Protecting Python Applications Using Script Envelope

Python applications can be protected using the Script Envelope command-line tool (scriptenv.exe). This tool uses automated processes to apply advanced Sentinel LDK Envelope protection to a Python application.

You can perform the protection process under Windows (x64) or Linux, and the protected application can run under either. (The corresponding runtime library needs to be present under output_root\sntlruntime.) For information on using Script Envelope under Linux, see Sentinel LDK Envelope for Linux.

Using Script Envelope consists of the following steps:

1. Prepare a project file that contains all the required information for protecting your Python application, including the location of the source files and the target location for the protected files.

2.Run Script Envelope, passing the project file path as a parameter to the tool.

NOTE   You must connect a Sentinel Vendor key to the machine that you use to run Script Envelope.

Prepare the Project File

Perform the following steps on a machine where Sentinel LDK Vendor Tools are installed.

1.Create or select a project folder to contain the project file for the Python application to be protected.

2.Copy the project file %ProgramFiles(x86)%\Thales\Sentinel LDK\Samples\Envelope\Python\script_envelope\sample.sprjx to the project folder. Rename the new project file to a relevant name for your application.

3.Open your project file in a text editor.

4.Modify the parameters in your project file as described in the table below.

Property Description
"file_entries"Section of the Project File
input_root

Absolute path of the directory that contains the Python application to protect.
output_root

Absolute path of the directory to which the protected Python application will be written. No additional manual steps are required before you execute the application.

to_be_protected

Parameter that contains one or more sets of sub-parameters input_glob and (optionally) ignore_glob and feature_id (described later). The sub-parameters in each set identify a subset of files in the application to be protected with a specific Feature ID.

For example:

         "to_be_protected": [
             {
                      "input_glob": "*.*",
                      "ignore_glob": "moduleC.py",
                      "feature_id": 4
             },
             {
                      "input_glob": "CD/*.py",
                      "feature_id": 14
             },
             {
                      "input_glob": ["EF/*.py", "GH/*.py"]
             }
          ],

The parameters in the example state that:

> All files in the root folder (excluding moduleC.py), will be protected with Feature ID 4.

> All Python files in the CD folder will be protected with Feature ID 14.

> All Python files in the EF and GH folders will be protected by default with the global_feature_id described later.

Run-time stub modules will be created for .py files. All other files are handled as data files that are to be used at run time.

The following files are copied from the input_root location to the output_root location with no change:

>Files that are not included in any input_glob parameter.

>Files included in an input_glob parameter but excluded using the ignore_glob parameter.
input_glob

Glob pattern that identifies the files under the input root to be protected by Envelope using the associated Feature ID (see feature_id below).

For example:

"**/*.py" Recursively protect all .py files under the root folder.
"ABC/*.py" Protect all Python files directly under the ABC folder.

You can specify multiple patterns. For example:

["EF/*.py", "GH/*.py"] Protect all .py files under the EF and GH folders.

For details, see https://docs.python.org/3/library/glob.html.
ignore_glob

(Optional) Files to exclude from the input glob.

For example:

"input_glob": "**/*.py"
"ignore_glob": "fileA.py"

This example indicates that Script Envelope should recursively protect all .py files under the root folder, excluding fileA.py.
feature_id

(Optional) Feature ID (in the range 0 - 65535) for the Python script (.py) files in the associated input_glob that you are protecting. If feature_id is not specified, the global Feature ID (described in global_feature_id below) is used.
"settings"Section of the Project File
vendor_code_file Absolute path of the your vendor code file on the machine.
custom_scope

If provided, the protected program will only search for a Sentinel protection key according to the custom login scope that you specify.

For information on the syntax for login scope parameters, see the topic "Scope Input XML Tags" in Sentinel Licensing API Reference. You can also paste a login scope that was created using Sentinel LDK ToolBox in this field.

Note: If the custom scope contains the following:

custom_scope: "<haspscope><hasp type="HASP-HL" /></haspscope>",

the hasp type="HASP-HL" must be escaped by the "\" as follows:

"custom_scope": "<haspscope>hasp type=\"HASP-HL\" /></haspscope>",
global_feature_id

(Optional) Global Feature ID (in the range 0 - 65535) for the complete application that you are protecting. This Feature ID is also applied by default for any input_glob (under to_be_protected) for which a corresponding feature_id is not specified.

Default: 0
background_check

(Optional) Specify a time interval (in seconds) of 0-65535 for periodic background checks for a Sentinel protection key with the required licenses. Default: 300 seconds.

If you specify a value of 0, a periodic background check is not performed.

Regardless of the setting for this parameter, the License Manager checks for the required license when the application is started.
message_output_mode

(Optional) Specifies how run-time user messages are delivered. Available output modes are:

>windows – If assigned the value true, messages are displayed in a message box.

>stderr – If assigned the value true, messages are written to the console.

Default: If no output modes are specified, windows mode is set to true and stderr mode is set to false.
message_sets

You can customize the run-time messages that are displayed during execution of the protected application. Sentinel LDK Envelope provides a comprehensive set of error codes, each mapped to a corresponding end-user message.

message_sets is an array, in which each message set contains the following parameters::

>language – The language identifier for each message set.

>caption – Text to appear in the title bar for the message box.

>messages – An array in which each element contains the following:

id – Predefined ID for each message.

text– Default text for each message. You can modify this text as required.

For details, see the provided sample project file.

5.Save the project file.

Run Script Envelope

Perform the following steps on the machine where your project file is located and Sentinel LDK Vendor Tools are installed.

1.Open a Windows command line prompt.

2.In the command line prompt, change to the following path:

%ProgramFiles(x86)%\Thales\Sentinel LDK\VendorTools\VendorSuite\

3.Enter the following command:

 scriptenv.exe projectFile [-q]

where:

projectFile

The relative or absolute path and name for the project file that you prepared earlier.
-q (or --quiet)

If specified, only error and warning messages are displayed.

Default: Verbose messages are displayed.

NOTE   You can enter scriptenv.exe -h or scriptenv.exe --help to display help for scriptenv.

The Python application that you specified in the input_root parameter is protected using Envelope and is written to the path specified in the output_root parameter.

Related Topics

Protecting Python Applications

Protecting Python Applications With Cython