1

I can use 

python -m py_compile mytest.py

And it will byte-compile the file. From reading some other documentation, it was my impression that it byte-compiled any modules imported. But if I change any of the files it imports, I see the changed functionality. Is there some way to completely compile a python script and modules it imports, so that any changes to the originals don't reflect? I want to do this for security purposes, essentially creating a "trusted" version which can't be subverted by changing the functionality of any modules that it calls.

Improve this question
5
  • Security through obscurity is not security. Even statically compiled C can be decompild and modified. Commented Jul 19, 2014 at 23:03
  • Possible duplicate of stackoverflow.com/questions/11368304/… Commented Jul 19, 2014 at 23:04
  • @JamesMills It's not exactly security through obscurity. I just need a single self-contained file which a more secure process can check before allowing it to run. Have to check an arbitrary number of files first is a bit too much. Commented Jul 19, 2014 at 23:05
  • Let the checking process verify the integrity of the source file being executed by using cryptographic hashes. (i.e: SHA1). Of course this assumes the "checking process" is also secure and cannot be tampered with. Commented Jul 19, 2014 at 23:07
  • @JamesMills yes, exactly Commented Jul 19, 2014 at 23:13

3 Answers 3

Reset to default
2

If you compile to bytecode, then delete the source files, then the bytecode can't change. But if someone has the ability to change source files on your machine, they can also change bytecode files on your machine. I don't think this will give you any actual security.

If you want a single-file Python program, you can run from a zip file.

Another option is to use cx_freeze or a similar program to compile the program into a native executable.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

I need a single file, apparently deleting the bytecode file for imported modules doesn't work because it needs those files.
@Michael you should have said something about single file in the first place! I've updated my answer.
Thanks I'll look at both of those, they look promising.
"cx_Freeze does not support building a single file exe, where all of the libraries for your application are embedded in one executable file." and I can't figure out a way to re-link the executable against the given .so files...
2

We solved this problem by developing our own customer loader using signet http://jamercee.github.io/signet/. Signet will scan your python source and it's dependencies and calculate sha1 hashes, which it embeds in the loader. You deliver the loader AND your script to your users with instructions they run the loader. On invocation, it re-calculates the hashes and if they match, control is then transferred to your script. Signet also supports code signing and PE verification.

Improve this answer

Comments

1

Freeze/Bundle:

Cryptography:

Assuming your "process" for running "scripts" is secure and cannot be tampered with:

  • Create secure hashes of the scripts and record them (e.g: SHA1)
  • When executing "scripts" ensure their cryptographic hashes match (ensuring they haven't been tampered with).

A common approach to this for secure protocols and apis is to use HMAC

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.