Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot install v2 in Python 3.10. & Virus detected in aqt.exe #423

Closed
bitbacchus opened this issue Oct 8, 2021 · 13 comments
Closed

Cannot install v2 in Python 3.10. & Virus detected in aqt.exe #423

bitbacchus opened this issue Oct 8, 2021 · 13 comments

Comments

@bitbacchus
Copy link

First thanks so much for your work! It might save my C++ course this semester for which I have to install Qt Creator in our computer lab.

I ran, however, into some issues on Win 10:

Best,
Sebastian
@ddalcino
Copy link
Contributor

ddalcino commented Oct 8, 2021

  • pip install aqtinstall installed version 1.1.4 on Windows (Linux worked fine and installed v 2.0.0). Is there a way to install v 2.0.0 with pip on Windows?

This sounds like an issue with pip. Pip is supposed to pull packages directly from Pypi, which should have an up-to-date version available. Maybe someone in the computer lab installed aqtinstall several months ago, when v1.1.4 was current?

You can try using pip to upgrade packages that are currently installed:

pip install --upgrade aqtinstall

You can use pip to install directly from a git repository, instead of Pypi:

pip install git+https://github.com/miurahr/aqtinstall.git

These are false positives: this is a very common problem with python programs packaged as executables: https://www.google.com/search?hl=en&q=virustotal%20flags%20python%20executable%20as%20malware

aqt.exe is not signed: in order to sign an executable, you need to purchase a code-signing certificate. Certificates are not cheap and often incur an annual/semi-annual fee. Windows and MacOS always complain about unsigned executable files; the only way to satisfy them is to pay a lot of money.

Code signing alone isn't enough to fix the problem. Apparently, there is a process where you can petition antivirus software companies to teach their software not to flag your executable as malware; this process must be repeated for every antivirus vendor, every time you release a new binary. I don't think that it's realistic for us to start doing this.

aqt.exe is provided for your convenience; if you have any security concerns about it at all, please don't use it. It's good that you're concerned about security, and I don't want to teach you that you can safely ignore Windows and virustotal.

Everything in this project is open source. If you have security concerns, please read the source code, and if anything looks suspicious, please tell us so we can fix it. We use this program too, and none of us want it to install malware on our machines!

@bitbacchus
Copy link
Author

Thanks a lot for your reply!

First the important: I surely didn't want to suggest that the aqt.exe actually contains malware, sorry I should have communicated that clearly. But thanks for your explanation about Windows and macOS code signing, as a long-term Linux user I was just irritated (which happens a lot when I have to tinker on Windows machines...).

About my installation problems: I had a closer look and the issue and it seems to be that pip can't install certain dependencies and solves this by reverting to an older version of aqt. In particular it seems, it fails to install cffi-1.14.6 because: Microsoft Visual C++ 14.0 or greater is required.. Is msvc required for aqt? This might be kinda related to #230 but I haven't figured out how...

I also attached the CLI output of my failed installation.

aqt.txt

@pzhlkj6612
Copy link
Contributor

Hi @bitbacchus . I have 2 questions:

@ddalcino
Copy link
Contributor

I am a little out of my depth here, so perhaps someone can correct me if I'm wrong:

  1. aqtinstall uses py7zr to extract .7z archive files. There is a command line option to use an alternate extractor utility, like 7zip, but there is no option to install aqtinstall without also installing py7zr.
  2. py7zr has a dependency called bcj-cffi, which includes helper utilities written in C. Note the "cffi", or "C Foreign Function Interface" in the name. In order to install this dependency, it needs to compile those utilities with a C compiler. I am not sure why pip is looking for MSVC 14 in your case. I suspect that if pip was able to find a working compiler, it would not have this problem.
  3. It looks like pip is attempting to install older versions of aqt, in an attempt to find one that has a set of dependencies that it can satisfy. I speculate version 1.1.4 requires an older version of py7zr that doesn't use the C foreign function interface, and that's why it chose that particular version.

