Giovanni Bajo <[EMAIL PROTECTED]> wrote: > I'm going to work on implementing crypting support for the packaged > executable. The idea is that the .pyc files will be crypted with a simmetric > cipher (say, Rijndael/AES) and the bootloader will use an external key to > decrypt and run the executable. Fair warning: I'm *no* crypt expert.
I have created the "crypt" branch and doing some work there. This is what it's done till now: 1) A C implementation of AES (aka Rijndael) is now built by Configure.py (using distutils). 2) A new program Crypt.py is added, which will help generating and managing keys and key files. Currently it has one command (Crypt.py genkey) to generate a keyfile with a random encryption key. 3) A key file is a file in Python format which defines several names. Right now, "Crypt.py genkey" creates a keyfile with just a name, "key", of type string (containing the random encryption key). Users of PyInstaller can add whatever names they want for carry information (licensee name, license type, ecc.). 4) Makespec.py gains -Y/--crypt to specify to crypt all the .pyc/.pyo files packaged by PyInstaller. The argument for the -Y option must be a valid keyfile, specifying the encryption key to use. 5) Build.py encrypts .pyc/.pyo using AES with the specified encryption key. 6) At run-time, the bootstrap modules look for a keyfile with the same name of the executable (and extension ".key"), and extract the encryption key from it. At runtime, the contents of the keyfile will be available as attributes of 'sys.key'. 7) If decryption fails (wrong/missing key), the import of the .pyc files fail (with ImportError) and the program is thus aborted. What's missing: - The bootstrap modules (iu.py, archive.py) are currently packaged in plain-text within the final executable (not even compressed with zlib). This makes modifying them a little too easy... I will probably fix them by compressing and encrypting them using a random-generated key (which is regenerated at each build and is encoded in the bootloader itself). This makes harder to produce generic cracks as the contents of the bootloader are scrambled differently at each build. - The keyfile is currently plaintext too. My current plan is to have it encrypted with a public key system, with one key stored within the executable, and the other being kept secret by the vendor. This way, the vendor will be the only one able to produce valid keyfiles for an uncracked version of the program (that is, key generators are impossible to write). If anybody is interested in this work, feel free to download and test the crypt branch, and let me know about your comments. -- Giovanni Bajo _______________________________________________ PyInstaller mailing list PyInstaller@lists.hpcf.upr.edu http://lists.hpcf.upr.edu/mailman/listinfo/pyinstaller
