History

SomberNight a4cb69d1b5 win build: update debian base (11->12), and wine		2 years ago
..
gpg_keys	build-wine: don't use gpg keyservers	7 years ago
.dockerignore	build: fix repro builds where host userid != 1000	3 years ago
Dockerfile	win build: update debian base (11->12), and wine	2 years ago
README.md	contrib/docker_notes.md: add notes re debian apt mirror, and envvars	3 years ago
README_windows.md	windows README: update reference to libsecp256k1-0.dll to incl newer	3 years ago
apt.preferences	wine build: build win-iconv-mingw-w64-dev, instead of using debian sid	3 years ago
apt.sources.list	win build: update debian base (11->12), and wine	2 years ago
build-electrum-git.sh	win/mac build: bump pyinstaller (5.13.2->6.6.0)	2 years ago
build.sh	build: fix repro builds where host userid != 1000	3 years ago
deterministic.spec	pyinstaller build: (trivial) format so that win/osx look more similar	2 years ago
electrum.nsi	use debian makensis instead of windows makensis executable through wine (#8057 )	3 years ago
make_win.sh	win build: bump pyinstaller (4.10->5.11)	3 years ago
prepare-wine.sh	win/mac build: bump pyinstaller (5.13.2->6.6.0)	2 years ago
sign.sh	build scripts: (trivial) add quotes around some shell variables	2 years ago
unsign.sh	contrib/build-wine/unsign.sh: small improvements/fixes	3 years ago

README.md

Windows binaries

✓ These binaries should be reproducible, meaning you should be able to generate binaries that match the official releases.

This assumes an Ubuntu (x86_64) host, but it should not be too hard to adapt to another similar system.

Install Docker

See contrib/docker_notes.md.

(worth reading even if you already have docker)

Note: older versions of Docker might not work well (see #6971). If having problems, try to upgrade to at least docker 20.10.
Build Windows binaries
```
$ ./build.sh
```
If you want reproducibility, try instead e.g.:
```
$ ELECBUILD_COMMIT=HEAD ./build.sh
```
The generated binaries are in ./contrib/build-wine/dist.

Code Signing

Electrum Windows builds are signed with a Microsoft Authenticode™ code signing certificate in addition to the GPG-based signatures.

The advantage of using Authenticode is that Electrum users won't receive a Windows SmartScreen warning when starting it.

The release signing procedure involves a signer (the holder of the certificate/key) and one or multiple trusted verifiers:

Signer	Verifier
Build .exe files using `make_win.sh`
Sign .exe with `./sign.sh`
Upload signed files to download server
	Build .exe files using `make_win.sh`
	Compare files using `unsign.sh`
	Sign .exe file using `gpg -b`

Signer and verifiers:
Upload signatures to 'electrum-signatures' repo, as `$version/$filename.$builder.asc`

Verify Integrity of signed binary

Every user can verify that the official binary was created from the source code in this repository. To do so, the Authenticode signature needs to be stripped since the signature is not reproducible.

This procedure removes the differences between the signed and unsigned binary:

Remove the signature from the signed binary using osslsigncode or signtool.
Set the COFF image checksum for the signed binary to 0x0. This is necessary because pyinstaller doesn't generate a checksum.
Append null bytes to the unsigned binary until the byte count is a multiple of 8.

The script unsign.sh performs these steps.

FAQ

How to investigate diff between binaries if reproducibility fails?

pyi-archive_viewer is needed, for that run $ pip install pyinstaller. As a first pass overview, run:

pyi-archive_viewer -l electrum-*.exe1 > f1
pyi-archive_viewer -l electrum-*.exe2 > f2
diff f1 f2 > d
cat d

Then investigate manually:

$ pyi-archive_viewer electrum-*.exe1
? help