It's not just Apple that pulls shenanigans like this.
Try building a Python app with PyInstaller while you have Windows Defender live scanning on, which is the default setting. You won't even be able to compile a binary without Defender preventing you from doing so.
Similarly, try running the binary produced by PyInstaller with Windows Defender on. Defender will say it's malicious and won't run it.
It's a bit dystopian that both major OS platforms go out of their way to prevent you from distributing and running your Python apps.
It's not just Python apps. It's anything by small-time developers without expensive certificates. I once used MSVC to compile a C program that was little more than a "Hello, World", and Defender called it the Win32/Wacatac Trojan.
This is definitely the case and has been my experience, as well.
We live in some dark times when it comes to building and sharing anything as small developers, especially if the things you're building are free.
I stopped updating my open-source Mac apps because I can't justify the cost of jumping over artificial hurdles Apple puts in place that ensure users can't run the apps they want to use. I have other hobbies where spending money actually gives me tangible goods and benefits versus paying an arbitrary yearly tax for the privilege to build stuff that ultimately benefits Apple.
I think Homebrew is the best solution for shipping open source Mac apps if you don't want to pay the developer fee or jump through any hurdles, assuming your users are technical enough to use it.
The alternative is not signing your binaries and explaining to users that they can run them by right clicking and selecting "Open" from the menu.
Unfortunately, getting users to install Homebrew is a hurdle that's hard to pass for what I'm dealing with. It's a non-starter if users have to open a terminal to install anything, even though Homebrew has a .pkg installer now. The users typically don't know what a terminal even is.
That's what I'm doing now, and it's still an issue, unfortunately. Non-power users are not going to remember the right-click -> Open ritual when they just double-click on everything else.
And the warnings Gatekeeper shows also caused users to think their apps, and even computers, were broken or hacked.
Why aren't you just ... paying the 100$ a year to sign your app?
This was the case for our open source app as well. The only reason we're on Apple is one of our users likes the app so much, they handle the certificates.
Which is deeply ironic, if you think about it.
It is super interesting that someone who is not you can take care of proving to Apple that you are really you so that Apple can assert to all other users that they have verified that you are really you because they made you prove it.
This world is just awesome. :)
Hah, that's the exact reason I stopped using OS X and went full Linux on my old MacBook Air about 8 years ago.
This is usually caused by their machine learning virus scanner. For some reason it determines basically anything that you compile yourself to be a virus. Can't miss a virus if you call everything a virus, I guess.
Tbf the gamedev community has seen people submit Trojans to game jams
This is not relevant to the topic.
No, it is. Running unsigned exes with no sandbox actually is risky, and game jams are a specific case where it comes up.
Running signed binaries neither is as long as the corresponding keys leak all the time [1].
Anyone can just get their malware signed by just throwing some dollars at it.
[1] https://bugs.chromium.org/p/apvi/issues/detail?id=100
Okay?
Okay :)
The code signing certificates that MS requires are ridiculously expensive. It's a cartel of certificate issuers. It's downright robbery. We need something similar to Let's Encrypt for code signing.
SignPath gives free certs to OSS projects:
https://signpath.org/about/
We (sqlitebrowser.org) have recently started using them for signing our Windows builds.
If it's limited to OSS projects then it's not like LetsEncrypt
Fair point. For OSS projects it's better than the alternatives though. ;)
Defender calls anything Wacatac.
Ironically I've seen tons of actual malware that doesn't even give the slightest warning.
Even when legit malware gets flagged as "Wacatac" some percentage of users are sure to google the name, see that for years (if not decades) MS has wrongly flagged a ton of legitimate software as being that virus and then whitelist the actual malware on their machine assuming that Microsoft must have just screwed up again. I'm not surprised that MS hasn't fixed the problem after all this time, just disappointed.
This is how malware propagates. Most apps you get from questionable places have instructions that say disable your antivirus. I get it... but I don't want to play a game that bad.
I made a single for loop in Go at work to show a coworker; that binary got flagged as malware.
This is not my experience but maybe I'm doing something different. I ship an electron app. I build it into an installer with electron-builder. I'm not sure I set any configuration settings. It's set to install in the user's folders, not at the system level. My understanding is that's allowed and just works.
Windows isn't a platform for developers. It's a platform for normie consoomers. Isn't that obvious?
If you want an engineering OS, use GNU/Linux.
Until you can run a Windows-free build system with WINE (there are a few reported blockers, several others and I have tried) and PyInstaller, cross-platform apps will require developers to compile their Windows ports on Windows itself.
Windows is where the users are. Not targeting it is a bad financial decision.
To hell with cross platform. Developing for Windows perpetuates a harmful ecosystem. It's really no different than selling ammo to the Sinaloa drug cartel.
It’s a little bit different.
For the past 10 years we have shipped py2exe-based Win32/Win64 software from WINE / Ubuntu. There are no problems - we don't sign it (https://www.vintech.bg)
Thanks for the info, I was hesitant to introduce more platform-specific tools hence why I stuck with PyInstaller. I'll see if py2exe suits my needs.
Yes that's easy advice to follow when you don't have a job
What do you mean?
At my job, we build cross-platform software, but we build it on Linux. It runs on Windows, but building it on Windows is torture, so almost all our dev machines are Linux.
I hope one day I won't have a job!
The multi-billion-dollar company that I work for doesn't get this. I'm forced to do all my dev work on a virtual Windows machine. They have their reasons, many of them valid, but it's still a pain.
Did you download your personality from /g/?
I've met an uncomfortably high number of Mac users who cannot navigate the file system on their Mac.
I built PyInstaller binaries on Windows a few months ago and had no trouble with Windows Defender at all.
This was my experience as of two weeks ago using a pyenv-compiled Python 3.12.4 and the latest PyInstaller on a fresh install of Windows 11.
If you used the Microsoft-signed or Python Software Foundation-signed Python binaries, maybe it doesn't trip the Defender alarm, same thing if you used older versions of Python or PyInstaller. 3.12.4 only came out on the 6th.
Yup, it works mostly but not regularly. Did it for a few years for a cross-platform proprietary PyQt app with PyInstaller. Signing helped a lot but the release process was still to submit the binary to a website that checks with most known antivirus software just to be more certain we didn't ship a dud for most Windows users. Interestingly, sometimes a rebuild fixed the issue facepalm..
This is reason enough not to use either Windows or macOS. Calling these programs malicious is an outright lie. They have not proven this. At most, they can say the program is untrusted or unverified. But calling it malicious is a falsehood and therefore a breach of trust.
MS Defender _is_ malware. Avoid at all costs. /s
To be fair to Windows Defender, a PyInstaller binary does look like malware. If it didn’t do this out of the box, it would become a standard way for malware to be distributed very quickly. Unfortunately for every person trying to compile or run a valid Python program from the net on a Windows PC, there are 1000 malware/Trojan instances trying to infect one.
Ideally code signing / validation would be cheaper
https://www.reddit.com/r/learnpython/comments/e99bhe/comment...
This goes beyond just Python apps. The signing procedures to get past Windows SmartScreen require you to buy certificates and/or deeply integrate with the golden path of Windows development. Stray from the Microsoft-approved path and all your users will get a nice scary warning. Part of it is justified by security concerns, but there is a bitter taste of major OSs pushing "the" way to develop.