
Security

PyPI - The Home of PySimpleGUI

PySimpleGUI releases are now only hosted on PyPI. The PySimpleGUI GitHub repo no longer contains the PySimpleGUI source code. Thus....

PySimpleGUI 5 code should never be installed from GitHub

Security is why we do not distribute PySimpleGUI using GitHub. It is easy to set up a GitHub repo that masquerades as the Official PySimpleGUI Repo and add malicious code to the PySimpleGUI source code. Putting the burden on users to be extra cautious when installing PySimpleGUI does not result in a secure product.

Extra Security + PyPI

While PyPI provides a secure single point of distribution, errors are still possible. Numerous articles have been published in recent years about the increase in malware being found lurking on PyPI.

To directly combat this growing problem, the 5.0 version of PySimpleGUI has enhanced security features that ensure you are running "authentic" PySimpleGUI code that has been published by PySimpleSoft. This is an important addition given the ease of installing Python libraries.

To combat this problem, PySimpleGUI has built-in, self-authenticating code that will inform you if the code has been modified. In addition to the self-check, you have external verification tools to get the kind of peace of mind, prior to running code, that you're running authentic and unmodified PySimpleGUI code.

Additionally, there is one official repository for PySimpleGUI releases: PyPI. If you want to install Development Builds that are made available between major releases, these are available through the PySimpleGUI package itself, using the Home Window.

As stated above, the PySimpleGUI.py file is no longer posted in the PySimpleGUI GitHub repository.

It's easy to mistake a forked repository as being the original and thus be fooled into downloading a PySimpleGUI file that is not authentic and secure.

You should never download a PySimpleGUI.py file, claiming to be PySimpleGUI 5, from a GitHub repo.

You are not allowed to publicly post the PySimpleGUI 5 source code. After pip installing PySimpleGUI from the official PySimpleGUI repository, you have, of course, access to the Python source code on your machine. You can post it on your in-house servers, modify the code, etc., but you're not allowed to then post your modifications publicly, as per the software license agreement.

PySimpleGUI's Security Design

PySimpleGUI 5 uses public-key cryptography to ensure that your version of the PySimpleGUI.py file was created by PySimpleSoft Inc. Every release of PySimpleGUI 5 is "signed" using a private key. If any character is changed, added, or deleted, the signature for the file will not match the signature of the authentic version.

Every time you import PySimpleGUI, it is first checked to ensure it has not been tampered with. If tampering has been detected, you're shown a warning, halting the import until you confirm that you would like to continue execution.

A program that has built-in security checks needs an additional, external verification tool so that you can verify that the built-in verification has not been compromised.

Verifying Security

The PySimpleGUI.com website is where you'll find this external verification tool. Visit https://Verify.PySimpleGUI.com to verify you have an authentic copy. Here you'll upload your PySimpleGUI.py file and click the Verify button.


Security Passed

If the verification passes you'll see:

(screenshot: the "Security Passed" result)

Security Failed

If the verification fails you'll see:

(screenshot: the "Security Failed" result)

Self-Check Warning

Every time you import PySimpleGUI, it will run a self-check authentication to ensure it's not been modified in some manner. If the self-check fails, you will see this window:

(screenshot: the self-check warning window)

No - The Safest Option

The warning is asking you if you wish to continue execution. The safest thing for you to do at this point is click "No (SAFEST OPTION)" which will abort the program and allow you to investigate why this error is happening.

Yes - Go ahead and run

If you've determined that a modified version of the software is OK and want to continue to run the code, click the "Yes" button. There is a checkbox that will disable showing you this warning in subsequent runs if the exact same changes to the code are detected.

(screenshot: the warning window with the "do not show again" checkbox)

A Safe Reason For A Failure

If you modify your PySimpleGUI.py file in any way, you will see this error message. Because you have the source to the PySimpleGUI library and are allowed to make changes to the code (as long as they are not published anywhere), you will see this warning after you modify the code. Checking the checkbox means you won't see this window again if you make no additional changes.

Thus, a normal set of operations for you making a change to the code would be:

  1. Modify your PySimpleGUI.py file to make the changes you want to make
  2. Run a program that imports PySimpleGUI
  3. The Authentication will fail and you will see the red window
  4. Click the checkbox indicating you do not want to see it in the future
  5. Click the "Yes" button to continue execution

After following these steps, your PySimpleGUI applications will execute without showing this warning.
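The following is an added illustration, not PySimpleGUI's own code, of the two behaviours described above: a release signed with a private key fails verification after any single-character change, and an import-time self-check that can remember one exact approved modification (the checkbox) while still flagging any further change. The key pair is constructed from toy-sized, fixed primes with textbook RSA so the arithmetic is visible and runs with the standard library only; real signing keys are far larger and are generated and stored by a vetted library.

```python
import hashlib

# Toy RSA key pair, constructed for illustration only (Mersenne primes
# 2^61-1 and 2^89-1). Not secure at this size; it only makes sign/verify visible.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, kept by the publisher
PUBLIC_KEY = (N, E)                  # shipped with the library for verification

def digest(source: bytes) -> int:
    """SHA-256 of the file contents, reduced into the signing modulus."""
    return int.from_bytes(hashlib.sha256(source).digest(), "big") % N

def sign_release(source: bytes) -> int:
    """Publisher side: sign the digest of the file with the private exponent."""
    return pow(digest(source), D, N)

def signature_valid(source: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Verifier side: recover the signed digest with the public key and compare
    it to the digest of the file actually present on disk."""
    n, e = public_key
    return pow(signature, e, n) == digest(source)

def self_check(source: bytes, signature: int, accepted: set) -> str:
    """Import-time check modelled on the warning flow. Returns 'authentic',
    'accepted' (a modification the user already approved via the checkbox)
    or 'tampered' (a modification that has not been approved)."""
    if signature_valid(source, signature):
        return "authentic"
    fingerprint = hashlib.sha256(source).hexdigest()
    return "accepted" if fingerprint in accepted else "tampered"

def approve_modification(source: bytes, accepted: set) -> None:
    """Remember this exact modified file, like ticking the checkbox; any
    further edit produces a new fingerprint and the warning returns."""
    accepted.add(hashlib.sha256(source).hexdigest())

# Constructed stand-in for the library source published on PyPI.
RELEASE = b"# PySimpleGUI (constructed sample)\nVERSION = '5.0.0'\n"
RELEASE_SIG = sign_release(RELEASE)
TAMPERED = RELEASE.replace(b"5.0.0", b"5.0.1")   # a single character changed

if __name__ == "__main__":
    approved = set()
    print(self_check(RELEASE, RELEASE_SIG, approved))    # authentic
    print(self_check(TAMPERED, RELEASE_SIG, approved))   # tampered
    approve_modification(TAMPERED, approved)
    print(self_check(TAMPERED, RELEASE_SIG, approved))   # accepted
```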

Home Window Secure Indicator

You can check to see if you're running an original copy of PySimpleGUI, or if you've previously allowed modified code to run by opening the Home Window.

This is the normal Home Window:

(screenshot: the normal Home Window)

And this is the Home Window clearly indicating that you're running "suspicious code" that was not published by PySimpleSoft:

(screenshot: the Home Window showing the "suspicious code" indicator)