From b85c75b79b508a6b89ab1848267aeb2a31d6fef0 Mon Sep 17 00:00:00 2001 From: Micah Lee Date: Sat, 26 Jan 2019 23:01:13 -0800 Subject: [PATCH 1/2] Add instructions to build PyInstaller from source, to avoid AV false positives --- BUILD.md | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 72 insertions(+), 6 deletions(-) diff --git a/BUILD.md b/BUILD.md index e3d6a760..34435633 100644 --- a/BUILD.md +++ b/BUILD.md @@ -58,14 +58,14 @@ Now install some python dependencies with pip (note, there's issues building a . pip3 install -r install/requirements.txt ``` -You can run both the CLI and GUI versions of OnionShare without building an bundle: +#### You can run both the CLI and GUI versions of OnionShare without building an bundle ```sh ./dev_scripts/onionshare ./dev_scripts/onionshare-gui ``` -To build the app bundle: +#### To build the app bundle ```sh install/build_osx.sh @@ -73,7 +73,7 @@ install/build_osx.sh Now you should have `dist/OnionShare.app`. -To codesign and build a pkg for distribution: +#### To codesign and build a pkg for distribution ```sh install/build_osx.sh --release @@ -102,7 +102,7 @@ python dev_scripts\onionshare python dev_scripts\onionshare-gui ``` -If you want to build a .exe: +#### If you want to build a .exe These instructions include adding folders to the path in Windows. To do this, go to Start and type "advanced system settings", and open "View advanced system settings" in the Control Panel. Click Environment Variables. Under "System variables" double-click on Path. From there you can add and remove folders that are available in the PATH. @@ -119,12 +119,78 @@ Add the following directories to the path: * `C:\Users\user\AppData\Local\Programs\Python\Python37-32\Lib\site-packages\PyQt5\Qt\bin` * `C:\Program Files (x86)\7-Zip` -If you want to build the installer: +#### If you want the .exe to not get falsely flagged as malicious by anti-virus software + +OnionShare uses PyInstaller to turn the python source code into Windows executable `.exe` file. Apparently, malware developers also use PyInstaller, and some anti-virus vendors have included snippets of PyInstaller code in their virus definitions. To avoid this, you have to compile the Windows PyInstaller bootloader yourself instead of using the pre-compiled one that comes with PyInstaller. Here's how: + +Download and install [Microsoft Build Tools for Visual Studio 2017](https://www.visualstudio.com/downloads/#build-tools-for-visual-studio-2017). I downloaded `vs_buildtools.exe`. In the installer, check the box next to "Visual C++ build tools". Click "Individual components", and under "Compilers, build tools and runtimes", check "Windows Universal CRT SDK". Then click install. When installation is done, you may have to reboot your computer. + +Then, enable the 32-bit Visual C++ Toolset on the Command Line like this: + +``` +cd "C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Auxiliary\Build" +vcvars32.bat +``` + +Make sure you have a new enough `setuptools`: + +``` +pip install setuptools==40.6.3 +``` + +Now uninstall PyInstaller from pip: + +``` +pip uninstall PyInstaller +rmdir C:\Users\user\AppData\Local\Programs\Python\Python37-32\Lib\site-packages\PyInstaller /S +``` + +Change to a folder where you keep source code, and clone the PyInstaller git repo: + +``` +git clone https://github.com/pyinstaller/pyinstaller.git +``` + +To verify the git tag, you first need the signing key's PGP key, which means you need `gpg`. If you installed git from git-scm.com, you can run this from Git Bash: + +``` +gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 0xD4AD8B9C167B757C4F08E8777B752811BF773B65 +``` + +And now verify the tag: + +``` +cd pyinstaller +git tag -v v3.4 +``` + +It should say `Good signature from "Hartmut Goebel `. If it verified successfully, checkout the tag: + +``` +git checkout v3.4 +``` + +And compile the bootloader, following [these instructions](https://pythonhosted.org/PyInstaller/bootloader-building.html). To compile, run this: + +``` +cd bootloader +python waf distclean all --target-arch=32bit --msvc_targets=x86 +``` + +Finally, install the PyInstaller module into your local site-packages: + +``` +pythin setup.py install +``` + +Now the next time you use PyInstaller to build OnionShare, the `.exe` file should not be flagged as malicious by anti-virus. + +#### If you want to build the installer * Go to http://nsis.sourceforge.net/Download and download the latest NSIS. I downloaded `nsis-3.04-setup.exe`. * Add `C:\Program Files (x86)\NSIS` to the path. -If you want to sign binaries with Authenticode: +#### If you want to sign binaries with Authenticode * You'll need a code signing certificate. I got an open source code signing certificate from [Certum](https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml). * Once you get a code signing key and certificate and covert it to a pfx file, import it into your certificate store. From 6ed63143df1aeb3aedd06a1f459f49437993816b Mon Sep 17 00:00:00 2001 From: Micah Lee Date: Sat, 26 Jan 2019 23:06:21 -0800 Subject: [PATCH 2/2] Remove PyInstaller from requirements.txt, because it now breaks CircleCI --- BUILD.md | 9 +++++++-- install/requirements.txt | 1 - 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/BUILD.md b/BUILD.md index 34435633..b01faaf1 100644 --- a/BUILD.md +++ b/BUILD.md @@ -56,6 +56,7 @@ Now install some python dependencies with pip (note, there's issues building a . ```sh pip3 install -r install/requirements.txt +pip3 install PyInstaller==3.4 ``` #### You can run both the CLI and GUI versions of OnionShare without building an bundle @@ -121,7 +122,11 @@ Add the following directories to the path: #### If you want the .exe to not get falsely flagged as malicious by anti-virus software -OnionShare uses PyInstaller to turn the python source code into Windows executable `.exe` file. Apparently, malware developers also use PyInstaller, and some anti-virus vendors have included snippets of PyInstaller code in their virus definitions. To avoid this, you have to compile the Windows PyInstaller bootloader yourself instead of using the pre-compiled one that comes with PyInstaller. Here's how: +OnionShare uses PyInstaller to turn the python source code into Windows executable `.exe` file. Apparently, malware developers also use PyInstaller, and some anti-virus vendors have included snippets of PyInstaller code in their virus definitions. To avoid this, you have to compile the Windows PyInstaller bootloader yourself instead of using the pre-compiled one that comes with PyInstaller. + +(If you don't care about this, you can install PyInstaller with `pip install PyInstaller==3.4`.) + +Here's how to compile the PyInstaller bootloader: Download and install [Microsoft Build Tools for Visual Studio 2017](https://www.visualstudio.com/downloads/#build-tools-for-visual-studio-2017). I downloaded `vs_buildtools.exe`. In the installer, check the box next to "Visual C++ build tools". Click "Individual components", and under "Compilers, build tools and runtimes", check "Windows Universal CRT SDK". Then click install. When installation is done, you may have to reboot your computer. @@ -138,7 +143,7 @@ Make sure you have a new enough `setuptools`: pip install setuptools==40.6.3 ``` -Now uninstall PyInstaller from pip: +Now make sure you don't have PyInstaller installed from pip: ``` pip uninstall PyInstaller diff --git a/install/requirements.txt b/install/requirements.txt index 81430398..76dfb1ef 100644 --- a/install/requirements.txt +++ b/install/requirements.txt @@ -15,7 +15,6 @@ MarkupSafe==1.1.0 pefile==2018.8.8 pycparser==2.19 pycryptodome==3.7.2 -PyInstaller==3.4 PyQt5==5.11.3 PyQt5-sip==4.19.13 PySocks==1.6.8