Paul Crowley | 21 Jul 11:47 2009

Proposal for making py2exe work with authenticode

As I understand it, py2exe executables signed with authenticode fail 
because appending the authenticode signature means that the ZIP trailer 
is no longer at the end of the file.

If that's right, does that mean that fixing this issue in zipfile.py 
would make authenticode and py2exe play nicely?

http://bugs.python.org/issue774221

I know there's another workaround, by making py2exe use an external ZIP 
file rather than bundling it in as part of the exe, but that's 
undesirable because it means that an attacker can change the external 
ZIP file and the signature stays valid.

Thanks for py2exe!
-- 
   [][][] Paul Crowley
     [][] LShift Ltd
   []  [] www.lshift.net

------------------------------------------------------------------------------
Mark Hammond | 22 Jul 01:41 2009

Re: Proposal for making py2exe work with authenticode

On 21/07/2009 7:47 PM, Paul Crowley wrote:
> As I understand it, py2exe executables signed with authenticode fail
> because appending the authenticode signature means that the ZIP trailer
> is no longer at the end of the file.
>
> If that's right, does that mean that fixing this issue in zipfile.py
> would make authenticode and py2exe play nicely?

I've no idea - maybe you can try, find out, then let us know?

Cheers,

Mark

------------------------------------------------------------------------------
Paul Crowley | 23 Jul 13:23 2009

Re: Proposal for making py2exe work with authenticode

Mark Hammond wrote:
> On 21/07/2009 7:47 PM, Paul Crowley wrote:
>> As I understand it, py2exe executables signed with authenticode fail
>> because appending the authenticode signature means that the ZIP trailer
>> is no longer at the end of the file.
>>
>> If that's right, does that mean that fixing this issue in zipfile.py
>> would make authenticode and py2exe play nicely?
> 
> I've no idea - maybe you can try, find out, then let us know?

My colleague Martin Eden just tried it, and it works!  It was simply a 
matter of applying the patch and putting the patched zipfile.py in the 
same directory so that it is found before the system zipfile.py. 
Unfortunately the resulting EXE has a couple of dependencies on DLLs, 
and as far as I can tell Authenticode provides no way to ensure that 
those DLLs haven't been tampered with.

Is there a way to force py2exe to build an EXE that has no DLL dependencies?

Failing that, can we somehow delay loading the DLLs until the Python 
code is running, so it can checksum them first?
-- 
   [][][] Paul Crowley
     [][] LShift Ltd
   []  [] www.lshift.net
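
The trailer problem from the first message and the "apply the patch and it works" result above, as an added illustration that is not code from this thread, from py2exe or from zipfile.py: a locator that finds the End Of Central Directory record by scanning backwards (so data appended after the archive, such as an Authenticode signature, no longer hides it), reports how many bytes follow the archive, and opens the archive embedded in a py2exe-style file. The stub and trailer bytes in the sample are constructed placeholders, not a real PE header or signature block.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory signature
EOCD_LEN = 22              # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF       # the archive comment length field is 16 bits


def locate_eocd(data: bytes):
    """Scan backwards for a consistent EOCD record; returns
    (eocd_pos, cd_size, cd_offset, comment_len). Appended bytes are tolerated
    up to MAX_COMMENT, the window a comment-tolerant reader must search anyway."""
    window = max(0, len(data) - EOCD_LEN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, window)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            # The central directory must end where the EOCD begins and the
            # declared comment must fit in the file, else this is a false hit.
            if cd_size + cd_offset <= pos and pos + EOCD_LEN + comment_len <= len(data):
                return pos, cd_size, cd_offset, comment_len
        pos = data.rfind(EOCD_SIG, window, pos)
    raise ValueError("no End Of Central Directory record found")


def embedded_archive(data: bytes):
    """(start, end) of the ZIP inside data. py2exe appends the archive to the
    PE stub, so archive-relative offsets are short by the stub's length."""
    pos, cd_size, cd_offset, comment_len = locate_eocd(data)
    return pos - cd_size - cd_offset, pos + EOCD_LEN + comment_len


def overlay_length(data: bytes) -> int:
    """Bytes after the archive's logical end: 0 when nothing was appended,
    the size of the appended block once a signature has been added."""
    return len(data) - embedded_archive(data)[1]


def open_embedded(data: bytes) -> zipfile.ZipFile:
    """Open the archive no matter what has been appended after it."""
    start, end = embedded_archive(data)
    return zipfile.ZipFile(io.BytesIO(data[start:end]))


def build_sample(stub: bytes, trailer: bytes) -> bytes:
    """Constructed stand-in for a py2exe output: stub + archive + trailer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("library/main.py", "print('hello')\n")
    return stub + buf.getvalue() + trailer
```

Current CPython's zipfile performs the same backward scan over the last 64K, which is also why the approach stops working once the appended data exceeds 65535 bytes.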

------------------------------------------------------------------------------