Add script to strip signature from signed binary
parent
95bbd9593b
commit
240dc888ec
@ -61,3 +61,21 @@ certificate/key) and one or multiple trusted verifiers:
|
||||
|
||||
`sign.sh` will check if the signatures match the signer's files. This ensures that the signer's
|
||||
build environment is not compromised and that the binaries can be reproduced by anyone.
|
||||
|
||||
|
||||
Verify Integrity of signed binary
|
||||
=================================
|
||||
|
||||
Every user can verify that the official binary was created from the source code in this
|
||||
repository. To do so, the Authenticode signature needs to be stripped since the signature
|
||||
is not reproducible.
|
||||
|
||||
This procedure removes the differences between the signed and unsigned binary:
|
||||
|
||||
1. Remove the signature from the signed binary using osslsigncode or signtool.
|
||||
2. Set the COFF image checksum for the signed binary to 0x0. This is necessary
|
||||
because pyinstaller doesn't generate a checksum.
|
||||
3. Append null bytes to the _unsigned_ binary until the byte count is a multiple
|
||||
of 8.
|
||||
|
||||
The script `unsign.sh` performs these steps.
|
||||
|
||||
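Review bot: The new "Verify Integrity of signed binary" section never says how to call `unsign.sh`, and step 3 gives no reason for the padding while step 2 does. Please add the invocation (the script's usage string is `signed_binary unsigned_binary`) and a short "because ..." clause to step 3. The section should also state that the script appends the null bytes to the unsigned binary in place and writes the stripped copy next to the signed one as `<signed_binary>-stripped.exe`, so a reader knows which files are changed and which two files end up being compared.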
45
contrib/build-wine/unsign.sh
Normal file
@ -0,0 +1,45 @@
|
||||
#!/bin/bash
|
||||
here=$(dirname "$0")
|
||||
test -n "$here" -a -d "$here" || exit
|
||||
cd $here
|
||||
|
||||
if ! which osslsigncode > /dev/null 2>&1; then
|
||||
echo "Please install osslsigncode"
|
||||
fi
|
||||
|
||||
if [ $# -neq 2 ]; then
|
||||
echo "Usage: $0 signed_binary unsigned_binary"
|
||||
fi
|
||||
|
||||
out="$1-stripped.exe"
|
||||
|
||||
set -ex
|
||||
|
||||
echo "Step 1: Remove PE signature from signed binary"
|
||||
osslsigncode remove-signature -in $1 -out $out
|
||||
|
||||
echo "Step 2: Remove checksum from signed binary"
|
||||
python3 <<EOF
|
||||
pe_file = "$out"
|
||||
with open(pe_file, "rb") as f:
|
||||
binary = bytearray(f.read())
|
||||
|
||||
pe_offset = int.from_bytes(binary[0x3c:0x3c+4], byteorder="little")
|
||||
checksum_offset = pe_offset + 88
|
||||
|
||||
for b in range(4):
|
||||
binary[checksum_offset + b] = 0
|
||||
|
||||
with open(pe_file, "wb") as f:
|
||||
f.write(binary)
|
||||
EOF
|
||||
|
||||
bytes=$( wc -c < $2 )
|
||||
bytes=$((8 - ($bytes%8)))
|
||||
bytes=$(($bytes % 8))
|
||||
|
||||
echo "Step 3: Appending $bytes null bytes to unsigned binary"
|
||||
|
||||
truncate -s +$bytes $2
|
||||
|
||||
diff $out $2 && echo "Success!"
|
||||
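Review bot: The argument check `if [ $# -neq 2 ]` uses `-neq`, which is not a `[` operator (it should be `-ne`), and neither that branch nor the `osslsigncode` check exits, so the script carries on with a missing tool or empty `$1`/`$2`. Add `exit 1` to both branches, and note that `set -ex` only takes effect after them. Separately, `cd $here` runs before `$1` and `$2` are used, so relative paths given by the caller resolve against the script's directory rather than the caller's working directory; either drop the `cd` or resolve the arguments to absolute paths first. `$here`, `$1`, `$2` and `$out` are unquoted throughout (`osslsigncode ... -in $1 -out $out`, `wc -c < $2`, `truncate -s +$bytes $2`, `diff $out $2`), which breaks on paths containing spaces, and `pe_file = "$out"` interpolates the path into Python source inside the heredoc; passing it as an argument or environment variable would be safer. The magic number in `checksum_offset = pe_offset + 88` deserves a comment saying which header field it addresses. Finally, `cmp` is a better fit than `diff` for the final comparison of two binaries.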