Pyinstaller: Cryptographic Dependencies

Not a bug ... or feature request

Please note that this is not a bug in the conventional sense, my playing with PyInstaller so far seems to work just fine. It's also not a feature request in the sense that I'm not asking it to do anything it doesn't already do.

Deprecated cryptographic module

That said, one of the PyInstaller dependencies is an abandoned project and, depending on the manner in which that dependency is used, it may be necessary to replace it.

The module in question is PyCrypto, which has been abandoned for several years. Vulnerabilities with some of its implementations of some ciphers have been found since then and they will not be fixed.

Now, if you're just using PyCrypto to provide a quick and dirty code obfuscation or DRM-like option, with absolutely no guarantees of security, then this probably doesn't matter so much. If, however, PyInstaller needs a means of creating securely encrypted files or performing other cryptographic functions with any degree of assurance regarding quality then switching from PyCrypto to something else will probably be a needed.

The current options that I'm aware of and which are actively maintained are:

1. cryptography.py — this uses CFFI and the OpenSSL libraries to provide the functions available in OpenSSL. It supports Python 2.6, 2.7, 3.3 and above (plus PyPy). It is dual-licensed under the Apache 2.0 license and the BSD license.
2. PyNaCl — this provides bindings to libsodium, which is essentially just providing access to Daniel Bernstein's curve25519 algorithms and little else. It supports Python 2.7, 3.4 and above. PyNaCl is released under the Apache 2.0 license.
3. One of the other PyCA projects — There might be other better fits from projects related to either of the two listed here.
4. GPGME's Python bindings — this uses SWIG to provide bindings to GPGME, the C API for the GnuPG project (which is a dependency). So this will provide full access to everything in the GPG implementation of OpenPGP and the S/MIME implementation (i.e. gpgsm). It supports Python 2.6, 2.7, 3.4 and above. The GPGME Python bindings are an official part of the GnuPG Project and released under the same terms; dual licensed as GPL 2.0 (or any later version and LGPL 2.1 (or any later version).

Disclaimers

Full disclosure

I am the maintainer of the GPGME Python bindings, so that could be considered a vested interest. If you did use GPGME then you'd want to include it under the LGPL 2.1+ and for the same reason that the entire GnuPG project is dual licensed with that license.

Recommendations

I haven't looked too deeply into PyInstaller's code, so I don't know which of these would fit your needs best, I just noticed the references to PyCrypto during a successful build of playing with it.

So I can't make an informed recommendation that is specific to this project, sorry.

Limited Recommendation

That said, if your purpose is basically just quick DRM or you only need, for instance, a single symmetric cipher (e.g. AES), even I'd say use cryptography.py for just that.