Windows Defender code signing

[RussNelson]

I have a frozen application (updated using esky) which needs to be signed so it can run on Windows 10 without Windows Defender having a cow. I can successfully sign the executable and Windows Defender ceases objecting to it. When I run it, I get a cx_Freeze fatal error: "Cannot find zipimporter instance". I speculate that it's trying to look inside the file for something that got overwritten [update: it isn't]. I presume this is because the signed executable has extra data at the end, as well as a few values in the header modified:
00000141 C7 79
00000142 66 CE
00000143 13 14
00000181 00 10
00000182 00 D2
00000183 00 13
00000185 00 F8
00000186 00 11

0141 - 0144 is the checksum of the Microsoft Portable Executable header.
0181 - 0184 is the offset to the signing data.
0185 - 0186 is the length of the signing data.

I still haven't found how cx writes the .exe and why signing it screws up something. Still working on that. All hints gladly appreciated.

[RussNelson]

My speculation is that cx is looking past the end of the executable (or what it thinks is the end), and is trying to parse it.

[marcelotduarte]

Does the app run without the code signing?
The executable for the app is a basic executable for any app, modified at build time to include some resources (icon, version, etc). But at run time it does not depend on this to run. Maybe the code signing is corrupting some files. Check #203.

[RussNelson]

Yes, runs without code signing. I've since found out why the signing is causing a problem. The bootstrap executable appends a .zip file, which it expects to be at the very end (unlike, say, unzip, which searches). The code signing block interferes with that check. Not sure how to fix it, yet. I tried setting detached_bootstrap_library in several places, but it keeps appending the .zip rather than writing a "{}.zip".format(executable_fn[:-4]+".zip") file. I blame zipimport. It may be easier to subclass it and replace _read_directory.

[RussNelson]

Yeah. This isn't a cx_Freeze problem. It's an esky problem. The fix is to set detached-bootstrap-library, then you can sign the executable and it can still find its own code.