contrib/build-wine/README.md

# Windows binaries

✓ _These binaries should be reproducible, meaning you should be able to generate
   binaries that match the official releases._

- _Minimum supported target system (i.e. what end-users need): x86_64, Windows 10 (1809)_

This assumes an Ubuntu (x86_64) host, but it should not be too hard to adapt to another
similar system.

1. Install Docker

    See [`contrib/docker_notes.md`](../docker_notes.md).

    (worth reading even if you already have docker)

    Note: older versions of Docker might not work well
    (see [#6971](https://github.com/spesmilo/electrum/issues/6971)).
    If having problems, try to upgrade to at least `docker 20.10`.

2. Build Windows binaries

    ```
    $ ./build.sh
    ```
    If you want reproducibility, try instead e.g.:
    ```
    $ ELECBUILD_COMMIT=HEAD ./build.sh
    ```

3. The generated binaries are in `./contrib/build-wine/dist`.


## Code Signing

Electrum Windows builds are signed with a Microsoft Authenticode™ code signing
certificate in addition to the GPG-based signatures.

The advantage of using Authenticode is that Electrum users won't receive a
Windows SmartScreen warning when starting it.

The release signing procedure involves a signer (the holder of the
certificate/key) and one or multiple trusted verifiers:


| Signer                                                    | Verifier                             |
|-----------------------------------------------------------|--------------------------------------|
| Build .exe files using `make_win.sh`                      |                                      |
| Sign .exe with `./sign.sh`                                |                                      |
| Upload signed files to download server                    |                                      |
|                                                           | Build .exe files using `make_win.sh` |
|                                                           | Compare files using `unsign.sh`      |
|                                                           | Sign .exe file using `gpg -b`        |

| Signer and verifiers:                                                                            |
|--------------------------------------------------------------------------------------------------|
| Upload signatures to 'electrum-signatures' repo, as `$version/$filename.$builder.asc`            |


## Verify Integrity of signed binary

Every user can verify that the official binary was created from the source code in this
repository. To do so, the Authenticode signature needs to be stripped since the signature
is not reproducible.

This procedure removes the differences between the signed and unsigned binary:

1. Remove the signature from the signed binary using osslsigncode or signtool.
2. Set the COFF image checksum for the signed binary to 0x0. This is necessary
   because pyinstaller doesn't generate a checksum.
3. Append null bytes to the _unsigned_ binary until the byte count is a multiple
   of 8.

The script `unsign.sh` performs these steps.

## FAQ

### How to investigate diff between binaries if reproducibility fails?
`pyi-archive_viewer` is needed, for that run `$ pip install pyinstaller`.
As a first pass overview, run:
```
pyi-archive_viewer -l electrum-*.exe1 > f1
pyi-archive_viewer -l electrum-*.exe2 > f2
diff f1 f2 > d
cat d
```
Then investigate manually:
```
$ pyi-archive_viewer electrum-*.exe1
? help
```
win build: add instructions to investigate reproducibility failure 2022-03-25 21:26:10 +01:00			`# Windows binaries`
Add script for deterministic builds 2017-11-28 00:30:06 +01:00
build: note whether binary is reproducible in each case 2019-06-26 04:18:24 +02:00			`✓ _These binaries should be reproducible, meaning you should be able to generate`
			`binaries that match the official releases._`
wine-build: clarify to use docker for reproducible builds. move parts of readme. 2018-08-15 13:22:24 +02:00
binaries: document min requirements for target systems 2024-10-04 14:02:51 +00:00			`- _Minimum supported target system (i.e. what end-users need): x86_64, Windows 10 (1809)_`

build: note whether binary is reproducible in each case 2019-06-26 04:18:24 +02:00			`This assumes an Ubuntu (x86_64) host, but it should not be too hard to adapt to another`
build: try to consolidate instructions and decr codedupe in release.sh 2021-06-17 19:41:37 +02:00			`similar system.`
Add script for deterministic builds 2017-11-28 00:30:06 +01:00
wine build: rm old README 2019-05-06 17:10:36 +02:00			`1. Install Docker`
Add instruction to install dirmngr to Wine README Closes #3454 2017-12-06 18:12:02 +01:00
contrib/docker_notes.md: add notes re debian apt mirror, and envvars related https://github.com/spesmilo/electrum/issues/8496 2023-06-22 15:45:30 +00:00			See [`contrib/docker_notes.md`](../docker_notes.md).

