's recommended to build from a fresh clone (but you can skip this if reproducibility is not necessary).
$ FRESH_CLONE=contrib/build-wine/fresh_clone && \ sudo rm -rf $FRESH_CLONE && \ mkdir -p $FRESH_CLONE && \ cd $FRESH_CLONE && \ git clone https://github.com/spesmilo/electrum.git && \ cd electrumAnd then build from this directory:
$ git checkout $REV $ sudo docker run -it \ --name electrum-wine-builder-cont \ -v $PWD:/opt/wine64/drive_c/electrum \ --rm \ --workdir /opt/wine64/drive_c/electrum/contrib/build-wine \ electrum-wine-builder-img \ ./build.sh -
The generated binaries are in
./contrib/build-wine/dist.
Code Signing
Electrum Windows builds are signed with a Microsoft Authenticode™ code signing certificate in addition to the GPG-based signatures.
The advantage of using Authenticode is that Electrum users won't receive a Windows SmartScreen warning when starting it.
The release signing procedure involves a signer (the holder of the certificate/key) and one or multiple trusted verifiers:
| Signer | Verifier |
|---|---|
Build .exe files using build.sh |
|
Sign .exe with ./sign.sh |
|
| Upload signed files to download server | |
Build .exe files using build.sh |
|
Compare files using unsign.sh |
|
Sign .exe file using gpg -b |
| Signer and verifiers: |
|---|
Upload signatures to 'electrum-signatures' repo, as $version/$filename.$builder.asc |
Verify Integrity of signed binary
Every user can verify that the official binary was created from the source code in this repository. To do so, the Authenticode signature needs to be stripped since the signature is not reproducible.
This procedure removes the differences between the signed and unsigned binary:
- Remove the signature from the signed binary using osslsigncode or signtool.
- Set the COFF image checksum for the signed binary to 0x0. This is necessary because pyinstaller doesn't generate a checksum.
- Append null bytes to the unsigned binary until the byte count is a multiple of 8.
The script unsign.sh performs these steps.