New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Building: Windows: Set EXE checksums (#5579). #5580
Conversation
I notice gcc automatically sets the checksum for any executable or shared library it produces but MSVC doesn't. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, if it helps AVs to calm down, it is good thing!
Well, if nothing else, this adds a bit more entropy to the bootloader part of the frozen executable. So those poor AV engines will need to learn to ignore the bytes that correspond to the PE checksum. (Want to add some more entropy? Set the build timestamp of the final executable based on
Looks like this could be achieved by setting a linker flag. E.g., add this to
Of course, once we append package data, this needs to be recomputed again anyway, but it might prevent AVs from deleting bootloader files during PyInstaller installation... |
fcc87d5
to
c0d4e3f
Compare
Hmph, how'd you work that out so quickly. Been scowling at it all afternoon.
|
Windows executables contain an optional checksum to protect against corruption. It turns out that several of antiviral programs raise false positives if this checksum is missing or wrong. Setting this checksum appeases McAfee and inconsistently fixes MS Defender which are probably the most common (and also dumbest) AVs for Windows.
c0d4e3f
to
6018604
Compare
Boo yah! Long may this live. |
#5579 explains the what/why for this PR well.
Windows executables contain an optional checksum to protect against corruption. It turns out that several of antiviral programs
raise false positives if this checksum is missing or wrong. Setting this checksum appeases McAfee and inconsistently fixes
MS Defender which are probably the most common (and also dumbest) AVs for Windows.
Sod's law says that in a few months the AV programs will notice that we've rumbled their I am not a virus metadata tag and come up with something even less effective to waste our time with but in the meantime we get to enjoy a little ironical break from the constant false-positive reports.
This PR sets the checksum for built executables. We probably should apply this directly to the bootloaders too but I can't do anything to that wafscript. I've spent several hours trying to work out how to get waf to run 3 lines of code in the right place.
Closes #5579 .