--key not 16/24/32 length is secured and what happens ?

[gaamaaresosa]

I know on v6x the --key is going to be removed.
Before that please let me know what happens when I set only 15/25/33 --key length on pyinstaller build ?
Do you ignore that wrong length --key or accept and build now ?
Or cryto is not done because of wrong --key length ?

Recently I am into analyzing security issues with pyinstaller to make more secured.
I tried setting wrong length --key size (15/25/33) and built.
It was success building...

Then I used "pyinstxtractor" and other tools to extract the pyinstaller protected binary.
I think I was failed to extract it because my --key length was incorrect for Crypto.Cipher.
But 'strings ' command could extract all the strings used on the code.

Whats happening exactly here ?
It is secure to use wrong length --key size (15/25/33) on pyinstaller ?

[rokm]

The given key is zero-padded or truncated to the length of 16 - see the build-time part of the code

pyinstaller/PyInstaller/archive/pyz_crypto.py

Lines 24 to 39 in 5c9f3e6

	def __init__(self, key=None):
	logger.log(
	logging.DEPRECATION,
	"Bytecode encryption will be removed in PyInstaller v6. Please remove cipher and block_cipher parameters "
	"from your spec file to avoid breakages on upgrade. For the rationale/alternatives see "
	"https://github.com/pyinstaller/pyinstaller/pull/6999"
	)
	assert type(key) is str
	if len(key) > BLOCK_SIZE:
	self.key = key[0:BLOCK_SIZE]
	else:
	self.key = key.zfill(BLOCK_SIZE)
	assert len(self.key) == BLOCK_SIZE
	import tinyaes
	self._aesmod = tinyaes

or the run-time part:

pyinstaller/PyInstaller/loader/pyimod01_archive.py

Lines 47 to 64 in 5c9f3e6

	def __init__(self):
	# At build-time the key is given to us from inside the spec file. At bootstrap-time, we must look for it
	# ourselves, by trying to import the generated 'pyi_crypto_key' module.
	import pyimod00_crypto_key
	key = pyimod00_crypto_key.key
	assert type(key) is str
	if len(key) > CRYPT_BLOCK_SIZE:
	self.key = key[0:CRYPT_BLOCK_SIZE]
	else:
	self.key = key.zfill(CRYPT_BLOCK_SIZE)
	assert len(self.key) == CRYPT_BLOCK_SIZE
	import tinyaes
	self._aesmod = tinyaes
	# Issue #1663: Remove the AES module from sys.modules list. Otherwise it interferes with using 'tinyaes' module
	# in users' code.
	del sys.modules['tinyaes']

Then I used "pyinstxtractor" and other tools to extract the pyinstaller protected binary.

I don't think pyinstxtractor supports byte-encrypted PYZ, so your "test" is likely meaningless.

But 'strings ' command could extract all the strings used on the code.

Strings from where? From byte-compiled python modules or from data files / binaries? Because bytecode-encryption is applied only to collected .pyc modules*, and nothing else...

[*] And even that covers only .pyc modules that are collected into PYZ archive, which is most of them (except modules needed at the bootstrap (which are in base_library.zip), pyinstaller's bootstrap scripts and modules, and your entry-point script).

It is secure to use wrong length --key size (15/25/33) on pyinstaller ?

It makes no difference from security viewpoint. That is, the built-in bytecode encryption is trivial to overcome no matter key size you use.

[gaamaaresosa]

Thanks for your explanation rokm !
I got it...