			`(worth reading even if you already have docker)`
Add instruction to install dirmngr to Wine README Closes #3454 2017-12-06 18:12:02 +01:00
build-wine/README.md: add comment about needing recent docker version related: https://github.com/spesmilo/electrum/issues/6971 https://github.com/spesmilo/electrum/pull/6981 2021-02-01 22:30:54 +01:00			`Note: older versions of Docker might not work well`
			`(see [#6971](https://github.com/spesmilo/electrum/issues/6971)).`
			If having problems, try to upgrade to at least `docker 20.10`.

build: try to consolidate instructions and decr codedupe in release.sh 2021-06-17 19:41:37 +02:00			`2. Build Windows binaries`
Add instruction to install dirmngr to Wine README Closes #3454 2017-12-06 18:12:02 +01:00
wine build: rm old README 2019-05-06 17:10:36 +02:00			```
build: try to consolidate instructions and decr codedupe in release.sh 2021-06-17 19:41:37 +02:00			`$ ./build.sh`
wine build: rm old README 2019-05-06 17:10:36 +02:00			```
build: try to consolidate instructions and decr codedupe in release.sh 2021-06-17 19:41:37 +02:00			`If you want reproducibility, try instead e.g.:`
wine build: rm old README 2019-05-06 17:10:36 +02:00			```
contrib/docker_notes.md: add notes re debian apt mirror, and envvars related https://github.com/spesmilo/electrum/issues/8496 2023-06-22 15:45:30 +00:00			`$ ELECBUILD_COMMIT=HEAD ./build.sh`
wine build: rm old README 2019-05-06 17:10:36 +02:00			```
Add script for deterministic builds 2017-11-28 00:30:06 +01:00
build: try to consolidate instructions and decr codedupe in release.sh 2021-06-17 19:41:37 +02:00			3. The generated binaries are in `./contrib/build-wine/dist`.
Add script for deterministic builds 2017-11-28 00:30:06 +01:00
wine build: rm old README 2019-05-06 17:10:36 +02:00

win build: add instructions to investigate reproducibility failure 2022-03-25 21:26:10 +01:00			`## Code Signing`
wine build: rm old README 2019-05-06 17:10:36 +02:00
			`Electrum Windows builds are signed with a Microsoft Authenticode™ code signing`
			`certificate in addition to the GPG-based signatures.`

contrib/docker_notes.md: add notes re debian apt mirror, and envvars related https://github.com/spesmilo/electrum/issues/8496 2023-06-22 15:45:30 +00:00			`The advantage of using Authenticode is that Electrum users won't receive a`
wine build: rm old README 2019-05-06 17:10:36 +02:00			`Windows SmartScreen warning when starting it.`

			`The release signing procedure involves a signer (the holder of the`
			`certificate/key) and one or multiple trusted verifiers:`


build: rename some scripts also, merge sdist/build.sh and sdist/make_tgz into sdist/make_sdist.sh 2021-06-17 19:03:23 +02:00			`\| Signer \| Verifier \|`
			`\|-----------------------------------------------------------\|--------------------------------------\|`
			\| Build .exe files using `make_win.sh` \| \|
			\| Sign .exe with `./sign.sh` \| \|
			`\| Upload signed files to download server \| \|`
			\| \| Build .exe files using `make_win.sh` \|
			\| \| Compare files using `unsign.sh` \|
			\| \| Sign .exe file using `gpg -b` \|
wine build: rm old README 2019-05-06 17:10:36 +02:00
build: rename some scripts also, merge sdist/build.sh and sdist/make_tgz into sdist/make_sdist.sh 2021-06-17 19:03:23 +02:00			`\| Signer and verifiers: \|`
			`\|--------------------------------------------------------------------------------------------------\|`
			\| Upload signatures to 'electrum-signatures' repo, as `$version/$filename.$builder.asc` \|
wine build: rm old README 2019-05-06 17:10:36 +02:00


win build: add instructions to investigate reproducibility failure 2022-03-25 21:26:10 +01:00			`## Verify Integrity of signed binary`
wine build: rm old README 2019-05-06 17:10:36 +02:00
contrib/docker_notes.md: add notes re debian apt mirror, and envvars related https://github.com/spesmilo/electrum/issues/8496 2023-06-22 15:45:30 +00:00			`Every user can verify that the official binary was created from the source code in this`
wine build: rm old README 2019-05-06 17:10:36 +02:00			`repository. To do so, the Authenticode signature needs to be stripped since the signature`
			`is not reproducible.`

			`This procedure removes the differences between the signed and unsigned binary:`

			`1. Remove the signature from the signed binary using osslsigncode or signtool.`
			`2. Set the COFF image checksum for the signed binary to 0x0. This is necessary`
			`because pyinstaller doesn't generate a checksum.`
			`3. Append null bytes to the _unsigned_ binary until the byte count is a multiple`
			`of 8.`

			The script `unsign.sh` performs these steps.
win build: add instructions to investigate reproducibility failure 2022-03-25 21:26:10 +01:00
			`## FAQ`

			`### How to investigate diff between binaries if reproducibility fails?`
			`pyi-archive_viewer` is needed, for that run `$ pip install pyinstaller`.
			`As a first pass overview, run:`
			```
			`pyi-archive_viewer -l electrum-*.exe1 > f1`
			`pyi-archive_viewer -l electrum-*.exe2 > f2`
			`diff f1 f2 > d`
			`cat d`
			```
			`Then investigate manually:`
			```
			`$ pyi-archive_viewer electrum-*.exe1`
			`? help`
			```