High severity · OSV Advisory · Published Sep 9, 2025 · Updated Apr 15, 2026

CVE-2025-59042

Description

PyInstaller bundles a Python application and all its dependencies into a single package. During the bootstrap process of a PyInstaller-frozen application, a special entry is appended to sys.path, and the bootstrap script attempts to load an optional module for bytecode decryption while this entry is still present in sys.path. As a result, an application built with PyInstaller < 6.0.0 may be tricked by an unprivileged attacker into executing arbitrary Python code when all of the following conditions are met:

1. The application is built with PyInstaller < 6.0.0; both onedir and onefile mode are affected.
2. The optional bytecode encryption feature was not enabled during the application build.
3. The attacker can create files/directories in the same directory where the executable is located.
4. The filesystem supports creation of files/directories that contain ? in their name (i.e., non-Windows systems).
5. The attacker is able to determine the offset at which the PYZ archive is embedded in the executable.

The attacker can create a directory (or a zip archive) next to the executable, with a name that matches the format used by PyInstaller's bootloader to transmit information about the location of the PYZ archive to the bootstrap script. If this directory (or zip archive) contains a Python module whose name matches the name used by the optional bytecode encryption feature, this module will be loaded and executed by the bootstrap script (in the absence of the real, built-in module that is available when the bytecode-encryption feature is enabled). This results in arbitrary code execution that requires no modification of the executable itself. If the executable is running with elevated privileges (for example, due to having the setuid bit set), the code in the injected module is also executed with those elevated privileges, resulting in a local privilege escalation.

PyInstaller 6.0.0 (f5adf291c8b832d5aff7632844f7e3ddf7ad4923) removed support for bytecode encryption; this effectively removes the described attack vector, because the bootstrap script no longer attempts to load the optional bytecode-decryption module. PyInstaller 6.10.0 (cfd60b510f95f92cb81fc42735c399bb781a4739) reworked the bootstrap process to avoid (ab)using sys.path for transmitting the location of the PYZ archive, which further eliminates the possibility of the described injection procedure. If upgrading PyInstaller is not feasible, ensuring proper permissions on directories containing security-sensitive executables (i.e., executables with the setuid bit set) should mitigate the issue.
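The permissions workaround above, as an added example (not part of the advisory or of PyInstaller): a Python audit that walks a tree, finds setuid executables, and reports when the containing directory lets someone other than root or the file's owner create entries, or already holds a sibling whose name contains `?`. The function names and the default root `/usr/local` are assumptions; the script cannot tell whether an executable was built with PyInstaller, and it checks mode bits only, not ACLs.

```python
import os
import stat
import sys


def is_setuid_executable(path):
    """True for a regular file that has the setuid bit and an execute bit set."""
    try:
        mode = os.lstat(path).st_mode
    except OSError:
        return False
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and bool(mode & 0o111)


def audit_executable_dir(exe_path):
    """Return a list of findings for the directory that holds exe_path."""
    findings = []
    exe_path = os.path.abspath(exe_path)
    directory = os.path.dirname(exe_path)
    exe_st = os.stat(exe_path)
    dir_st = os.stat(directory)

    # Write permission on the directory is what allows creating files or
    # directories next to the executable (condition 3 in the advisory).
    # The sticky bit does not change this: it restricts deletion, not creation.
    if dir_st.st_mode & stat.S_IWOTH:
        findings.append("directory is world-writable")
    if dir_st.st_mode & stat.S_IWGRP:
        findings.append(f"directory is group-writable (gid {dir_st.st_gid})")

    # The directory owner can always create entries, so the owner should be
    # root or the account that owns the executable.
    if dir_st.st_uid not in (0, exe_st.st_uid):
        findings.append(
            f"directory owned by uid {dir_st.st_uid}, "
            f"executable owned by uid {exe_st.st_uid}"
        )

    # Heuristic only: the advisory says the planted directory or zip archive
    # has '?' in its name. The exact name format is not given on the page, so
    # any sibling containing '?' is reported for manual review.
    for name in sorted(os.listdir(directory)):
        if "?" in name:
            findings.append(f"sibling entry with '?' in its name: {name!r}")
    return findings


def scan(root):
    """Map each setuid executable under root that has findings to those findings."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_setuid_executable(path):
                findings = audit_executable_dir(path)
                if findings:
                    report[path] = findings
    return report


if __name__ == "__main__":
    # Default root is an assumption; pass the tree to audit as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local"
    for path, findings in scan(target).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

An empty report means no setuid executable under the root had a finding; it does not show that the executables themselves were built with a fixed PyInstaller release.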

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| pyinstaller (PyPI) | < 6.0.0 | 6.0.0 |

Patches

7001defa6f8c

Release v6.0.0. [skip ci]

https://github.com/pyinstaller/pyinstaller · Brénainn Woodsend · Sep 22, 2023 · via osv
70 files changed · +394 -324
  • doc/CHANGES.rst +300 -1 modified
    @@ -15,6 +15,305 @@ Changelog for PyInstaller
     
     .. towncrier release notes start
     
    +6.0.0 (2023-09-22)
    +------------------
    +
    +Features
    +~~~~~~~~
    +
    +* (macOS) PyInstaller now attempts to preserve the ``.framework`` bundles when
    +  collecting shared libraries from them. If a shared library is to be collected
    +  from a ``.framework`` bundle, the ``Info.plist`` is also automatically
    +  collected. The ``.framework`` bundle collection code also attempts to fix the
    +  bundles' structure to conform to code-signing requirements (i.e., creation of
    +  the ``Current`` symbolic link in the ``Versions`` directory, and top-level
    +  contents being symbolic links that point to counterparts in the
    +  ``Versions/Current`` directory). Note that other resources (for example from
    +  ``Resources`` or ``Helpers`` directories) still need to be explicitly
    +  collected by hooks. (:issue:`7619`)
    +* (macOS) The file relocation mechanism in ``BUNDLE`` that generates macOS .app
    +  bundles has been completely redesigned. All data files are now placed into
    +  directory structure rooted in ``Contents/Resources``, all shared libraries (as
    +  well as nested .framework bundles) are placed into directory structure rooted
    +  in ``Contents/Frameworks``, and only the the program executable is placed into
    +  the ``Contents/MacOS`` directory. The contents of ``Contents/Resources`` and
    +  ``Contents/Frameworks`` directories are cross-linked via symlinks between the
    +  two directory trees in order to maintain illusion of mixed-content directories
    +  (in both directory trees). The cross-linking is done at either file level or
    +  (sub)directory level, depending on the content type of a (sub)directory. For
    +  directories in ``Contents/Frameworks`` that contain a dot in the name, a
    +  work-around is automatically applied: the directory is created with a modified
    +  name that does not include the dot, and next to it, a symbolic link is created
    +  under the original name and pointing to the directory with modified name.
    +  (:issue:`7619`)
    +* (non-Windows) PyInstaller now attempts to preserve the parent directory
    +  structure for shared libraries discovered and collected by the binary
    +  dependency analysis, instead of automatically collecting them into the
    +  top-level application directory. Due to library search path assumptions
    +  made in various places, symbolic links to collected libraries are created
    +  in the top-level application directory. This complements earlier work
    +  (:issue:`7028`) that implemented DLL parent directory structure
    +  preservation on Windows. (:issue:`7619`)
    +* (Windows) Add an option to hide or minimize the console window in
    +  console-enabled applications, but only if the program's process owns
    +  the console window (i.e., the program was not launched from an existing
    +  console window). (:issue:`7729`)
    +* (Windows) The :option:`--add-data` and :option:`--add-binary` options accept
    +  the POSIX syntax of ``--add-data=source:dest`` rather than
    +  ``--add-data=source;dest``. The latter will continue to work on Windows to
    +  avoid breaking backwards compatibility but is discouraged in favour of the now
    +  cross platform format. (:issue:`6724`)
    +* Add automatic binary vs. data file (re)classification step to the analysis
    +  process. PyInstaller now inspects all files passed to ``Analysis`` via
    +  ``datas`` and ``binaries`` arguments, as well as all files returned by hooks
    +  via ``datas`` and ``binaries`` hook global variables. The inspection mechanism
    +  is platform-specific, and currently implemented for Windows, Linux, and macOS.
    +  Proper file classification ensures that all collected binary files undergo
    +  binary dependency analysis and any other platform-specific binary processing.
    +  On macOS, it also helps ensuring that the collected files are placed in the
    +  proper directory in the generated .app bundles. (:issue:`7619`)
    +* Add support for specifying hash randomization seed via ``hash_seed=<value>``
    +  :ref:`run-time option <specifying python interpreter options>` when building
    +  the application. This allows the application to use a fixed seed value or
    +  disable hash randomization altogether by using seed value of 0.
    +  (:issue:`7847`)
    +* Allow spec files to take custom command line parameters. See :ref:`adding
    +  parameters to spec files <spec_parameters>`. (:issue:`4482`)
    +* Extend the operation retry mechanism that was initially introduced by
    +  :issue:`7840` to cover all processing steps that are performed during
    +  assembly of a Windows executable. This attempts to mitigate the interference
    +  from anti-virus programs and other security tools, which may temporarily block
    +  write access to the executable for a scan between individual processing steps.
    +  (:issue:`7871`)
    +* Implement pass-through for `Python's X-options
    +  <https://docs.python.org/3/using/cmdline.html#cmdoption-X>`_ via PyInstaller's
    +  :ref:`run-time options mechanism <specifying python interpreter options>`.
    +  (:issue:`7847`)
    +* Implement support for creating symbolic links from special ``'SYMLINK'``
    +  TOC entries, either at build-time (``onedir`` mode) or at run-time
    +  (``onefile`` mode). Implement symbolic link preservation support in the
    +  analysis process; if a file and a symbolic link pointing to it are both to be
    +  collected, and if their relative relationship is preserved in the frozen
    +  application, the symbolic link is collected as a ``'SYMLINK'`` entry.
    +  (:issue:`7619`)
    +* Implement :func:`PyInstaller.utils.hooks.check_requirement` hook utility
    +  function as an :mod:`importlib.metadata`-based replacement for
    +  :func:`PyInstaller.utils.hooks.is_module_satisfies`; the latter is now
    +  just an alias for the former, kept for compatibility with existing hooks.
    +  (:issue:`7943`)
    +* Restructure onedir mode builds so that everything except the executable (and
    +  ``.pkg`` if you're using external PYZ archive mode) are hidden inside a
    +  sub-directory. This sub-directory's name defaults to ``_internal`` but may be
    +  configured with a new :option:`--contents-directory` option. Onefile
    +  applications and macOS ``.app`` bundles are unaffected. (:issue:`7713`)
    +* The :func:`PyInstaller.utils.hooks.collect_all` hook utility function now
    +  attempts to translate the given importable package name into distribution name
    +  before attempting to collect metadata. This allows the function to handle
    +  cases when the distribution name does not match the importable package name.
    +  (:issue:`7943`)
    +
    +
    +Bugfix
    +~~~~~~
    +
    +* (macOS) ``QtWebEngine`` now works in ``onefile`` builds (previously available
    +  only in ``onedir`` builds). (:issue:`4361`)
    +* (macOS) Fix the shared library duplication problem where a shared library that
    +  is also referred to via its symbolic links (e.g., a shared library
    +  ``libwx_baseu-3.1.5.0.0.dylib`` with symbolic links
    +  ``libwx_baseu-3.1.5.dylib`` and ``libwx_baseu-3.0.dylib``) ends up collected
    +  as duplicates and consequently crashes the program. The symbolic links should
    +  now be preserved, thus avoiding the problem. (:issue:`5710`)
    +* (macOS) In generated .app bundles, the data files from ``PySide2``,
    +  ``PySide6``, ``PyQt5``, or ``PyQt6`` directory are now relocated to the
    +  directory structure rooted in ``Contents/Resources`` to ensure compliance with
    +  code-signing requirements. The content cross-linking between
    +  ``Contents/Resources`` and ``Contents/Frameworks`` should ensure that ``QML``
    +  components in the ``qml`` sub-directory continue to work in spite of plugins
    +  (shared libraries) being technically separated from their corresponding
    +  metadata files. The automatic work-around for directories with dots in names
    +  should prevent code-signing issues due to some ``QML`` components in Qt5
    +  having dot in their names (e.g. ``QtQuick.2`` and ``QtQuick/Controls.2``.
    +  (:issue:`7619`)
    +* (macOS) In generated .app bundles, the source .py files are now again
    +  relocated to ``Contents/Resources`` directory (and cross-linked into
    +  ``Contents/Frameworks``), which ensures that code-signing does not store
    +  signatures into the files' extended attributes. This reverts the exemption
    +  made in :issue:`7180` to accommodate the ``cv2`` loader script; the problem is
    +  now solved by cross-linking binaries from ``Contents/Frameworks`` to
    +  ``Contents/Resources``, which allows the loader to find the extension binary
    +  (or rather, a symbolic link to it) next to the .py file. (:issue:`7619`)
    +* (macOS) Sandboxing for ``QtWebEngine`` in ``PySide6`` and ``PyQt6`` is not
    +  disabled anymore by the corresponding run-time hooks (see :issue:`6903`), as
    +  it should work out-of-the-box thanks to PyInstaller now preserving the
    +  structure of the ``QtWebEngineCore.framework`` bundle. (:issue:`7619`)
    +* (macOS) The main process in a program that uses ``QtWebEngine`` is not
    +  mis-identified as ``QtWebEngineCore`` anymore in the application's menu bar.
    +  This applies to ``onedir`` POSIX program builds (i.e. the .app bundles were
    +  not affected by this). (:issue:`5409`)
    +* (Windows) Avoid aborting the build process if machine type (architecture)
    +  cannot be determined for a DLL in a candidate search path; instead, skip over
    +  such files, and search in other candidate paths. Fixes build errors when a
    +  search path contains an invalid DLL file (for example, a stub file).
    +  (:issue:`7874`)
    +* (Windows) Prevent PyInstaller's binary dependency analysis from looking for
    +  shared libraries in all :data:`sys.path` locations. Instead, search only
    +  :data:`sys.base_prefix` and ``pywin32`` directories, of available. This, for
    +  example, prevents PyInstaller from picking up incompatible DLLs from
    +  system-installed programs that happen to put their installation directory into
    +  system-wide :envvar:`PYTHONPATH`. (:issue:`5560`)
    +* (Windows) Remove the use of deprecated ``distutils.sysconfig`` module. The
    +  import of this module seems to cause the python process to crash when
    +  ``tensorflow`` is subsequently imported during import analysis.
    +  (:issue:`7347`)
    +* Fix file duplication when collecting a file and symbolic links pointing at it;
    +  with new symbolic link support, the symbolic links are now properly preserved.
    +  This should help reducing the size of builds made on Linux and macOS with
    +  Anaconda, which provides versioned symbolic links for packaged shared
    +  libraries, and PyInstaller tends to collect them all due to hook helper based
    +  on the packages' metadata. (:issue:`7619`)
    +* Fix incompatibility between PyInstaller's frozen importer
    +  (``PyiFrozenImporter``) and :mod:`importlib.resources` when trying to look up
    +  the resources of a collected namespace package via
    +  :func:`importlib.resources.files()`. (:issue:`7921`)
    +* When copying files into ``onedir`` application bundles, use
    +  :func:`shutil.copyfile` instead of :func:`shutil.copy2` to avoid issues
    +  with original permissions/metadata being too restrictive. (:issue:`7938`)
    +
    +
    +Incompatible Changes
    +~~~~~~~~~~~~~~~~~~~~
    +
    +* (Linux) Removed support for building LSB-compliant bootloader, due to
    +  lack of support for LSB (Linux Standard Base) in contemporary linux
    +  distributions. (:issue:`7807`)
    +* (macOS) Due to relocation of all dynamic libraries into directory
    +  structure rooted in the ``Contents/Frameworks`` directory, the
    +  ``sys._MEIPASS`` variable as well as the ``os.path.dirname(__file__)``
    +  in the entry-point script now point to ``Contents/Frameworks`` instead of
    +  ``Contents/MacOS``, while ``os.path.dirname(sys.executable)`` continues
    +  to point to the ``Contents/MacOS`` directory. The behavior change applies
    +  only to ``onedir`` .app bundles (in ``onefile`` ones, ``sys._MEIPASS``
    +  and ``__file__`` of the entry-point script have always pointed to the
    +  temporary extraction directory and continue to do so). (:issue:`7619`)
    +* (macOS) The changes made to the macOS .app bundle generation code and the
    +  resulting .app bundle structure (strict relocation of binaries to
    +  ``Contents/Frameworks`` and data files to ``Contents/Resources``,
    +  bi-directional cross-linking between ``Contents/Frameworks`` and
    +  ``Contents/Resources``, preservation of nested .framework bundles,
    +  automatic work-around for dots in directory names) are likely
    +  incompatible with existing (external) post-processing scripts.
    +  (:issue:`7619`)
    +* (Windows) Removed command-line options related to processing of the
    +  WinSxS assemblies: ``--win-private-assemblies`` and
    +  ``--win-no-prefer-redirects``.
    +  The corresponding arguments to ``Analysis`` are deprecated and raise and
    +  error if set to ``True``. (:issue:`7784`)
    +* (Windows) Removed support for analyzing and collection of dependencies
    +  referenced via WinSxS (side-by-side) assemblies. This affects binaries
    +  compiled with Visual Studio 2008 and earlier, as VC9 run-time was the
    +  last version to make use of WinSxS. If you require support for such
    +  binaries and you need referenced WinSxS binaries collected with your
    +  application, use older version of PyInstaller. (:issue:`7784`)
    +* (Windows) Removed support for external application manifest in onedir
    +  builds. Removed the ``--no-embed-manifest`` command-line option and
    +  deprecated the corresponding ``embed_manifest`` argument to ``EXE``
    +  to raise an error if set to ``False``. (:issue:`7784`)
    +* All of onedir build's contents except for the executable are now moved into a
    +  sub-directory (called ``_internal`` by default). ``sys._MEIPASS`` is adjusted
    +  to
    +  point to this ``_internal`` directory. The breaking implications for this
    +  are:
    +
    +  * Assumptions that ``os.path.dirname(sys.executable) == sys._MEIPASS`` will
    +    break. Code locating application resources using
    +    ``os.path.dirname(sys.executable)`` should be adjusted to use ``__file__``
    +    or ``sys._MEIPASS`` and any code locating the original executable using
    +    ``sys._MEIPASS`` should use :data:`sys.executable` directly.
    +
    +  * Any custom post processing steps (either in the ``.spec`` file or
    +    externally) which modify the bundle will likely need adjusting to
    +    accommodate the new directory. (:issue:`7713`)
    +* PyInstaller-frozen applications are not affected by the :envvar:`PYTHONUTF8`
    +  environment variable anymore. To permanently enable or disable the UTF8 mode,
    +  use the ``X utf8_mode=1`` or ``X utf_mode=0`` :ref:`run-time option
    +  <specifying python interpreter options>` when building the application.
    +  (:issue:`7847`)
    +* Remove bytecode encryption (``--key`` and ``cipher`` options).
    +  (:issue:`6999`)
    +* Remove the ``--ascii`` command-line option, which is an effective no-op under
    +  python 3; the :mod:`codecs` module is always collected due to being listed
    +  among the base modules. (:issue:`7801`)
    +* Remove the built-in attempt at collection of data files from packages
    +  that are installed as python eggs. Collection of all non-python resources
    +  from packages should be handled in the standardized way via hooks,
    +  regardless of how a package is installed. (:issue:`7784`)
    +* Remove support for zipped eggs. PyInstaller will not collect python code nor
    +  resources from zipped eggs, nor will it collect zipped eggs as a whole.
    +  (:issue:`7784`)
    +* Remove the ``requirements_for_package`` hook utility function, which was
    +  primarily used by :func:`~PyInstaller.utils.hooks.collect_all`; the latter
    +  does not include the top-level modules of metadata-declared requirements among
    +  the returned hidden imports anymore. (:issue:`7943`)
    +* The :func:`PyInstaller.utils.hooks.collect_data_files` hook utility helper
    +  does not collect ``.pyc`` files from ``__pycache__`` directories anymore, even
    +  with ``include_py_files=True`` argument. (:issue:`7943`)
    +* The :func:`PyInstaller.utils.hooks.is_module_satisfies` helper does not
    +  support the ``version`` and ``version_attribute`` arguments anymore; the
    +  function will raise an error if they are specified. If the distribution
    +  specified in the ``requirements`` string is not found, the function will not
    +  attempt to import the eponymous module and read its version attribute anymore.
    +  (:issue:`7943`)
    +* The collection of "py files", enabled by the ``include_py_files=True``
    +  argument to the :func:`PyInstaller.utils.hooks.collect_data_files` hook
    +  utility function, is now restricted to only ``.py`` and ``.pyc`` files.
    +  Previously, all suffices from :func:`importlib.machinery.all_suffixes` were
    +  enabled, which resulted in spurious collection of dynamic libraries and
    +  extensions (due to ``.so``, ``.abi3.so``, ``.pyd``, etc. being among those
    +  suffices). (:issue:`7943`)
    +
    +
    +Bootloader
    +~~~~~~~~~~
    +
    +* (Linux, macOS) When extracting files from ``onefile`` archive, the
    +  executable bit is now set only on binaries (files whose TOC type code
    +  was either ``BINARY``, ``EXECUTABLE``, or ``EXTENSION``) or data files
    +  that originally had the executable bit set. Therefore, binaries are now
    +  extracted with permissions bits set to ``0700``, while all other files
    +  have permissions bits set to ``0600``. (:issue:`7950`)
    +* Use `PEP 587 Python Initialization Configuration API
    +  <https://peps.python.org/pep-0587>`_ to configure the embedded Python
    +  interpreter. (:issue:`7847`)
    +
    +
    +PyInstaller Core
    +~~~~~~~~~~~~~~~~
    +
    +* (Windows) The temporary/intermediate executable files are not generated
    +  with ``.notanexecutable`` suffix anymore, as the retry mechanism from
    +  :issue:`7840` and :issue:`7871` is now the preferred way of dealing with
    +  anti-virus program interference during the build. (:issue:`7871`)
    +* Avoid collecting ``pathlib`` and ``tokenize`` (and their dependencies,
    +  such as ``urllib``) into ``base_library.zip``. By collecting them into
    +  PYZ archive, only submodules that the application really requires can
    +  be collected, which helps reducing the size of applications that, for
    +  example, do not require the full ``urllib`` package. (:issue:`7836`)
    +* Drop support for end of life Python 3.7. (:issue:`7733`)
    +
    +
    +Bootloader build
    +~~~~~~~~~~~~~~~~
    +
    +* To enable the passing of extra arguments to the bootloader compiler during
    +  installation via pip,
    +  you can utilize the environment variable ``PYINSTALLER_BOOTLOADER_WAF_ARGS``.
    +  However,
    +  it is essential to ensure that the environment variable
    +  ``PYINSTALLER_COMPILE_BOOTLOADER``
    +  is present for this functionality to work correctly. (:issue:`7796`)
    +
    +
     5.13.2 (2023-08-29)
     -------------------
     
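Review bot: under "Incompatible Changes", the entry "Remove bytecode encryption (``--key`` and ``cipher`` options)" is a single line that does not say what happens to a build that still passes those options, whereas the neighbouring WinSxS and manifest entries state that the old arguments raise an error; say whether ``--key`` and ``cipher`` now fail the build or are ignored, so users know what to change in existing spec files. Smaller fixes in the same hunk: "only the the program executable", "``pywin32`` directories, of available" (should read "if"), "are deprecated and raise and error" (should read "an"), the unclosed parenthesis after ``QtQuick/Controls.2``, and ``X utf_mode=0``, which does not match ``X utf8_mode=1`` in the same sentence.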
    @@ -151,7 +450,7 @@ Bugfix
       ``PySide6`` run-time hooks. These paths, set via ``QT_PLUGIN_PATH`` and
       ``QML2_IMPORT_PATH`` environment variables, are used with ``PySide2``
       and ``PySide6`` builds that that use system-wide Qt installation and
    -  are not portable by default (e.g., Homebrew). (:issue:`7649`)
    +  are not portable by default (e.g. Homebrew). (:issue:`7649`)
     * (macOS) When rewriting the dylib identifier and paths to linked
       libraries in a collected binary, instead of directly using
       ``@loader_path``-based path, use ``@rpath``-based path and replace
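Review bot: the only change here is "e.g.," to "e.g." in an entry that sits below the newly added 6.0.0 section, that is, in the notes of an earlier release, and the context line directly above it still reads "builds that that use system-wide Qt installation". Either leave the older notes untouched in a release commit, or fix the doubled "that" in the same edit. The new 6.0.0 text itself uses both "e.g.," and "e.g.", so the punctuation change does not make the file consistent.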
    
  • doc/CREDITS.rst +15 -0 modified
    @@ -5,6 +5,21 @@ Thanks goes to all the kind PyInstaller contributors who have contributed
     new code, bug reports, fixes, comments and ideas. A brief list follows,
     please let us know if your name is omitted by accident:
     
    +Contributions to PyInstaller 6.0.0
    +----------------------------------
    +
    +* Rok Mandeljc
    +* Brénainn Woodsend
    +* Benedikt Würkner
    +* Blank
    +* Brandon
    +* James Gerity
    +* Lorenzo Villani
    +* axoroll7
    +* byehack
    +* coolcatco888
    +* gentlegiantJGC
    +
     Contributions to PyInstaller 5.13.2
     -----------------------------------
     
    
  • doc/pyi-makespec.1 +37 -30 modified
    @@ -1,6 +1,6 @@
     .\" Man page generated from reStructuredText.
     .
    -.TH "PYI-MAKESPEC" "1" "2023-08-29" "5.13.2" "PyInstaller"
    +.TH "PYI-MAKESPEC" "1" "2023-09-22" "6.0.0" "PyInstaller"
     .SH NAME
     pyi-makespec \- Create a spec file for your PyInstaller project
     .
    @@ -90,20 +90,36 @@ Folder to store the generated spec file (default: current directory)
     .BI \-n \ NAME\fR,\fB \ \-\-name \ NAME
     Name to assign to the bundled app and spec file (default: first script\(aqs
     basename)
    +.TP
    +.BI \-\-contents\-directory \ CONTENTS_DIRECTORY
    +For onedir builds only, specify the name of the directory in which all
    +supporting files (i.e. everything except the executable itself) will be
    +placed in.
     .UNINDENT
     .SS What To Bundle, Where To Search
    +.sp
    +\-\-add\-data SOURCE:DEST
     .INDENT 0.0
    -.TP
    -.BI \-\-add\-data \ <SRC;DEST or SRC:DEST>
    -Additional non\-binary files or folders to be added to the executable. The
    -path separator is platform specific, \fBos.pathsep\fP (which is \fB;\fP on
    -Windows and \fB:\fP on most unix systems) is used. This option can be used
    -multiple times.
    -.TP
    -.BI \-\-add\-binary \ <SRC;DEST or SRC:DEST>
    +.INDENT 3.5
    +Additional data files or directories containing data files to be added to
    +the application. The argument value should be in form of "source:dest_dir",
    +where source is the path to file (or directory) to be collected, dest_dir
    +is the destination directory relative to the top\-level application
    +directory, and both paths are separated by a colon (:). To put a file in
    +the top\-level application directory, use . as a dest_dir. This option can
    +be used multiple times.
    +.UNINDENT
    +.UNINDENT
    +.sp
    +\-\-add\-binary SOURCE:DEST
    +.INDENT 0.0
    +.INDENT 3.5
     Additional binary files to be added to the executable. See the
    -\fB\-\-add\-data\fP option for more details. This option can be used multiple
    +\fB\-\-add\-data\fP option for the format. This option can be used multiple
     times.
    +.UNINDENT
    +.UNINDENT
    +.INDENT 0.0
     .TP
     .BI \-p \ DIR\fR,\fB \ \-\-paths \ DIR
     A path to search for imports (like using PYTHONPATH). Multiple paths are
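Review bot: the rewritten \-\-add\-data text documents only the colon form ("both paths are separated by a colon (:)") and drops the old os.pathsep sentence, but the 6.0.0 changelog entry in this same commit says ``--add-data=source;dest`` continues to work on Windows and is merely discouraged. Add one sentence to the option text saying that ";" is still accepted on Windows for backwards compatibility, so the man page and the changelog agree.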
    @@ -210,6 +226,17 @@ Windows and Mac OS X: do not provide a console window for standard i/o. On
     Mac OS this also triggers building a Mac OS .app bundle. On Windows this
     option is automatically set if the first script is a \(aq.pyw\(aq file. This
     option is ignored on *NIX systems.
    +.UNINDENT
    +.sp
    +\-\-hide\-console {hide\-early,minimize\-early,hide\-late,minimize\-late}
    +.INDENT 0.0
    +.INDENT 3.5
    +Windows only: in console\-enabled executable, have bootloader automatically
    +hide or minimize the console window if the program owns the console window
    +(i.e., was not launched from an existing console window).
    +.UNINDENT
    +.UNINDENT
    +.INDENT 0.0
     .TP
     .BI \-i \ <FILE.ico or FILE.exe,ID or FILE.icns or Image or "NONE">\fR,\fB \ \-\-icon \ <FILE.ico or FILE.exe,ID or FILE.icns or Image or "NONE">
     FILE.ico: apply the icon to a Windows executable. FILE.exe,ID: extract the
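Review bot: the \-\-hide\-console description lists four values (hide\-early, minimize\-early, hide\-late, minimize\-late) but never says what distinguishes the "early" variants from the "late" ones, so a reader cannot choose between them from this text. Add a sentence stating at which point in startup each pair takes effect.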
    @@ -234,11 +261,6 @@ Add a version resource from FILE to the exe.
     .BI \-m \ <FILE or XML>\fR,\fB \ \-\-manifest \ <FILE or XML>
     Add manifest FILE or XML to the exe.
     .TP
    -.B \-\-no\-embed\-manifest
    -Generate an external .exe.manifest file instead of embedding the manifest
    -into the exe. Applicable only to onedir mode; in onefile mode, the manifest
    -is always embedded, regardless of this option.
    -.TP
     .BI \-r \ RESOURCE\fR,\fB \ \-\-resource \ RESOURCE
     Add or update a resource to a Windows executable. The RESOURCE is one to
     four items, FILE[,TYPE[,NAME[,LANGUAGE]]]. FILE can be a data file or an
    @@ -257,21 +279,6 @@ application start.
     Using this option allows an elevated application to work with Remote
     Desktop.
     .UNINDENT
    -.SS Windows Side\-By\-Side Assembly Searching Options (Advanced)
    -.INDENT 0.0
    -.TP
    -.B \-\-win\-private\-assemblies
    -Any Shared Assemblies bundled into the application will be changed into
    -Private Assemblies. This means the exact versions of these assemblies will
    -always be used, and any newer versions installed on user machines at the
    -system level will be ignored.
    -.TP
    -.B \-\-win\-no\-prefer\-redirects
    -While searching for Shared or Private Assemblies to bundle into the
    -application, PyInstaller will prefer not to follow policies that redirect
    -to newer versions, and will try to bundle the exact versions of the
    -assembly.
    -.UNINDENT
     .SS Mac Os Specific Options
     .INDENT 0.0
     .TP
    
  • doc/pyinstaller.1 +38 -34 modified
    @@ -1,6 +1,6 @@
     .\" Man page generated from reStructuredText.
     .
    -.TH "PYINSTALLER" "1" "2023-08-29" "5.13.2" "PyInstaller"
    +.TH "PYINSTALLER" "1" "2023-09-22" "6.0.0" "PyInstaller"
     .SH NAME
     pyinstaller \- Configure and build a PyInstaller project in one run
     .
    @@ -43,7 +43,7 @@ PyInstaller is a program that freezes (packages) Python programs into
     stand\-alone executables, under Windows, GNU/Linux, macOS,
     FreeBSD, OpenBSD, Solaris and AIX.
     Its main advantages over similar tools are that PyInstaller works with
    -Python 3.7\-3.11, it builds smaller executables thanks to transparent
    +Python 3.8\-3.11, it builds smaller executables thanks to transparent
     compression, it is fully multi\-platform, and use the OS support to load the
     dynamic libraries, thus ensuring full compatibility.
     .sp
    @@ -87,9 +87,6 @@ for confirmation
     .BI \-\-upx\-dir \ UPX_DIR
     Path to UPX utility (default: search the execution path)
     .TP
    -.B \-a\fP,\fB  \-\-ascii
    -Do not include unicode encoding support (default: included if available)
    -.TP
     .B \-\-clean
     Clean PyInstaller cache and remove temporary files before building.
     .TP
    @@ -113,20 +110,36 @@ Folder to store the generated spec file (default: current directory)
     .BI \-n \ NAME\fR,\fB \ \-\-name \ NAME
     Name to assign to the bundled app and spec file (default: first script\(aqs
     basename)
    +.TP
    +.BI \-\-contents\-directory \ CONTENTS_DIRECTORY
    +For onedir builds only, specify the name of the directory in which all
    +supporting files (i.e. everything except the executable itself) will be
    +placed in.
     .UNINDENT
     .SS What To Bundle, Where To Search
    +.sp
    +\-\-add\-data SOURCE:DEST
     .INDENT 0.0
    -.TP
    -.BI \-\-add\-data \ <SRC;DEST or SRC:DEST>
    -Additional non\-binary files or folders to be added to the executable. The
    -path separator is platform specific, \fBos.pathsep\fP (which is \fB;\fP on
    -Windows and \fB:\fP on most unix systems) is used. This option can be used
    -multiple times.
    -.TP
    -.BI \-\-add\-binary \ <SRC;DEST or SRC:DEST>
    +.INDENT 3.5
    +Additional data files or directories containing data files to be added to
    +the application. The argument value should be in form of "source:dest_dir",
    +where source is the path to file (or directory) to be collected, dest_dir
    +is the destination directory relative to the top\-level application
    +directory, and both paths are separated by a colon (:). To put a file in
    +the top\-level application directory, use . as a dest_dir. This option can
    +be used multiple times.
    +.UNINDENT
    +.UNINDENT
    +.sp
    +\-\-add\-binary SOURCE:DEST
    +.INDENT 0.0
    +.INDENT 3.5
     Additional binary files to be added to the executable. See the
    -\fB\-\-add\-data\fP option for more details. This option can be used multiple
    +\fB\-\-add\-data\fP option for the format. This option can be used multiple
     times.
    +.UNINDENT
    +.UNINDENT
    +.INDENT 0.0
     .TP
     .BI \-p \ DIR\fR,\fB \ \-\-paths \ DIR
     A path to search for imports (like using PYTHONPATH). Multiple paths are
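Review bot: The new --add-data text says both paths are separated by a colon and drops the removed wording about the platform-specific separator, so a Windows reader can no longer tell whether the older SRC;DEST form is still accepted. Add one sentence saying whether ';' remains valid on Windows or is deprecated. In the same hunk, the --contents-directory entry ends "will be placed in.", where the trailing "in" should go, and --add-binary still says "added to the executable" while --add-data now says "added to the application"; pick one.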
    @@ -233,6 +246,17 @@ Windows and Mac OS X: do not provide a console window for standard i/o. On
     Mac OS this also triggers building a Mac OS .app bundle. On Windows this
     option is automatically set if the first script is a \(aq.pyw\(aq file. This
     option is ignored on *NIX systems.
    +.UNINDENT
    +.sp
    +\-\-hide\-console {hide\-early,minimize\-early,hide\-late,minimize\-late}
    +.INDENT 0.0
    +.INDENT 3.5
    +Windows only: in console\-enabled executable, have bootloader automatically
    +hide or minimize the console window if the program owns the console window
    +(i.e., was not launched from an existing console window).
    +.UNINDENT
    +.UNINDENT
    +.INDENT 0.0
     .TP
     .BI \-i \ <FILE.ico or FILE.exe,ID or FILE.icns or Image or "NONE">\fR,\fB \ \-\-icon \ <FILE.ico or FILE.exe,ID or FILE.icns or Image or "NONE">
     FILE.ico: apply the icon to a Windows executable. FILE.exe,ID: extract the
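Review bot: The --hide-console entry lists four values (hide-early, minimize-early, hide-late, minimize-late) but the description never says what separates the early variants from the late ones. Add a sentence defining when each takes effect, so the choice is not left to trial and error.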
    @@ -257,11 +281,6 @@ Add a version resource from FILE to the exe.
     .BI \-m \ <FILE or XML>\fR,\fB \ \-\-manifest \ <FILE or XML>
     Add manifest FILE or XML to the exe.
     .TP
    -.B \-\-no\-embed\-manifest
    -Generate an external .exe.manifest file instead of embedding the manifest
    -into the exe. Applicable only to onedir mode; in onefile mode, the manifest
    -is always embedded, regardless of this option.
    -.TP
     .BI \-r \ RESOURCE\fR,\fB \ \-\-resource \ RESOURCE
     Add or update a resource to a Windows executable. The RESOURCE is one to
     four items, FILE[,TYPE[,NAME[,LANGUAGE]]]. FILE can be a data file or an
    @@ -280,21 +299,6 @@ application start.
     Using this option allows an elevated application to work with Remote
     Desktop.
     .UNINDENT
    -.SS Windows Side\-By\-Side Assembly Searching Options (Advanced)
    -.INDENT 0.0
    -.TP
    -.B \-\-win\-private\-assemblies
    -Any Shared Assemblies bundled into the application will be changed into
    -Private Assemblies. This means the exact versions of these assemblies will
    -always be used, and any newer versions installed on user machines at the
    -system level will be ignored.
    -.TP
    -.B \-\-win\-no\-prefer\-redirects
    -While searching for Shared or Private Assemblies to bundle into the
    -application, PyInstaller will prefer not to follow policies that redirect
    -to newer versions, and will try to bundle the exact versions of the
    -assembly.
    -.UNINDENT
     .SS Mac Os Specific Options
     .INDENT 0.0
     .TP
    
  • news/4361.bugfix.rst+0 2 removed
    @@ -1,2 +0,0 @@
    -(macOS) ``QtWebEngine`` now works in ``onefile`` builds (previously
    -available only in ``onedir`` builds).
    
  • news/4482.feature.rst+0 2 removed
    @@ -1,2 +0,0 @@
    -Allow spec files to take command line parameters. See :ref:`adding parameters to
    -spec files <spec_parameters>`.
    
  • news/5409.bugfix.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -(macOS) The main process in a program that uses ``QtWebEngine`` is
    -not mis-identified as ``QtWebEngineCore`` anymore in the application's
    -menu bar. This applies to ``onedir`` POSIX program builds (i.e., the
    -.app bundles were not affected by this).
    
  • news/5560.bugfix.rst+0 6 removed
    @@ -1,6 +0,0 @@
    -(Windows) Prevent PyInstaller's binary dependency analysis from looking
    -for shared libraries in all ``sys.path`` locations. Instead, search
    -only ``sys.base_prefix`` and ``pywin32`` directories, of available.
    -This, for example,  prevents PyInstaller from picking up incompatible
    -DLLs from system-installed programs that happen to put their installation
    -directory into system-wide ``PYTHONPATH``.
    
  • news/5710.bugfix.rst+0 6 removed
    @@ -1,6 +0,0 @@
    -(macOS) Fix the shared library duplication problem where a shared library
    -that is also referred to via its symbolic links (e.g., a shared library
    -``libwx_baseu-3.1.5.0.0.dylib`` with symbolic links
    -``libwx_baseu-3.1.5.dylib`` and ``libwx_baseu-3.0.dylib``) ends up
    -collected as duplicates and consequently crashes the program.
    -The symbolic links should now be preserved, thus avoiding the problem.
    
  • news/6724.feature.rst+0 5 removed
    @@ -1,5 +0,0 @@
    -(Windows) The :option:`--add-data` and :option:`--add-binary` options accept the
    -POSIX syntax of ``--add-data=source:dest`` rather than
    -``--add-data=source;dest``. The latter will continue to work on Windows to avoid
    -breaking backwards compatibility but is discouraged in favour of the now cross
    -platform format.
    
  • news/6999.breaking.rst+0 1 removed
    @@ -1 +0,0 @@
    -Remove bytecode encryption (``--key`` and ``cipher`` options).
    
  • news/7347.bugfix.rst+0 3 removed
    @@ -1,3 +0,0 @@
    -(Windows) Remove the use of deprecated ``distutils.sysconfig`` module.
    -The import of this module seems to cause the python process to crash
    -when ``tensorflow`` is subsequently imported during import analysis.
    
  • news/7619.breaking.1.rst+0 9 removed
    @@ -1,9 +0,0 @@
    -(macOS) Due to relocation of all dynamic libraries into directory
    -structure rooted in the ``Contents/Frameworks`` directory, the
    -``sys._MEIPASS`` variable as well as the ``os.path.dirname(__file__)``
    -in the entry-point script now point to ``Contents/Frameworks`` instead of
    -``Contents/MacOS``, while ``os.path.dirname(sys.executable)`` continues
    -to point to the ``Contents/MacOS`` directory. The behavior change applies
    -only to ``onedir`` .app bundles (in ``onefile`` ones, ``sys._MEIPASS``
    -and ``__file__`` of the entry-point script have always pointed to the
    -temporary extraction directory and continue to do so).
    
  • news/7619.breaking.rst+0 7 removed
    @@ -1,7 +0,0 @@
    -(macOS) The changes made to the macOS .app bundle generation code and the
    -resulting .app bundle structure (strict relocation of binaries to
    -``Contents/Frameworks`` and data files to ``Contents/Resources``,
    -bi-directional cross-linking between ``Contents/Frameworks`` and
    -``Contents/Resources``, preservation of nested .framework bundles,
    -automatic work-around for dots in directory names) are likely
    -incompatible with existing (external) post-processing scripts.
    
  • news/7619.bugfix.1.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -(macOS) Sandboxing for ``QtWebEngine`` in ``PySide6`` and ``PyQt6`` is
    -not disabled anymore by the corresponding run-time hooks
    -(see :issue:`6903`), as it should work out-of-the-box thanks to PyInstaller
    -now preserving the structure of the ``QtWebEngineCore.framework`` bundle.
    
  • news/7619.bugfix.2.rst+0 9 removed
    @@ -1,9 +0,0 @@
    -(macOS) In generated .app bundles, the source .py files are now again
    -relocated to ``Contents/Resources`` directory (and cross-linked into
    -``Contents/Frameworks``), which ensures that code-signing does not
    -store signatures into the files' extended attributes. This reverts the
    -exemption made in :issue:`7180` to accommodate the ``cv2`` loader script;
    -the problem is now solved by cross-linking binaries from
    -``Contents/Frameworks`` to ``Contents/Resources``, which allows the
    -loader to find the extension binary (or rather, a symbolic link to it)
    -next to the .py file.
    
  • news/7619.bugfix.3.rst+0 11 removed
    @@ -1,11 +0,0 @@
    -(macOS) In generated .app bundles, the data files from ``PySide2``,
    -``PySide6``, ``PyQt5``, or ``PyQt6`` directory are now relocated to
    -the directory structure rooted in ``Contents/Resources`` to ensure
    -compliance with code-signing requirements. The content cross-linking
    -between ``Contents/Resources`` and ``Contents/Frameworks`` should ensure
    -that ``QML`` components in the ``qml`` sub-directory continue to work in
    -spite of plugins (shared libraries) being technically separated from
    -their corresponding metadata files. The automatic-work around for directories
    -with dots in names should prevent code-signing issues due to some ``QML``
    -components in Qt5 having dot in their names (e.g., ``QtQuick.2`` and
    -``QtQuick/Controls.2``.
    
  • news/7619.bugfix.rst+0 6 removed
    @@ -1,6 +0,0 @@
    -Fix file duplication when collecting a file and symbolic links pointing
    -at it; with new symbolic link support, the symbolic links are now
    -properly preserved. This should help reducing the size of builds made
    -on Linux and macOS with Anaconda, which provides versioned symbolic
    -links for packaged shared libraries, and PyInstaller tends to collect
    -them all due to hook helper based on the packages' metadata.
    
  • news/7619.feature.1.rst+0 8 removed
    @@ -1,8 +0,0 @@
    -(non-Windows) PyInstaller now attempts to preserve the parent directory
    -structure for shared libraries discovered and collected by the binary
    -dependency analysis, instead of automatically collecting them into the
    -top-level application directory. Due to library search path assumptions
    -made in various places, symbolic links to collected libraries are created
    -in the top-level application directory. This complements earlier work
    -(:issue:`7028`) that implemented DLL parent directory structure
    -preservation on Windows.
    
  • news/7619.feature.2.rst+0 10 removed
    @@ -1,10 +0,0 @@
    -(macOS) PyInstaller now attempts to preserve the .framework bundles when
    -collecting shared libraries from them. If a shared library is to be
    -collected from a .framework bundle, the ``Info.plist`` is also
    -automatically collected. The .framework bundle collection code also
    -attempts to fix the bundles' structure to conform to code-signing
    -requirements (i.e., creation of the ``Current`` symbolic link in the
    -``Versions`` directory, and top-level contents being symbolic links that
    -point to counterparts in the ``Versions/Current`` directory). Note that
    -other resources (for example from ``Resources`` or ``Helpers`` directories)
    -still need to be explicitly collected by hooks.
    
  • news/7619.feature.3.rst+0 16 removed
    @@ -1,16 +0,0 @@
    -(macOS) The file relocation mechanism in ``BUNDLE`` that generates
    -macOS .app bundles has been completely redesigned. All data files are
    -now placed into directory structure rooted in ``Contents/Resources``,
    -all shared libraries (as well as nested .framework bundles) are placed
    -into directory structure rooted in ``Contents/Frameworks``, and only
    -the the program executable is placed into the ``Contents/MacOS``
    -directory. The contents of ``Contents/Resources`` and ``Contents/Frameworks``
    -directories are cross-linked between the two directory trees in
    -order to maintain illusion of mixed-content directories (in both
    -directory trees). The cross-linking is done at either file level or
    -(sub)directory level, depending on the content type of a (sub)directory.
    -For directories in ``Contents/Frameworks`` that contain a dot in the name,
    -a work-around is automatically applied: the directory is created with a
    -modified name that does not include the dot, and next to it, a symbolic
    -link is created under the original name and pointing to the directory
    -with modified name.
    
  • news/7619.feature.4.rst+0 10 removed
    @@ -1,10 +0,0 @@
    -Add automatic binary vs. data file (re)classification step to the
    -analysis process. PyInstaller now inspects all files passed to ``Analysis``
    -via ``datas`` and ``binaries`` arguments, as well as all files returned
    -by hooks via ``datas`` and ``binaries`` hook global variables. The
    -inspection mechanism is platform-specific, and currently implemented for
    -Windows, Linux, and macOS. Proper file classification ensures that all
    -collected binary files undergo binary dependency analysis and any other
    -platform-specific binary processing. On macOS, it also helps ensuring
    -that the collected files are placed in the proper directory in the
    -generated .app bundles.
    
  • news/7619.feature.rst+0 7 removed
    @@ -1,7 +0,0 @@
    -Implement support for creating symbolic links from special ``'SYMLINK'``
    -TOC entries, either at build-time (``onedir`` mode) or at run-time
    -(``onefile`` mode). Implement symbolic link preservation support in
    -the analysis process; if a file and a symbolic link pointing to it are
    -both to be collected, and if their relative relationship is preserved
    -in the frozen application, the symbolic link is collected as a ``'SYMLINK'``
    -entry.
    
  • news/7713.breaking.rst+0 13 removed
    @@ -1,13 +0,0 @@
    -All of onedir build's contents except for the executable are now moved into a
    -sub-directory (called ``_internal`` by default). ``sys._MEIPASS`` is adjusted to
    -point to this ``_internal`` directory. The breaking implications for this are:
    -
    -* Assumptions that ``os.path.dirname(sys.executable) == sys._MEIPASS`` will
    -  break. Code locating application resources using
    -  ``os.path.dirname(sys.executable)`` should be adjusted to use ``__file__``
    -  or ``sys._MEIPASS`` and any code locating the original executable using
    -  ``sys._MEIPASS`` should use :data:`sys.executable` directly.
    -
    -* Any custom post processing steps (either in the ``.spec`` file or
    -  externally) which modify the bundle will likely need adjusting to
    -  accommodate the new directory.
    
  • news/7713.feature.rst+0 5 removed
    @@ -1,5 +0,0 @@
    -Restructure onedir mode builds so that everything except the executable (and
    -``.pkg`` if you're using external PYZ archive mode) are hidden inside a
    -sub-directory. This sub-directory's name defaults to ``_internal`` but may be
    -configured with the new :option:`--contents-directory` option. Onefile
    -applications and macOS ``.app`` bundles are unaffected.
    
  • news/7729.feature.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -(Windows) Add an option to hide or minimize the console window in
    -console-enabled applications, but only if the program's process owns
    -the console window (i.e., the program was not launched from an existing
    -console window).
    
  • news/7733.core.rst+0 1 removed
    @@ -1 +0,0 @@
    -Drop support for end of life Python 3.7.
    
  • news/7784.breaking.1.rst+0 6 removed
    @@ -1,6 +0,0 @@
    -(Windows) Removed support for analyzing and collection of dependencies
    -referenced via WinSxS (side-by-side) assemblies. This affects binaries
    -compiled with Visual Studio 2008 and earlier, as VC9 run-time was the
    -last version to make use of WinSxS. If you require support for such
    -binaries and you need referenced WinSxS binaries collected with your
    -application, use older version of PyInstaller.
    
  • news/7784.breaking.2.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -(Windows) Removed command-line options related to processing of the
    -WinSxS assemblies: ``--win-private-assemblies`` and ``--win-no-prefer-redirects``.
    -The corresponding arguments to ``Analysis`` are deprecated and raise and
    -error if set to ``True``.
    
  • news/7784.breaking.3.rst+0 3 removed
    @@ -1,3 +0,0 @@
    -Removed support for zipped eggs. PyInstaller will not collect python
    -code nor resources from zipped eggs, nor will it collect zipped eggs
    -as a whole.
    
  • news/7784.breaking.4.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -Remove the built-in attempt at collection of data files from packages
    -that are installed as python eggs. Collection of all non-python resources
    -from packages should be handled in the standardized way via hooks,
    -regardless of how a package is installed.
    
  • news/7784.breaking.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -(Windows) Removed support for external application manifest in onedir
    -builds. Removed the ``--no-embed-manifest`` command-line option and
    -deprecated the corresponding ``embed_manifest`` argument to ``EXE``
    -to raise an error if set to ``False``.
    
  • news/7796.build.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -To enable the passing of extra arguments to the bootloader compiler during installation via pip, 
    
    -you can utilize the environment variable ``PYINSTALLER_BOOTLOADER_WAF_ARGS``. However, 
    
    -it is essential to ensure that the environment variable ``PYINSTALLER_COMPILE_BOOTLOADER``
    
    -is present for this functionality to work correctly.
    \ No newline at end of file
    
  • news/7801.breaking.rst+0 3 removed
    @@ -1,3 +0,0 @@
    -Remove the ``--ascii`` command-line option, which is an effective no-op
    -under python 3; the ``codecs`` module is always collected due to being
    -listed among the base modules.
    
  • news/7807.breaking.rst+0 3 removed
    @@ -1,3 +0,0 @@
    -(Linux) Removed support for building LSB-compliant bootloader, due to
    -lack of support for LSB (Linux Standard Base) in contemporary linux
    -distributions.
    
  • news/7836.core.rst+0 5 removed
    @@ -1,5 +0,0 @@
    -Avoid collecting ``pathlib`` and ``tokenize`` (and their dependencies,
    
    -such as ``urllib``) into ``base_library.zip``. By collecting them into
    
    -PYZ archive, only submodules that the application really requires can
    
    -be collected, which helps reducing the size of applications that, for
    
    -example, do not require the full ``urllib`` package.
    
    
  • news/7847.bootloader.rst+0 3 removed
    @@ -1,3 +0,0 @@
    -Use `PEP 587 Python Initialization Configuration API
    -<https://peps.python.org/pep-0587>`_ to configure the embedded Python
    -interpreter.
    
  • news/7847.breaking.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -PyInstaller-frozen applications are not affected by the ``PYTHONUTF8``
    -environment variable anymore. To permanently enable or disable the
    -UTF8 mode, use the ``X utf8_mode=1`` or ``X utf_mode=0`` :ref:`run-time
    -option <specifying python interpreter options>` when building the application.
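Review bot: In the third line the two option spellings disagree, "X utf8_mode=1" versus "X utf_mode=0"; the second looks like a typo for utf8_mode=0. This fragment is deleted here, so fix the spelling wherever the text is carried over, otherwise the documented way to disable UTF-8 mode does not match the documented way to enable it.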
    
  • news/7847.feature.1.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -Add support for specifying hash randomization seed via ``hash_seed=<value>``
    -:ref:`run-time option <specifying python interpreter options>` when building the
    -application. This allows the application to use a fixed seed value or disable
    -hash randomization altogether by using seed value of 0.
    
  • news/7847.feature.rst+0 3 removed
    @@ -1,3 +0,0 @@
    -Implement pass-through for `Python's X-options
    -<https://docs.python.org/3/using/cmdline.html#cmdoption-X>`_ via
    -PyInstaller's :ref:`run-time options mechanism <specifying python interpreter options>`.
    
  • news/7871.core.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -(Windows) The temporary/intermediate executable files are not generated
    -with ``.notanexecutable`` suffix anymore, as the retry mechanism from
    -:issue:`7840` and :issue:`7871` is now the preferred way of dealing with
    -anti-virus program interference during the build.
    
  • news/7871.feature.rst+0 6 removed
    @@ -1,6 +0,0 @@
    -Extend the operation retry mechanism that was initially introduced by
    -:issue:`7840` to cover all processing steps that are performed during
    -assembly of a Windows executable. This attempts to mitigate the
    -interference from anti-virus programs and other security tools, which
    -may temporarily block write access to the executable for a scan between
    -individual processing steps.
    
  • news/7874.bugfix.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -(Windows) Avoid aborting the build process if machine type (architecture)
    -cannot be determined for a DLL in a candidate search path; instead, skip
    -over such files, and search in other candidate paths. Fixes build errors
    -when a search path contains an invalid DLL file (for example, a stub file).
    \ No newline at end of file
    
  • news/7921.bugfix.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -Fix incompatibility between PyInstaller's frozen importer
    -(``PyiFrozenImporter``) and ``importlib.resources`` when trying
    -to look up the resources of a collected namespace package via
    -``importlib.resources.files()``.
    
  • news/7938.bugfix.rst+0 3 removed
    @@ -1,3 +0,0 @@
    -When copying files into ``onedir`` application bundles, use
    -:func:`shutil.copyfile` instead of :func:`shutil.copy2` to avoid issues
    -with original permissions/metadata being too restrictive.
    
  • news/7943.breaking.1.rst+0 7 removed
    @@ -1,7 +0,0 @@
    -The collection of "py files", enabled by the ``include_py_files=True``
    -argument to the :func:`PyInstaller.utils.hooks.collect_data_files` hook
    -utility function, is now restricted to only ``.py`` and ``.pyc`` files.
    -Previously, all suffices from ``importlib.machinery.all_suffices``were
    -enabled, which resulted in spurious collection of dynamic libraries and
    -extensions (due to ``.so``, ``.abi3.so``, ``.pyd``, etc. being among
    -those suffices).
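Review bot: Line 4 cites importlib.machinery.all_suffices and runs it into the following word ("all_suffices``were"); the standard-library function is importlib.machinery.all_suffixes(), and "suffices" in lines 4 and 7 should read "suffixes". Correct both in whatever copy of this text survives the fragment's removal.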
    
  • news/7943.breaking.2.rst+0 3 removed
    @@ -1,3 +0,0 @@
    -The :func:`PyInstaller.utils.hooks.collect_data_files` hook utility
    -helper does not collect ``.pyc`` files from ``__pycache__`` directories
    -anymore, even with ``include_py_files=True`` argument.
    
  • news/7943.breaking.3.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -Removed the ``requirements_for_package`` hook utility function, which
    -was primarily used by :func:`collect_all`; the latter does not include
    -the top-level modules of metadata-declared requirements among the
    -returned hidden imports anymore.
    
  • news/7943.breaking.rst+0 6 removed
    @@ -1,6 +0,0 @@
    -The :func:`PyInstaller.utils.hooks.is_module_satisfies` helper does not
    -support the ``version`` and ``version_attribute`` arguments anymore; the
    -function will raise an error if they are specified. If the distribution
    -specified in the ``requirements`` string is not found, the function will
    -not attempt to import the eponymous module and read its version attribute
    -anymore.
    
  • news/7943.feature.1.rst+0 5 removed
    @@ -1,5 +0,0 @@
    -The :func:`PyInstaller.utils.hooks.collect_all` hook utility function
    -now attempts to translate the given importable package name into
    -distribution name before attempting to collect metadata. This allows
    -the function to handle cases when the distribution name does not match
    -the importable package name.
    
  • news/7943.feature.rst+0 4 removed
    @@ -1,4 +0,0 @@
    -Implemented :func:`PyInstaller.utils.hooks.check_requirement` hook
    -utility function as an ``importlib.metadata``-based replacement for
    -:func:`PyInstaller.utils.hooksis_module_satisfies`; the latter is now
    -just an alias for the former, kept for compatibility with existing hooks.
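Review bot: The cross-reference on line 3, :func:`PyInstaller.utils.hooksis_module_satisfies`, is missing the dot before is_module_satisfies, so it will not resolve. news/7943.breaking.rst spells the same target PyInstaller.utils.hooks.is_module_satisfies; use that form in the carried-over text.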
    
  • news/7950.bootloader.rst+0 6 removed
    @@ -1,6 +0,0 @@
    -(Linux, macOS) When extracting files from ``onefile`` archive, the
    -executable bit is now set only on binaries (files whose TOC type code
    -was either ``BINARY``, ``EXECUTABLE``, or ``EXTENSION``) or data files
    -that originally had the executable bit set. Therefore, binaries are now
    -extracted with permissions bits set to ``0700``, while all other files
    -have permissions bits set to ``0600``.
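Review bot: The closing sentence says binaries get 0700 and all other files get 0600, which contradicts the first sentence's exception for data files that originally had the executable bit set. Reword the last sentence so the 0600 case is limited to data files without the executable bit; anyone auditing the permissions of the extracted onefile directory will take that sentence as the rule.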
    
  • PyInstaller/bootloader/Darwin-64bit/run+0 0 modified
  • PyInstaller/bootloader/Darwin-64bit/run_d+0 0 modified
  • PyInstaller/bootloader/Darwin-64bit/runw+0 0 modified
  • PyInstaller/bootloader/Darwin-64bit/runw_d+0 0 modified
  • PyInstaller/bootloader/Linux-32bit-intel/run+0 0 modified
  • PyInstaller/bootloader/Linux-32bit-intel/run_d+0 0 modified
  • PyInstaller/bootloader/Linux-64bit-intel/run+0 0 modified
  • PyInstaller/bootloader/Linux-64bit-intel/run_d+0 0 modified
  • PyInstaller/bootloader/Windows-32bit-intel/run_d.exe+0 0 modified
  • PyInstaller/bootloader/Windows-32bit-intel/run.exe+0 0 modified
  • PyInstaller/bootloader/Windows-32bit-intel/runw_d.exe+0 0 modified
  • PyInstaller/bootloader/Windows-32bit-intel/runw.exe+0 0 modified
  • PyInstaller/bootloader/Windows-64bit-intel/run_d.exe+0 0 modified
  • PyInstaller/bootloader/Windows-64bit-intel/run.exe+0 0 modified
  • PyInstaller/bootloader/Windows-64bit-intel/runw_d.exe+0 0 modified
  • PyInstaller/bootloader/Windows-64bit-intel/runw.exe+0 0 modified
  • PyInstaller/__init__.py+1 1 modified
    @@ -18,7 +18,7 @@
     from PyInstaller.utils.git import get_repo_revision
     
     # Note: Keep this variable as plain string so it could be updated automatically when doing a release.
    -__version__ = '5.13.2'
    +__version__ = '6.0.0'
     
     # Absolute path of this package's directory. Save this early so all submodules can use the absolute path. This is
     # required for example if the current directory changes prior to loading the hooks.
    
  • README.rst+3 3 modified
    @@ -134,7 +134,7 @@ either ``gcc`` or ``clang``) and zlib's development headers already installed.
     Support
     -------
     
    -- Official debugging guide: https://pyinstaller.org/en/v5.13.2/when-things-go-wrong.html
    +- Official debugging guide: https://pyinstaller.org/en/v6.0.0/when-things-go-wrong.html
     - Assorted user contributed help topics: https://github.com/pyinstaller/pyinstaller/wiki
     - Web based Q&A forums: https://github.com/pyinstaller/pyinstaller/discussions
     - Email based Q&A forums: https://groups.google.com/g/pyinstaller
    @@ -146,5 +146,5 @@ Changes in this Release
     You can find a detailed list of changes in this release
     in the `Changelog`_ section of the manual.
     
    -.. _`manual`: https://pyinstaller.org/en/v5.13.2/
    -.. _`Changelog`: https://pyinstaller.org/en/v5.13.2/CHANGES.html
    +.. _`manual`: https://pyinstaller.org/en/v6.0.0/
    +.. _`Changelog`: https://pyinstaller.org/en/v6.0.0/CHANGES.html
    
f5adf291c8b8

Remove the --key/cipher bytecode encryption.

https://github.com/pyinstaller/pyinstaller · Brénainn Woodsend · Jul 28, 2022 · via ghsa
13 files changed · +32 198
  • doc/spec-files.rst+2 5 modified
    @@ -73,18 +73,15 @@ the ``pyinstaller`` command executes the spec file as code.
     Your bundled application is created by the execution of the spec file.
     The following is a shortened example of a spec file for a minimal, one-folder app::
     
    -    block_cipher = None
         a = Analysis(['minimal.py'],
                  pathex=['/Developer/PItests/minimal'],
                  binaries=None,
                  datas=None,
                  hiddenimports=[],
                  hookspath=None,
                  runtime_hooks=None,
    -             excludes=None,
    -             cipher=block_cipher)
    -    pyz = PYZ(a.pure, a.zipped_data,
    -             cipher=block_cipher)
    +             excludes=None)
    +    pyz = PYZ(a.pure, a.zipped_data)
         exe = EXE(pyz,... )
         coll = COLLECT(...)
     
    
  • news/6999.breaking.rst+1 0 added
    @@ -0,0 +1 @@
    +Remove bytecode encryption (``--key`` and ``cipher`` options).
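Review bot: This one-line entry does not tell users what they will see or what to do. The code in this commit raises RemovedCipherFeatureError when a spec file still passes a cipher, so the note should say that the cipher and block_cipher arguments must be removed from spec files, and it should link the rationale that the deleted deprecation message pointed to (https://github.com/pyinstaller/pyinstaller/pull/6999).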
    
  • PyInstaller/archive/pyz_crypto.py+2 34 modified
    @@ -9,40 +9,8 @@
     # SPDX-License-Identifier: (GPL-2.0-or-later WITH Bootloader-exception)
     #-----------------------------------------------------------------------------
     
    -import os
    -
    -from PyInstaller import log as logging
    -
    -BLOCK_SIZE = 16
    -logger = logging.getLogger(__name__)
    -
     
     class PyiBlockCipher:
    -    """
    -    This class is used only to encrypt Python modules.
    -    """
         def __init__(self, key=None):
    -        logger.log(
    -            logging.DEPRECATION,
    -            "Bytecode encryption will be removed in PyInstaller v6. Please remove cipher and block_cipher parameters "
    -            "from your spec file to avoid breakages on upgrade. For the rationale/alternatives see "
    -            "https://github.com/pyinstaller/pyinstaller/pull/6999"
    -        )
    -        assert type(key) is str
    -        if len(key) > BLOCK_SIZE:
    -            self.key = key[0:BLOCK_SIZE]
    -        else:
    -            self.key = key.zfill(BLOCK_SIZE)
    -        assert len(self.key) == BLOCK_SIZE
    -
    -        import tinyaes
    -        self._aesmod = tinyaes
    -
    -    def encrypt(self, data):
    -        iv = os.urandom(BLOCK_SIZE)
    -        return iv + self.__create_cipher(iv).CTR_xcrypt_buffer(data)
    -
    -    def __create_cipher(self, iv):
    -        # The 'AES' class is stateful, and this factory method is used to re-initialize the block cipher class with
    -        # each call to xcrypt().
    -        return self._aesmod.AES(self.key.encode(), iv)
    +        from PyInstaller.exceptions import RemovedCipherFeatureError
    +        raise RemovedCipherFeatureError("Please remove cipher and block_cipher parameters from your spec file.")
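Review bot: The new error text in __init__ drops the pointer to the rationale that the deleted deprecation log carried (https://github.com/pyinstaller/pyinstaller/pull/6999). Keep the link in the RemovedCipherFeatureError message so a failing build explains why the feature is gone and where the alternatives are described. The class also loses its docstring; a one-line docstring saying it is a stub kept only to raise on old spec files would stop a reader from mistaking it for a working cipher.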
    
  • PyInstaller/archive/writers.py+3 9 modified
    @@ -33,7 +33,7 @@ class ZlibArchiveWriter:
         _HEADER_LENGTH = 12 + 5
         _COMPRESSION_LEVEL = 6  # zlib compression level
     
    -    def __init__(self, filename, entries, code_dict=None, cipher=None):
    +    def __init__(self, filename, entries, code_dict=None):
             """
             filename
                 Target filename of the archive.
    @@ -44,8 +44,6 @@ def __init__(self, filename, entries, code_dict=None, cipher=None):
                 `DATA`).
             code_dict
                 Optional code dictionary containing code objects for analyzed/collected python modules.
    -        cipher
    -            Optional `Cipher` object for bytecode encryption.
             """
             code_dict = code_dict or {}
     
    @@ -56,7 +54,7 @@ def __init__(self, filename, entries, code_dict=None, cipher=None):
                 # Write entries' data and collect TOC entries
                 toc = []
                 for entry in entries:
    -                toc_entry = self._write_entry(fp, entry, code_dict, cipher)
    +                toc_entry = self._write_entry(fp, entry, code_dict)
                     toc.append(toc_entry)
     
                 # Write TOC
    @@ -68,17 +66,15 @@ def __init__(self, filename, entries, code_dict=None, cipher=None):
                 #  - PYZ magic pattern (4 bytes)
                 #  - python bytecode magic pattern (4 bytes)
                 #  - TOC offset (32-bit int, 4 bytes)
    -            #  - encryption flag (1 byte)
                 #  - 4 unused bytes
                 fp.seek(0, os.SEEK_SET)
     
                 fp.write(self._PYZ_MAGIC_PATTERN)
                 fp.write(BYTECODE_MAGIC)
                 fp.write(struct.pack('!i', toc_offset))
    -            fp.write(struct.pack('!B', cipher is not None))
     
         @classmethod
    -    def _write_entry(cls, fp, entry, code_dict, cipher):
    +    def _write_entry(cls, fp, entry, code_dict):
             name, src_path, typecode = entry
     
             if typecode == 'PYMODULE':
    @@ -102,8 +98,6 @@ def _write_entry(cls, fp, entry, code_dict, cipher):
     
             # First compress, then encrypt.
             obj = zlib.compress(data, cls._COMPRESSION_LEVEL)
    -        if cipher:
    -            obj = cipher.encrypt(obj)
     
             # Create TOC entry
             toc_entry = (name, (typecode, fp.tell(), len(obj)))
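Review bot: The unchanged comment "# First compress, then encrypt." above the zlib.compress call is stale now that the cipher.encrypt step is removed. Change it to describe compression only, so nobody reading the writer assumes the PYZ payload is protected.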
    
  • PyInstaller/building/api.py+6 12 modified
    @@ -61,16 +61,18 @@ def __init__(self, *tocs, **kwargs):
     
                 name
                     A filename for the .pyz. Normally not needed, as the generated name will do fine.
    -            cipher
    -                The block cipher that will be used to encrypt Python bytecode.
             """
    +        if kwargs.get("cipher"):
    +            from PyInstaller.exceptions import RemovedCipherFeatureError
    +            raise RemovedCipherFeatureError(
    +                "Please remove the 'cipher' arguments to PYZ() and Analysis() in your spec file."
    +            )
     
             from PyInstaller.config import CONF
     
             super().__init__()
     
             name = kwargs.get('name', None)
    -        cipher = kwargs.get('cipher', None)
     
             self.name = name
             if name is None:
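Review bot: `if kwargs.get("cipher"):` in PYZ.__init__ is a truthiness test, while the matching guard added to Analysis in build_main.py is `if cipher is not None:`, so a falsy non-None value is rejected by one constructor and silently accepted by the other. Use the same `is not None` comparison in both places; spec files generated from the old templates pass `cipher=block_cipher` with `block_cipher = None`, which both forms still allow.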
    @@ -79,14 +81,6 @@ def __init__(self, *tocs, **kwargs):
             # PyInstaller bootstrapping modules.
             bootstrap_dependencies = get_bootstrap_modules()
     
    -        # Bundle the crypto key.
    -        self.cipher = cipher
    -        if cipher:
    -            key_file = ('pyimod00_crypto_key', os.path.join(CONF['workpath'], 'pyimod00_crypto_key.py'), 'PYMODULE')
    -            # Insert the key as the first module in the list. The key module contains just variables and does not depend
    -            # on other modules.
    -            bootstrap_dependencies.insert(0, key_file)
    -
             # Compile the python modules that are part of bootstrap dependencies, so that they can be collected into the
             # CArchive and imported by the bootstrap script.
             self.dependencies = []
    @@ -156,7 +150,7 @@ def assemble(self):
             self.code_dict = {name: strip_paths_in_code(code) for name, code in self.code_dict.items()}
     
             # Create the archive
    -        ZlibArchiveWriter(self.name, archive_toc, code_dict=self.code_dict, cipher=self.cipher)
    +        ZlibArchiveWriter(self.name, archive_toc, code_dict=self.code_dict)
             logger.info("Building PYZ (ZlibArchive) %s completed successfully.", self.name)
     
     
    
  • PyInstaller/building/build_main.py +5 -15 modified
    @@ -24,7 +24,6 @@
     
     from PyInstaller import DEFAULT_DISTPATH, DEFAULT_WORKPATH, HOMEPATH, compat
     from PyInstaller import log as logging
    -from PyInstaller.archive import pyz_crypto
     from PyInstaller.building.api import COLLECT, EXE, MERGE, PYZ
     from PyInstaller.building.datastruct import TOC, Target, Tree, _check_guts_eq, normalize_toc, normalize_pyz_toc
     from PyInstaller.building.osx import BUNDLE
    @@ -305,8 +304,6 @@ def __init__(
                     ignored (as though they were not found).
             runtime_hooks
                     An optional list of scripts to use as users' runtime hooks. Specified as file names.
    -        cipher
    -                Add optional instance of the pyz_crypto.PyiBlockCipher class (with a provided key).
             win_no_prefer_redirects
                     If True, prefer not to follow version redirects when searching for Windows SxS Assemblies.
             win_private_assemblies
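Review bot: the `cipher` entry is removed from the Analysis docstring here, but the next hunk still tests `if cipher is not None`, so the parameter stays in the signature and is now undocumented. Keep a one-line entry saying the argument is accepted only so that a non-None value raises RemovedCipherFeatureError.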
    @@ -317,6 +314,11 @@ def __init__(
                     An optional dict of package/module names and collection mode strings. Valid collection mode strings:
                     'pyz' (default), 'pyc', 'py', 'pyz+py' (or 'py+pyz')
             """
    +        if cipher is not None:
    +            from PyInstaller.exceptions import RemovedCipherFeatureError
    +            raise RemovedCipherFeatureError(
    +                "Please remove the 'cipher' arguments to PYZ() and Analysis() in your spec file."
    +            )
             super().__init__()
             from PyInstaller.config import CONF
     
    @@ -377,15 +379,6 @@ def __init__(
             # Custom runtime hook files that should be included and started before any existing PyInstaller runtime hooks.
             self.custom_runtime_hooks = runtime_hooks or []
     
    -        if cipher:
    -            logger.info('Will encrypt Python bytecode with provided cipher key')
    -            # Create a Python module which contains the decryption key which will be used at runtime by
    -            # pyi_crypto.PyiBlockCipher.
    -            pyi_crypto_key_path = os.path.join(CONF['workpath'], 'pyimod00_crypto_key.py')
    -            with open(pyi_crypto_key_path, 'w', encoding='utf-8') as f:
    -                f.write('# -*- coding: utf-8 -*-\nkey = %r\n' % cipher.key)
    -            self.hiddenimports.append('tinyaes')
    -
             self._input_binaries = []
             self._input_datas = []
     
    @@ -442,8 +435,6 @@ def __init__(
             ('_input_binaries', _check_guts_toc),
             ('_input_datas', _check_guts_toc),
     
    -        # 'cipher': no need to check as it is implied by an additional hidden import
    -
             # calculated/analysed values
             ('_python_version', _check_guts_eq),
             ('scripts', _check_guts_toc_mtime),
    @@ -929,7 +920,6 @@ def build(spec, distpath, workpath, clean_build):
             'Splash': Splash,
             # Python modules available for .spec.
             'os': os,
    -        'pyi_crypto': pyz_crypto,
         }
     
         # Execute the specfile. Read it as a binary file...
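Review bot: dropping `'pyi_crypto': pyz_crypto` from the spec-file namespace means a spec generated earlier with `--key` would fail on its own line `block_cipher = pyi_crypto.PyiBlockCipher(key=...)` (the old cipher_init_template removed in templates.py) with a NameError, before Analysis() can raise RemovedCipherFeatureError. Consider leaving a small `pyi_crypto` stub in this dict whose PyiBlockCipher raises the same error, so those users get the intended message.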
    
  • PyInstaller/building/makespec.py +5 -27 modified
    @@ -14,13 +14,10 @@
     
     import argparse
     import os
    -import sys
     
     from PyInstaller import DEFAULT_SPECPATH, HOMEPATH
     from PyInstaller import log as logging
    -from PyInstaller.building.templates import (
    -    bundleexetmplt, bundletmplt, cipher_absent_template, cipher_init_template, onedirtmplt, onefiletmplt, splashtmpl
    -)
    +from PyInstaller.building.templates import bundleexetmplt, bundletmplt, onedirtmplt, onefiletmplt, splashtmpl
     from PyInstaller.compat import expand_path, is_darwin, is_win
     
     logger = logging.getLogger(__name__)
    @@ -91,13 +88,9 @@ def make_variable_path(filename, conversions=path_conversions):
         return None, filename
     
     
    -def deprecated_key_option(x):
    -    logger.log(
    -        logging.DEPRECATION,
    -        "Bytecode encryption will be removed in PyInstaller v6. Please remove your --key=xxx argument to avoid "
    -        "breakages on upgrade. For the rationale/alternatives see https://github.com/pyinstaller/pyinstaller/pull/6999"
    -    )
    -    return x
    +def removed_key_option(x):
    +    from PyInstaller.exceptions import RemovedCipherFeatureError
    +    raise RemovedCipherFeatureError("Please remove your --key=xxx argument.")
     
     
     # An object used in place of a "path string", which knows how to repr() itself using variable names instead of
    @@ -356,7 +349,7 @@ def __add_options(parser):
             '--key',
             dest='key',
             help=argparse.SUPPRESS,
    -        type=deprecated_key_option,
    +        type=removed_key_option,
         )
         g.add_argument(
             '--splash',
    @@ -732,20 +725,6 @@ def main(
         # With absolute paths replace prefix with variable HOMEPATH.
         scripts = list(map(Path, scripts))
     
    -    if key:
    -        # Try to import tinyaes as we need it for bytecode obfuscation.
    -        try:
    -            import tinyaes  # noqa: F401 (test import)
    -        except ImportError:
    -            logger.error(
    -                'We need tinyaes to use byte-code obfuscation but we could not find it. You can install it '
    -                'with pip by running:\n  pip install tinyaes'
    -            )
    -            sys.exit(1)
    -        cipher_init = cipher_init_template % {'key': key}
    -    else:
    -        cipher_init = cipher_absent_template
    -
         # Translate the default of ``debug=None`` to an empty list.
         if debug is None:
             debug = []
    @@ -788,7 +767,6 @@ def main(
             'upx_exclude': upx_exclude,
             'runtime_tmpdir': runtime_tmpdir,
             'exe_options': exe_options,
    -        'cipher_init': cipher_init,
             # Directory with additional custom import hooks.
             'hookspath': hookspath,
             # List with custom runtime hook files.
    
  • PyInstaller/building/templates.py +2 -14 modified
    @@ -14,7 +14,6 @@
     
     onefiletmplt = """# -*- mode: python ; coding: utf-8 -*-
     %(preamble)s
    -%(cipher_init)s
     
     a = Analysis(
         %(scripts)s,
    @@ -28,10 +27,9 @@
         excludes=%(excludes)s,
         win_no_prefer_redirects=%(win_no_prefer_redirects)s,
         win_private_assemblies=%(win_private_assemblies)s,
    -    cipher=block_cipher,
         noarchive=%(noarchive)s,
     )
    -pyz = PYZ(a.pure, a.zipped_data, cipher=block_cipher)
    +pyz = PYZ(a.pure, a.zipped_data)
     %(splash_init)s
     exe = EXE(
         pyz,
    @@ -58,7 +56,6 @@
     
     onedirtmplt = """# -*- mode: python ; coding: utf-8 -*-
     %(preamble)s
    -%(cipher_init)s
     
     a = Analysis(
         %(scripts)s,
    @@ -72,10 +69,9 @@
         excludes=%(excludes)s,
         win_no_prefer_redirects=%(win_no_prefer_redirects)s,
         win_private_assemblies=%(win_private_assemblies)s,
    -    cipher=block_cipher,
         noarchive=%(noarchive)s,
     )
    -pyz = PYZ(a.pure, a.zipped_data, cipher=block_cipher)
    +pyz = PYZ(a.pure, a.zipped_data)
     %(splash_init)s
     exe = EXE(
         pyz,
    @@ -106,14 +102,6 @@
     )
     """
     
    -cipher_absent_template = """
    -block_cipher = None
    -"""
    -
    -cipher_init_template = """
    -block_cipher = pyi_crypto.PyiBlockCipher(key=%(key)r)
    -"""
    -
     bundleexetmplt = """app = BUNDLE(
         exe,
         name='%(name)s.app',
    
  • PyInstaller/exceptions.py +6 -0 modified
    @@ -28,3 +28,9 @@ def __str__(self):
                 "exists and whether the hook is compatible with your version of {1}: You might want to read more about "
                 "hooks in the manual and provide a pull-request to improve PyInstaller.".format(self.args[0], self.args[1])
             )
    +
    +
    +class RemovedCipherFeatureError(SystemExit):
    +    def __str__(self):
    +        return f"Bytecode encryption was removed in PyInstaller v6.0. {self.args[0]}" \
    +               " For the rationale and alternatives see https://github.com/pyinstaller/pyinstaller/pull/6999"
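Review bot: RemovedCipherFeatureError derives from SystemExit and builds its full text only in `__str__`, but when a SystemExit propagates to the top level the interpreter prints the exception's `code` (here `self.args[0]`), not `str(exc)`. Unless the entry point catches and formats it, the user would see only the short "Please remove ..." text without the "was removed in PyInstaller v6.0" prefix or the PR link; building the complete message in `__init__` and passing it to `super().__init__()` avoids that. A class docstring would also help, noting that `except Exception` handlers will not intercept this error.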
    
  • PyInstaller/loader/pyimod01_archive.py +0 -45 modified
    @@ -14,7 +14,6 @@
     # List of built-in modules: sys.builtin_module_names
     # List of modules collected into base_library.zip: PyInstaller.compat.PY3_BASE_MODULES
     
    -import sys
     import os
     import struct
     import marshal
    @@ -40,39 +39,6 @@ class ArchiveReadError(RuntimeError):
         pass
     
     
    -class Cipher:
    -    """
    -    This class is used only to decrypt Python modules.
    -    """
    -    def __init__(self):
    -        # At build-time the key is given to us from inside the spec file. At bootstrap-time, we must look for it
    -        # ourselves, by trying to import the generated 'pyi_crypto_key' module.
    -        import pyimod00_crypto_key
    -        key = pyimod00_crypto_key.key
    -
    -        assert type(key) is str
    -        if len(key) > CRYPT_BLOCK_SIZE:
    -            self.key = key[0:CRYPT_BLOCK_SIZE]
    -        else:
    -            self.key = key.zfill(CRYPT_BLOCK_SIZE)
    -        assert len(self.key) == CRYPT_BLOCK_SIZE
    -
    -        import tinyaes
    -        self._aesmod = tinyaes
    -        # Issue #1663: Remove the AES module from sys.modules list. Otherwise it interferes with using 'tinyaes' module
    -        # in users' code.
    -        del sys.modules['tinyaes']
    -
    -    def __create_cipher(self, iv):
    -        # The 'AES' class is stateful, and this factory method is used to re-initialize the block cipher class with
    -        # each call to xcrypt().
    -        return self._aesmod.AES(self.key.encode(), iv)
    -
    -    def decrypt(self, data):
    -        cipher = self.__create_cipher(data[:CRYPT_BLOCK_SIZE])
    -        return cipher.CTR_xcrypt_buffer(data[CRYPT_BLOCK_SIZE:])
    -
    -
     class ZlibArchiveReader:
         """
         Reader for PyInstaller's PYZ (ZlibArchive) archive. The archive is used to store collected byte-compiled Python
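Review bot: the deleted Cipher class was the only user of CRYPT_BLOCK_SIZE among the lines shown, and no hunk for this file removes the constant's definition (the file is listed with 45 deletions, all accounted for by the `import sys` line, the class and the two reader blocks). If nothing else references it, delete the constant as well so the loader carries no leftover from the encryption feature.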
    @@ -86,15 +52,6 @@ def __init__(self, filename, start_offset=None, check_pymagic=False):
     
             self.toc = {}
     
    -        self.cipher = None
    -
    -        # Try to create Cipher() instance; if encryption is not enabled, pyimod00_crypto_key is not available, and
    -        # instantiation fails with ImportError.
    -        try:
    -            self.cipher = Cipher()
    -        except ImportError:
    -            pass
    -
             # If no offset is given, try inferring it from filename
             if start_offset is None:
                 self._filename, self._start_offset = self._parse_offset_from_filename(filename)
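Review bot: nothing in this hunk records why the `try: self.cipher = Cipher()` / `except ImportError: pass` probe was taken out of ZlibArchiveReader.__init__, and that probe is the optional import of pyimod00_crypto_key during bootstrap that the advisory identifies. Add a short comment here stating that the reader must not attempt imports of modules that may be absent from the archive, so the pattern is not reintroduced.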
    @@ -192,8 +149,6 @@ def extract(self, name, raw=False):
                 )
     
             try:
    -            if self.cipher:
    -                obj = self.cipher.decrypt(obj)
                 obj = zlib.decompress(obj)
                 if typecode in (PYZ_ITEM_MODULE, PYZ_ITEM_PKG, PYZ_ITEM_NSPKG) and not raw:
                     obj = marshal.loads(obj)
    
  • setup.cfg +0 -2 modified
    @@ -87,8 +87,6 @@ hook_testing =
         pytest >= 2.7.3
         execnet >= 1.5.0
         psutil
    -encryption =
    -    tinyaes>=1.0.0
     
     [options.entry_points]
     console_scripts =
    
  • tests/functional/test_basic.py +0 -32 modified
    @@ -157,38 +157,6 @@ def test_email(pyi_builder):
         )
     
     
    -@importorskip('tinyaes')
    -def test_feature_crypto(pyi_builder):
    -    pyi_builder.test_source(
    -        """
    -        from pyimod00_crypto_key import key
    -        from pyimod01_archive import CRYPT_BLOCK_SIZE
    -
    -        # Test against issue #1663: importing a package in the bootstrap
    -        # phase should not interfere with subsequent imports.
    -        import tinyaes
    -
    -        assert type(key) is str
    -        # The test runner uses 'test_key' as key.
    -        assert key == 'test_key'.zfill(CRYPT_BLOCK_SIZE)
    -        """,
    -        pyi_args=['--key=test_key']
    -    )
    -
    -
    -def test_feature_nocrypto(pyi_builder):
    -    pyi_builder.test_source(
    -        """
    -        try:
    -            import pyimod00_crypto_key
    -
    -            raise AssertionError('The pyimod00_crypto_key module must NOT be there if crypto is disabled.')
    -        except ImportError:
    -            pass
    -        """
    -    )
    -
    -
     def test_filename(pyi_builder):
         pyi_builder.test_script('pyi_filename.py')
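Review bot: test_feature_nocrypto is deleted together with test_feature_crypto, although its assertion, that `import pyimod00_crypto_key` raises ImportError in a frozen application, is the invariant that should hold for every build after this change. Keep it (renamed if needed), and consider a second test that passes `--key=test_key` and expects RemovedCipherFeatureError.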
     
    
  • tests/requirements-tools.txt +0 -3 modified
    @@ -37,6 +37,3 @@ ruff
     pywin32; sys_platform == 'win32'
     
     lxml; python_version < '3.11'
    -
    -# crypto support (`--key` option)
    -tinyaes ~= 1.0; python_version < '3.11'
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
