commit f70daf0b2759d2e7b8df2a974e6b6143d20c1023 Author: Vu Quoc Huy huyvq.c633@gmail.com Date: Mon Oct 31 17:27:18 2016 +0700
Recalculate pe file checksum
* trac 20062
* Closes #10 --- ChangeLog | 2 ++ projects/tor-messenger/build | 5 +++ projects/tor-messenger/config | 6 ++++ projects/tor-messenger/pe_checksum_fix.py | 56 +++++++++++++++++++++++++++++++ 4 files changed, 69 insertions(+)
diff --git a/ChangeLog b/ChangeLog index b529abd..b6dc6b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ Tor Messenger 0.3.0b1 -- * Mac * Trac 20206: Avoid prompting to download font "Osaka" on macOS Sierra * Trac 20204: Windows don't drag on macOS Sierra + * Windows + * Trac 20062: Make stripping signatures reproducible on TM .exe files
Tor Messenger 0.2.0b2 -- September 06, 2016 * Mac diff --git a/projects/tor-messenger/build b/projects/tor-messenger/build index d69c983..ad6b112 100755 --- a/projects/tor-messenger/build +++ b/projects/tor-messenger/build @@ -91,6 +91,11 @@ cd .. mv bundle tor-messenger [% IF c('var/windows') -%] makensis tor-messenger.nsi +mv tor-messenger-install.exe tor-messenger-install-tmp.exe +pip install --user pefile==2016.3.28 +python pe_checksum_fix.py +mv tor-messenger-install-tmp2.exe tor-messenger-install.exe +rm tor-messenger-install-tmp.exe mv tor-messenger-install.exe [% dest_dir _ '/' _ c('filename') %] [% ELSE -%] [% c('tar', { diff --git a/projects/tor-messenger/config b/projects/tor-messenger/config index 225977f..395a77b 100644 --- a/projects/tor-messenger/config +++ b/projects/tor-messenger/config @@ -26,6 +26,8 @@ input_files: enable: '[% c("var/osx") %]' - filename: tor-messenger.nsi enable: '[% c("var/windows") %]' + - filename: pe_checksum_fix.py + enable: '[% c("var/windows") %]' - filename: cert_override.txt - filename: tor-messenger.ico enable: '[% c("var/windows") %]' @@ -48,6 +50,10 @@ targets: filename_ext: 'exe' arch_deps: - nsis + - python + - python-pip + - python-dev + - build-essential osx-x86_64: distribution: Ubuntu-12.04 var: diff --git a/projects/tor-messenger/pe_checksum_fix.py b/projects/tor-messenger/pe_checksum_fix.py new file mode 100644 index 0000000..e3df5be --- /dev/null +++ b/projects/tor-messenger/pe_checksum_fix.py 
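Review bot: `pip install --user pefile==2016.3.28` in the build script downloads code at build time with only a version pin, so the package that goes on to rewrite the installer is never checked against a known digest, and any dependency pip resolves for it is not pinned at all. For a reproducible build it would be safer to list the pefile source archive under `input_files` in `projects/tor-messenger/config` with a recorded SHA-256 and install it offline, for example `pip install --user --no-index --no-deps ./pefile-2016.3.28.tar.gz` (the archive name here is illustrative). It is also worth confirming that the script aborts when `python pe_checksum_fix.py` fails; the script's error-handling settings are outside this hunk, and without them the following `mv` is the only step that would notice a missing `tor-messenger-install-tmp2.exe`.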
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+# Copyright (c) 2015, The Tor Project, Inc.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#
+# * Neither the names of the copyright owners nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""
+NSIS is neither padding nor calculating the PE-file checksum. But the tool
+we use for signing and the tools for stripping the signature do which leads to a
+SHA256 mismatch if one tries to check that the binary we offer is actually the
+the one we got from our reproducible builds.
+
+This small Python snippet does both things: It pads the .exe if necessary and it
+recalculates the PE-file checksum. Details of the discussion can be foun in bug
+15339: https://bugs.torproject.org/15539.
+
+Thanks to a cypherpunk for this workaround idea.
+"""
+
+import pefile;
+
+f = open('tor-messenger-install-tmp.exe')
+exe = f.read()
+f.close()
+remainder = len(exe) % 8
+if remainder > 0:
+ exe += '\0' * (8 - remainder)
+pef = pefile.PE(data=exe, fast_load=True)
+pef.OPTIONAL_HEADER.CheckSum = pef.generate_checksum()
+pef.write(filename='tor-messenger-install-tmp2.exe')
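Review bot: `open('tor-messenger-install-tmp.exe')` reads the installer in text mode, which is byte-exact only under Python 2 on a POSIX host. Since this script exists to produce a bit-for-bit reproducible file, it should read with `with open('tor-messenger-install-tmp.exe', 'rb') as f:` and pad with `b'\0'`; the `with` form also closes the handle if the read fails. The docstring cites bug "15339" but links to https://bugs.torproject.org/15539, so one of the two numbers is wrong and should be corrected, along with the typos "foun" and "the the". The trailing semicolon on `import pefile;` can be dropped.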