Merge pull request #881 from micahflee/862_circumvent_antivirus

Add instructions to build PyInstaller from source, to avoid AV false positives
2024-12-28 08:49:30 -05:00 · 2019-01-26 23:11:22 -08:00 · 2019-01-26 23:11:22 -08:00 · eb121770a4
commit eb121770a4
parent 921e4e40b8 6ed63143df
2 changed files with 77 additions and 7 deletions
--- a/BUILD.md
+++ b/BUILD.md
@ -56,16 +56,17 @@ Now install some python dependencies with pip (note, there's issues building a .

 ```sh
 pip3 install -r install/requirements.txt
+pip3 install PyInstaller==3.4
 ```

-You can run both the CLI and GUI versions of OnionShare without building an bundle:
+#### You can run both the CLI and GUI versions of OnionShare without building an bundle

 ```sh
 ./dev_scripts/onionshare
 ./dev_scripts/onionshare-gui
 ```

-To build the app bundle:
+#### To build the app bundle

 ```sh
 install/build_osx.sh
@ -73,7 +74,7 @@ install/build_osx.sh

 Now you should have `dist/OnionShare.app`.

-To codesign and build a pkg for distribution:
+#### To codesign and build a pkg for distribution

 ```sh
 install/build_osx.sh --release
@ -102,7 +103,7 @@ python dev_scripts\onionshare
 python dev_scripts\onionshare-gui
 ```

-If you want to build a .exe:
+#### If you want to build a .exe

 These instructions include adding folders to the path in Windows. To do this, go to Start and type "advanced system settings", and open "View advanced system settings" in the Control Panel. Click Environment Variables. Under "System variables" double-click on Path. From there you can add and remove folders that are available in the PATH.

@ -119,12 +120,82 @@ Add the following directories to the path:
 * `C:\Users\user\AppData\Local\Programs\Python\Python37-32\Lib\site-packages\PyQt5\Qt\bin`
 * `C:\Program Files (x86)\7-Zip`

-If you want to build the installer:
+#### If you want the .exe to not get falsely flagged as malicious by anti-virus software
+
+OnionShare uses PyInstaller to turn the python source code into Windows executable `.exe` file. Apparently, malware developers also use PyInstaller, and some anti-virus vendors have included snippets of PyInstaller code in their virus definitions. To avoid this, you have to compile the Windows PyInstaller bootloader yourself instead of using the pre-compiled one that comes with PyInstaller.
+
+(If you don't care about this, you can install PyInstaller with `pip install PyInstaller==3.4`.)
+
+Here's how to compile the PyInstaller bootloader:
+
+Download and install [Microsoft Build Tools for Visual Studio 2017](https://www.visualstudio.com/downloads/#build-tools-for-visual-studio-2017). I downloaded `vs_buildtools.exe`. In the installer, check the box next to "Visual C++ build tools". Click "Individual components", and under "Compilers, build tools and runtimes", check "Windows Universal CRT SDK". Then click install. When installation is done, you may have to reboot your computer.
+
+Then, enable the 32-bit Visual C++ Toolset on the Command Line like this:
+
+```
+cd "C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Auxiliary\Build"
+vcvars32.bat
+```
+
+Make sure you have a new enough `setuptools`:
+
+```
+pip install setuptools==40.6.3
+```
+
+Now make sure you don't have PyInstaller installed from pip:
+
+```
+pip uninstall PyInstaller
+rmdir C:\Users\user\AppData\Local\Programs\Python\Python37-32\Lib\site-packages\PyInstaller /S
+```
+
+Change to a folder where you keep source code, and clone the PyInstaller git repo:
+
+```
+git clone https://github.com/pyinstaller/pyinstaller.git
+```
+
+To verify the git tag, you first need the signing key's PGP key, which means you need `gpg`. If you installed git from git-scm.com, you can run this from Git Bash:
+
+```
+gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 0xD4AD8B9C167B757C4F08E8777B752811BF773B65
+```
+
+And now verify the tag:
+
+```
+cd pyinstaller
+git tag -v v3.4
+```
+
+It should say `Good signature from "Hartmut Goebel <h.goebel@goebel-consult.de>`. If it verified successfully, checkout the tag:
+
+```
+git checkout v3.4
+```
+
+And compile the bootloader, following [these instructions](https://pythonhosted.org/PyInstaller/bootloader-building.html). To compile, run this:
+
+```
+cd bootloader
+python waf distclean all --target-arch=32bit --msvc_targets=x86
+```
+
+Finally, install the PyInstaller module into your local site-packages:
+
+```
+pythin setup.py install
+```
+
+Now the next time you use PyInstaller to build OnionShare, the `.exe` file should not be flagged as malicious by anti-virus.
+
+#### If you want to build the installer

 * Go to http://nsis.sourceforge.net/Download and download the latest NSIS. I downloaded `nsis-3.04-setup.exe`.
 * Add `C:\Program Files (x86)\NSIS` to the path.

-If you want to sign binaries with Authenticode:
+#### If you want to sign binaries with Authenticode

 * You'll need a code signing certificate. I got an open source code signing certificate from [Certum](https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml).
 * Once you get a code signing key and certificate and covert it to a pfx file, import it into your certificate store.
--- a/install/requirements.txt
+++ b/install/requirements.txt
@ -15,7 +15,6 @@ MarkupSafe==1.1.0
 pefile==2018.8.8
 pycparser==2.19
 pycryptodome==3.7.2
-PyInstaller==3.4
 PyQt5==5.11.3
 PyQt5-sip==4.19.13
 PySocks==1.6.8