diff --git a/contrib/build-wine/README.md b/contrib/build-wine/README.md
index 2ad55f91c..8f4bb0d13 100644
--- a/contrib/build-wine/README.md
+++ b/contrib/build-wine/README.md
@@ -61,3 +61,21 @@ certificate/key) and one or multiple trusted verifiers: `sign.sh` will check if the signatures match the signer's files. This ensures that the signer's build environment is not compromised and that the binaries can be reproduced by anyone.
+
+
+Verify Integrity of signed binary
+=================================
+
+Every user can verify that the official binary was created from the source code in this
+repository. To do so, the Authenticode signature needs to be stripped since the signature
+is not reproducible.
+
+This procedure removes the differences between the signed and unsigned binary:
+
+1. Remove the signature from the signed binary using osslsigncode or signtool.
+2. Set the COFF image checksum for the signed binary to 0x0. This is necessary
+ because pyinstaller doesn't generate a checksum.
+3. Append null bytes to the _unsigned_ binary until the byte count is a multiple
+ of 8.
+
+The script `unsign.sh` performs these steps.
diff --git a/contrib/build-wine/unsign.sh b/contrib/build-wine/unsign.sh
new file mode 100644
index 000000000..b3ba9e8c0
--- /dev/null
+++ b/contrib/build-wine/unsign.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+here=$(dirname "$0")
+test -n "$here" -a -d "$here" || exit
+cd $here
+
+if ! which osslsigncode > /dev/null 2>&1; then
+ echo "Please install osslsigncode"
+fi
+
+if [ $# -neq 2 ]; then
+ echo "Usage: $0 signed_binary unsigned_binary"
+fi
+
+out="$1-stripped.exe"
+
+set -ex
+
+echo "Step 1: Remove PE signature from signed binary"
+osslsigncode remove-signature -in $1 -out $out
+
+echo "Step 2: Remove checksum from signed binary"
+python3 <