Protection Python Applications Using Script Envelope
Python applications can be protected using the Script Envelope command-line tool (scriptenv). This tool uses automated processes to apply advanced Sentinel LDK Envelope protection to a Python application.
NOTE Script Envelope supports model file protection for Pytorch and TensorFlow models. For details, click here.
You can perform the protection process under Windows (x64) or Linux (Intel). The protected application can run under Windows (x64) or Linux (Intel 64 or ARM 64). The corresponding runtime library needs to be present under output_root\sntlruntime.
Using Script Envelope consists of the following steps:
1. Prepare a project file that contains all the required information for protecting your Python application, including the location of the source files and the target location for the protected files.
2.Run Script Envelope, passing the project file path as a parameter to the tool.
NOTE You must connect a
Prepare the Project File
Perform the following steps on a machine where Sentinel LDK Vendor Tools are installed.
1.Create or select a project folder to contain the project file for the Python application to be protected.
2.Copy the project file
3.Open your project file in a text editor.
4.Modify the parameters in your project file as described in the table below.
| Property | Description | ||||||
|---|---|---|---|---|---|---|---|
| "file_entries"Section of the Project File | |||||||
| input_root |
Absolute path of the directory that contains the Python application to protect. |
||||||
| output_root |
Absolute path of the directory to which the protected Python application will be written. No additional manual steps are required before you execute the application. |
||||||
| to_be_protected |
Parameter that contains one or more sets of sub-parameters input_glob and (optionally) ignore_glob and feature_id (described later). The sub-parameters in each set identify a subset of files in the application to be protected with a specific Feature ID. For example: "to_be_protected": [
{
"input_glob": "*.*",
"ignore_glob": "moduleC.py",
"feature_id": 4
},
{
"input_glob": "CD/*.py",
"feature_id": 14
},
{
"input_glob": ["EF/*.py", "GH/*.py"]
}
],
The parameters in the example state that: > All files in the root folder (excluding moduleC.py), will be protected with Feature ID 4. > All Python files in the CD folder will be protected with Feature ID 14. > All Python files in the EF and GH folders will be protected by default with the global_feature_id described later. Run-time stub modules will be created for .py files. All other files are handled as data files that are to be used at run time. The following files are copied from the input_root location to the output_root location with no change: >Files that are not included in any input_glob parameter. >Files included in an input_glob parameter but excluded using the ignore_glob parameter. >To apply model file protection for TensorFlow, the to_be_protected parameter must include the TensorFlow model files. For example: {
"input_glob": "model.keras",
"ignore_glob": "",
"feature_id": 0
}
>To apply model file protection for Pytorch, the to_be_protected parameter must include the Pytorch model files. For example: {
"input_glob": "model.pt",
"ignore_glob": "",
"feature_id": 0
}
|
||||||
| input_glob |
Glob pattern that identifies the files under the input root to be protected by Envelope using the associated Feature ID (see feature_id below). For example:
You can specify multiple patterns. For example:
For details, see https://docs.python.org/3/library/glob.html. |
||||||
| ignore_glob |
(Optional) Files to exclude from the input glob. For example: "input_glob": "**/*.py" "ignore_glob": "fileA.py" This example indicates that Script Envelope should recursively protect all .py files under the root folder, excluding fileA.py. |
||||||
| feature_id |
(Optional) |
||||||
| "settings"Section of the Project File | |||||||
| vendor_code_file | Absolute path of your vendor code file on the machine. | ||||||
| custom_scope |
If provided, the protected program will only search for a Sentinel protection key according to the custom login scope that you specify. For information on the syntax for login scope parameters, see the topic "Scope Input XML Tags" in Sentinel Licensing API Reference. You can also paste a login scope that was created using Sentinel LDK ToolBox in this field. Note: If the custom scope contains the following: custom_scope: "<haspscope><hasp type="HASP-HL" /></haspscope>", the hasp type="HASP-HL" must be escaped by the "\" as follows: "custom_scope": "<haspscope>hasp type=\"HASP-HL\" /></haspscope>", |
||||||
| global_feature_id |
(Optional) Global Default: 0 |
||||||
| background_check |
(Optional) Specify a time interval (in seconds) of 0-65535 for periodic background checks for a Sentinel protection key with the required licenses. Default: 300 seconds. If you specify a value of 0, a periodic background check is not performed. Regardless of the setting for this parameter, the License Manager checks for the required license when the application is started. |
||||||
| message_output_mode |
(Optional) Specifies how run-time user messages are delivered. Available output modes are: >windows – If assigned the value true, messages are displayed in a message box. >stderr – If assigned the value true, messages are written to the console. Default: If no output modes are specified, windows mode is set to true and stderr mode is set to false. |
||||||
| message_sets |
You can customize the run-time messages that are displayed during execution of the protected application. Sentinel LDK Envelope provides a comprehensive set of error codes, each mapped to a corresponding end-user message. message_sets is an array, in which each message set contains the following parameters:: >language – The language identifier for each message set. >caption – Text to appear in the title bar for the message box. >messages – An array in which each element contains the following: •id – Predefined ID for each message. •text– Default text for each message. You can modify this text as required. For details, see the provided sample project file. |
||||||
5.Save the project file.
Run Script Envelope
Perform the following steps on the machine where your project file is located and Sentinel LDK Vendor Tools are installed.
1.Open a
2.In the command line prompt, change to the following path:
%Sentinel-LDK%/VendorTools/Envelope/
3.Enter the following command:
scriptenv projectFile [-q]
where:
projectFile
|
The relative or absolute path and name for the project file that you prepared earlier. |
-q (or --quiet) |
If specified, only error and warning messages are displayed. Default: Verbose messages are displayed. |
NOTE You can enter scriptenv -h or scriptenv --help to display help for scriptenv.
The Python application that you specified in the input_root parameter is protected using Envelope and is written to the path specified in the output_root parameter.
Related Topics
Protecting Python Applications
Protecting Python Applications With Cython