Building: Windows: Set EXE checksums (#5579). #5580

Merged
merged 1 commit into from Feb 23, 2021


bwoodsend
Member

#5579 explains the what/why for this PR well.

Windows executables contain an optional checksum to protect against corruption. It turns out that several antiviral programs raise false positives if this checksum is missing or wrong. Setting this checksum appeases McAfee and inconsistently fixes MS Defender, which are probably the most common (and also dumbest) AVs for Windows.

Sod's law says that in a few months the AV programs will notice that we've rumbled their I am not a virus metadata tag and come up with something even less effective to waste our time with but in the meantime we get to enjoy a little ironical break from the constant false-positive reports.

This PR sets the checksum for built executables. We probably should apply this directly to the bootloaders too but I can't do anything to that wafscript. I've spent several hours trying to work out how to get waf to run 3 lines of code in the right place.

Closes #5579.

@bwoodsend bwoodsend marked this pull request as draft February 22, 2021 20:13
@bwoodsend
Member Author

I notice gcc automatically sets the checksum for any executable or shared library it produces but MSVC doesn't.

Contributor

@BoboTiG BoboTiG left a comment

Well, if it helps AVs to calm down, it is a good thing!

@rokm
Member

rokm commented Feb 22, 2021

> Sod's law says that in a few months the AV programs will notice that we've rumbled their I am not a virus metadata tag and come up with something even less effective to waste our time with but in the meantime we get to enjoy a little ironical break from the constant false-positive reports.

Well, if nothing else, this adds a bit more entropy to the bootloader part of the frozen executable. So those poor AV engines will need to learn to ignore the bytes that correspond to the PE checksum. (Want to add some more entropy? Set the build timestamp of the final executable based on SOURCE_DATE_EPOCH or current time...).

> We probably should apply this directly to the bootloaders too but I can't do anything to that wafscript.

Looks like this could be achieved by setting a linker flag.

E.g., add this to wscript on line 313:

        [...]
        ctx.env.append_value('CFLAGS', '/EHa')
        
        # Set the PE checksum on resulting binary
        ctx.env.append_value('LINKFLAGS', '/RELEASE')

Of course, once we append package data, this needs to be recomputed again anyway, but it might prevent AVs from deleting bootloader files during PyInstaller installation...

@bwoodsend
Member Author

Hmph, how'd you work that out so quickly. Been scowling at it all afternoon.

/RELEASE flag has been set. This just leaves a very narrow interval between an EXE being assembled from bootloader + PYZ etc and it getting rewritten with the correct checksum. I hope this is too small an interval for AV to intercept but past issues we've seen (#5479) make me think that anything's possible.
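
The recomputation the comments above refer to (the checksum has to be redone once package data is appended to the bootloader), as an added example that is not part of this thread and is not PyInstaller's own code. It implements the standard PE checksum (16-bit end-around-carry sum with the CheckSum field counted as zero, plus the file length); the sample image, `APPENDED` and all function names are constructed for illustration.

```python
import struct

APPENDED = b"PYZ"  # constructed stand-in for the archive appended after linking

def checksum_offset(data):
    """File offset of OptionalHeader.CheckSum (identical for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64  # PE signature + COFF header + 64 bytes in

def compute_checksum(data):
    """16-bit end-around-carry sum of the file, CheckSum field as 0, plus length."""
    off = checksum_offset(data)
    buf = bytearray(data)
    buf[off:off + 4] = bytes(4)
    if len(buf) % 2:
        buf.append(0)  # pad an odd-length file to a whole word
    total = sum(struct.unpack("<%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_offset(data))[0]

def set_checksum(image):
    """Write the freshly computed checksum into a mutable image (bytearray)."""
    struct.pack_into("<I", image, checksum_offset(image), compute_checksum(image))

def make_sample_image():
    """Constructed 512-byte header-only image, not a loadable executable."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x8664)  # Machine: x64
    struct.pack_into("<H", img, 0x94, 0xF0)    # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x20B)   # optional header magic: PE32+
    return img

if __name__ == "__main__":
    exe = make_sample_image()
    set_checksum(exe)                          # what the linker's /RELEASE does
    print("linked:   ", stored_checksum(exe) == compute_checksum(exe))
    exe += APPENDED                            # package data appended
    print("appended: ", stored_checksum(exe) == compute_checksum(exe))
    set_checksum(exe)                          # final rewrite
    print("rewritten:", stored_checksum(exe) == compute_checksum(exe))
```

The middle state, where the stored value no longer matches the file, is the interval between assembly and the final rewrite mentioned in the comment above.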

Windows executables contain an optional checksum to protect
against corruption. It turns out that several antiviral programs
raise false positives if this checksum is missing or wrong.
Setting this checksum appeases McAfee and inconsistently fixes
MS Defender which are probably the most common (and also dumbest)
AVs for Windows.
@bwoodsend
Member Author

Boo yah! Long may this live.

@bwoodsend bwoodsend marked this pull request as ready for review February 23, 2021 09:22
@Legorooj Legorooj merged commit 93285ec into pyinstaller:develop Feb 23, 2021
@pyinstaller pyinstaller deleted a comment from Truepc Mar 18, 2021
@bwoodsend bwoodsend deleted the set-pe-checksum branch June 9, 2022 19:48
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 15, 2022
Successfully merging this pull request may close these issues.

Set correct PE checksum for .exe files (helps with virus false-positives)
4 participants