Windows: Sign files for Smart App Control

Open bwoodsend opened this issue 2 years ago • 16 comments

Discussed in https://github.com/pyinstaller/pyinstaller/discussions/6746

Originally posted by Evernow April 15, 2022

Windows is introducing a new feature in Windows 11 called Smart App Control later this year; it enforces code signing much more strictly than SmartScreen.

A major issue I encountered is that files Pyinstaller extracts for modules needed, such as pywintypes310.dll in my case may not be code signed, which would result in warnings such as these:

image

Is there a way to potentially sign these files the same way we can sign already made pyinstaller executables? A way is to do --onedir, however it is not practical to send end users a folder zipped and have to instruct them on how to launch the application.

Note: To currently test Smart App Control you need the latest W11 Insider ISO and then enable it in Windows Defender. You CANNOT simply update an older insider install or even less go from stable to insider, using Smart App Control requires a clean install of a build that comes with the feature.

bwoodsend, Apr 15 '22 08:04

Ughh, not Windows as well. I literally woke up about 10 minutes ago and my day is already ruined. We'll need to implement built-in codesigning like we did for macOS (docs for which are here). According to this page and that page, we should be able to create dummy certificates for testing with - i.e. PyInstaller devs don't need to buy a certificate just to test this feature.

bwoodsend, Apr 15 '22 08:04

We should take this opportunity and rework the macOS signing as well, to perform signing on all collected files instead of just binaries. Often, shared libs end up collected as datas due to brute-force hooks, and those files will slip past the codesigning and end up breaking the application...

rokm, Apr 15 '22 08:04
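The concern in the comment above, that shared libraries collected as datas slip past signing, can be checked on a `--onedir` build by inspecting file contents rather than extensions. The following is an added example, not code from this thread or from PyInstaller; the function names and the default `dist` path are assumptions.

```python
import os
import struct
import sys

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def cert_table(data):
    """Return (file_offset, size) of the PE certificate table, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew: offset of the PE signature
    opt = pe + 24                                  # signature (4) + COFF header (20)
    if len(data) < opt + 2 or data[pe:pe + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32: data directories start 96 bytes into the optional header
        dirs = opt + 96
    elif magic == 0x20B:     # PE32+: 112 bytes
        dirs = opt + 112
    else:
        return None
    if len(data) < dirs:
        return None
    count = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    entry = dirs + 8 * SECURITY_DIR_INDEX
    if count <= SECURITY_DIR_INDEX or len(data) < entry + 8:
        return (0, 0)        # no security directory entry, so no embedded signature
    return struct.unpack_from("<II", data, entry)


def unsigned_pe_files(root):
    """Walk root; return sorted relative paths of PE images that carry no embedded signature."""
    found = []
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                table = cert_table(fh.read(65536))   # headers sit at the start of the file
            if table is not None and (table[0] == 0 or table[1] == 0):
                found.append(os.path.relpath(path, root))
    return sorted(found)


if __name__ == "__main__":
    # Assumption: "dist" is the PyInstaller output folder when no path is given.
    for rel in unsigned_pe_files(sys.argv[1] if len(sys.argv) > 1 else "dist"):
        print(rel)
```

A non-empty certificate table only shows that a signature blob is embedded; `signtool verify /pa <file>` on Windows checks that the signature is actually valid.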

I'm happy to work on this at some point.

Legorooj, Apr 17 '22 07:04

By the way, if you're running pyupdater, you don't get a chance to sign the executable, as it runs pyinstaller and the exe goes straight into the .zip file. Here's what I did in myfile.spec after the EXE finishes:

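```python
import subprocess
# "sign" is the signtool subcommand; check=True fails the build if signing fails
subprocess.run("signtool sign /f cert.pfx /p PASSWORD /fd sha256 myfile.exe".split(" "), check=True)
```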

RussNelson, Aug 23 '22 19:08

Any progress on this? We are happy to pay for a Microsoft certificate and then use signtool.

  1. Does anybody have a 3rd-party company to buy a certificate from? For example, we can buy a certificate from digicert.

  2. Does anybody have a detailed recipe for the process of signing the final exe with signtool?

We got our macOS app to be properly signed (as long as it is run from the Applications folder?). We really need to get our Windows exe signed. This is all for an NIH funded open-source software project SanPy.

It is rather depressing that all the devs of pyinstaller put so much work and expertise into making exe/app from Python to have them blocked by "virus protection". :(

cudmore, Dec 17 '23 22:12

> Does anybody have a detailed recipe for the process of signing the final exe with signtool?

I can point you at a github search with examples in it. Nothing more though. We've never done this. I did have a go at this when I opened this issue but after some terrible error messages and discovering just how badly Microsoft's documentation correlated with reality, I ran out of enthusiasm.

> It is rather depressing that all the devs of pyinstaller put so much work and expertise into making exe/app from Python to have them blocked by "virus protection". :(

We've never really confirmed that signing will do any good against dumb antiviruses – just vague hearsay on the internet.

bwoodsend, Dec 18 '23 22:12