I can think of a couple of potential ways to fix this:

  1. Just install Visual Studio. If you're developing native software on Windows, it's very likely that you'll need to install this at some point anyway. I expect that you can just install the most recent version. You might need to run pip install aqtinstall from the Visual Studio command line prompt; it will show up in the Start Menu folder for Visual Studio. Fair warning: this will consume a lot of hard disk space, in addition to the Qt installation.
  2. Try using pip install aqtinstall from within MSys2. MSys is a popular command line environment for Windows that works a lot like Linux. It uses pacman for package management, and it makes it really easy to install modern versions of GCC and mingw. I expect that pip would be able to find a C compiler very easily in this environment. Fair warning: this will also consume a lot of hard disk space.
  3. Use aqt.exe instead. aqt.exe is specifically intended for use in situations like yours, where dependency management is really difficult. Both of the previous options will consume a lot of hard disk space; this one should not.

@miurahr
Copy link
Owner

miurahr commented Oct 10, 2021

py7zr has a dependency called bcj-cffi, which includes helper utilities written in C. Note the "cffi", or "C Foreign Function Interface" in the name. In order to install this dependency, it needs to compile those utilities with a C compiler. I am not sure why pip is looking for MSVC 14 in your case. I suspect that if pip was able to find a working compiler, it would not have this problem.

Now just started a new project PyBCJ that provide a native CPython extension, as same manner as PyPPMd and PyZSTD does, that are helper libraries py7zr depends.
PyPPMd provide native extension library DLL binary for Windows, and also for Linux, macOS, M1 mac and ARM linux.
It will solve your problem, requirements for MSVC, in future.

@bitbacchus
Copy link
Author

@pzhlkj6612
It's a fairly fresh install on a Windows 10 VM, I use Python 3.10.0 (tags/v3.10.0:b494f59, Oct 4 2021, 19:00:18) [MSC v.1929 64 bit (AMD64)] and pip 21.2.4 from C:\Users\bacchus\AppData\Local\Programs\Python\Python310\lib\site-packages\pip (python 3.10)

@ddalcino
Thanks for that great summary of all options, that helps a lot. I think I'll give aqt.exe another try.

Thank you all for your help! I guess this issue is solved for me and I'll close this :-)

@miurahr
Copy link
Owner

miurahr commented Oct 10, 2021

Dependencies of aqtinstall may not provide binary extensions for 3.10, at least projects I maintained.
Could you downgrade python to 3.9.x, then behavior may be changed.

@pzhlkj6612
Copy link
Contributor

@miurahr Is the dependent library "bcj-cffi" not built the wheel for Python 3.10?

@pzhlkj6612
Copy link
Contributor

Dependencies of aqtinstall may not provide binary extensions for 3.10, at least projects I maintained. Could you downgrade python to 3.9.x, then behavior may be changed.

Oh, haha. I tested with Python 3.9.7 and pip 21.2.3 (installed by the installer downloaded from python.org) and everything works fine. aqtinstall 2.0.0 has been installed.

@bitbacchus
Copy link
Author

Oh, haha. I tested with Python 3.9.7 and pip 21.2.3 (installed by the installer downloaded from python.org) and everything works fine. aqtinstall 2.0.0 has been installed.

Yes, same here! With 3.9.7 everything installs fine!

@miurahr
Copy link
Owner

miurahr commented Oct 13, 2021

Dependency cffi is now 1.15.0rc2 which support python 3.10.0.
Please wait the release, and more dependency that use cffi release new versions.
https://pypi.org/project/cffi/1.15.0rc2/#history

@pzhlkj6612 pzhlkj6612 mentioned this issue Oct 16, 2021
Closed
@pzhlkj6612
Copy link
Contributor

Hi @bitbacchus , would you mind renaming this issue? I think we can make the title more informative. Here are my suggestions.

The first sentence could be:

  • Cannot install v2 in Python 3.10.
  • Cannot install 2.0.0 in Python 3.10.
  • No v2 in Python 3.10.
  • No 2.0.0 in Python 3.10.

The second sentence could be:

  • Virus detected in aqt.exe.
  • Malicious behavior detected in aqt.exe.

And then combine the two sentences. For example: "Cannot install v2 in Python 3.10. Virus detected in aqt.exe".

@bitbacchus bitbacchus changed the title Problems with aqt on Windows Cannot install v2 in Python 3.10. & Virus detected in aqt.exe Oct 18, 2021
@bitbacchus
Copy link
Author

@pzhlkj6612 done 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@miurahr @ddalcino @bitbacchus @pzhlkj6612