Skip to content

Falldog/pyconcrete

Repository files navigation

pyconcrete

Travis AppVeyor PyPI Version PyPI PyVersion PyPI License

Protect your python script, encrypt .pyc to .pye and decrypt when import it


Protect python script work flow

  • Build the execution pyconcrete and read the MAIN.pye which encrypted by your passphrase.
  • pyconcrete will decrypt the source file and then launch python interpreter to do the normal python behavior.
  • pyconcrete will hook import module
  • when your script do import MODULE, pyconcrete import hook will try to find MODULE.pye first and then decrypt MODULE.pye via _pyconcrete.pyd and execute decrypted data (as .pyc content)
  • encrypt & decrypt secret key record in _pyconcrete.pyd (like DLL or SO) the secret key would be hide in binary code, can't see it directly in HEX view

Encryption

  • only support AES 128 bit now
  • encrypt & decrypt by library OpenAES

Compatibility

Pyconcrete has transitioned to using meson-python as its build backend starting from version 1.0.0. This provides a more powerful build mechanism and supports newer Python versions.

For older Python support:

  • Pyconcrete versions prior to 0.15.2 only support up to Python 3.10.
  • If you need support for Python 3.6 or Python 2.7, please use versions before 0.15.2.
  • Pyconcrete no longer supports Python versions earlier than 3.6.

Requirements

For unix base

  • apt: pkg-config, build-essential, python{version}-dev
  • pip: 23.1+

For windows base

  • Limited, only tested for partial environment
    • Windows 11
  • Visual Studio 2022 (w/ Windows 11 SDK)
  • pip: 23.1+

Installation

Due to security considerations, you must provide a passphrase to create a secret key for encrypting Python scripts:

  • The same passphrase will generate the same secret key.
  • Pre-built packages are not provided, so users must build the package by yourself.

Build Process

  • Pyconcrete relies on Meson to compile the C extension.
  • Meson generate secret key header file which assign by user passphrase.
  • Meson build exe(pyconcrete executable) or lib(pyconcrete python module, for import only).
  • Meson build pyecli(command line tool).

pip

  • Need to config the passphrase for installation. And only pip 23.1+ support passing argument via -C or --config-settings.
  • Remember to assign --no-cache-dir to avoid use pip's cached package which already built by old passphrase.
# basic usage
$ pip install pyconcrete \
    --no-cache-dir \
    --config-settings=setup-args="-Dpassphrase=<Your_Passphrase>"

# assign multiple options
$ pip install pyconcrete \
    --no-cache-dir \
    --config-settings=setup-args="-Dpassphrase=<Your_Passphrase>" \
    --config-settings=setup-args="-Dmode=exe" \
    --config-settings=setup-args="-Dinstall-cli=true"
  • Available arguments. Setup by --config-settings=setup-args="-D<argurment_name>=<value>"
    • passphrase: (Mandatory) To generate secret key for encryption.
    • ext: Able to assign customized encrypted file extension. Which default is .pye.
    • mode: exe or lib. Which default is exe.
    • install-cli: Determine to install pyecli or not. Which default is true

Usage

Full encrypted

  • convert all of your .py to *.pye
$ pyecli compile --pye -s=<your py script>
$ pyecli compile --pye -s=<your py module dir>
$ pyecli compile --pye -s=<your py module dir> -e=<your file extension>
  • remove *.py *.pyc or copy *.pye to other folder
  • main.py encrypted as main.pye, it can't be executed by normal python. You must use pyconcrete to process the main.pye script. pyconcrete(exe) will be installed in your system path (ex: /usr/local/bin)
    • project layout as below
    pyconcrete main.pye
    src/*.pye  # your libs

Partial encrypted (pyconcrete as lib)

  • This mode is not safe enough. If you want to use pyconcrete in this way, you need to understand the potential risk.
  • Need to assign mode=lib when installation
  • Import pyconcrete in your main script
    • project layout as below
    main.py       # import pyconcrete and your lib
    pyconcrete/*  # put pyconcrete lib in project root, keep it as original files
    src/*.pye     # your libs

Test

  • test in local
$ pytest tests
  • test in docker environment
$ make test
  • test in docker environment for specific python version
$ make test 3.10

Example

Django with pyconcrete

TroubleShooting

Windows

Example environment: Windows 11, Visual Studio 2022

  • Error: ..\meson.build:1:0: ERROR: Unknown compiler(s): [['icl'], ['cl'], ['cc'], ['gcc'], ['clang'], ['clang-cl'], ['pgcc']]
    • Need to install Visual Studio
      • Choose "Desktop development with C++"
      • Must include "Windows 11 SDK"
  • Error: ..\meson.build:23:31: ERROR: Python dependency not found
    • Make sure your python arch same with your platform (such as Arm64 or Amd64 or x86)

Reference

https://mesonbuild.com/SimpleStart.html

Announcement

pyconcrete is an experimental project, there is always a way to decrypt .pye files, but pyconcrete just make it harder.

About

Protect your python script, encrypt it as .pye and decrypt when import it

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 9