refactor(uv-trampoline): use PE resources to store trampoline type + path to python binary

paveldikov · paveldikov · commit 1934b98022dd · 2025-08-05T00:05:14.000+01:00
`.rsrc` is the idiomatic way of storing metadata and non-code resources in PE binaries. This should make the resulting binaries more robust as they are no longer dependent on the exact location of a certain magic number. Addresses: #15022
diff --git a/crates/uv-trampoline-builder/src/lib.rs b/crates/uv-trampoline-builder/src/lib.rs
@@ -578,6 +578,50 @@ if __name__ == "__main__":
         assert!(launcher.kind == LauncherKind::Python);
         assert!(launcher.python_path == python_executable_path);
 
+        // Now sign the launcher using Set-AuthenticodeSignature...
+        #[cfg(windows)]
+        {
+            Command::new("powershell")
+                .args([
+                    "-NoProfile",
+                    "-NonInteractive",
+                    "-Command",
+                    &format!(
+                        r#"
+                        $ErrorActionPreference = 'Stop'
+                        $store = 'Cert:\CurrentUser\My'
+                        $cert = New-SelfSignedCertificate `
+                            -Subject 'CN=UvTrampolineTest' `
+                            -Type CodeSigning `
+                            -KeyUsage DigitalSignature `
+                            -KeyAlgorithm RSA `
+                            -KeyLength 2048 `
+                            -CertStoreLocation $store;
+                        try {{
+                            Set-AuthenticodeSignature -FilePath '{}' -Certificate $cert;
+                        }} finally {{
+                            Remove-Item -Path "$store\$($cert.Thumbprint)" -Force;
+                        }}"#,
+                        console_bin_path
+                            .path()
+                            .display()
+                            .to_string()
+                            .replace("'", "''")
+                    ),
+                ])
+                .assert()
+                .success();
+
+            // ...and verify that it still runs as it did.
+            let stdout_predicate = "Hello from uv-trampoline-console.exe\r\n";
+            let stderr_predicate = "Hello from uv-trampoline-console.exe\r\n";
+            Command::new(console_bin_path.path())
+                .assert()
+                .success()
+                .stdout(stdout_predicate)
+                .stderr(stderr_predicate);
+        }
+
         Ok(())
     }
 
diff --git a/crates/uv-trampoline/Cargo.toml b/crates/uv-trampoline/Cargo.toml
@@ -42,12 +42,15 @@ windows = { version = "0.61.0", features = [
   "Win32_System_Console",
   "Win32_System_Environment",
   "Win32_System_JobObjects",
+  "Win32_System_LibraryLoader",
   "Win32_System_Threading",
   "Win32_UI_WindowsAndMessaging",
 ] }
 ufmt-write = "0.1.0"
 ufmt = { version = "0.2.0", features = ["std"] }
 dunce = { version = "1.0.5" }
+# TODO: not sure if we will need this for uv-trampoline-builder after all.
+# object = { version = "0.37.2" }
 
 [build-dependencies]
 embed-manifest = "1.4.0"
diff --git a/crates/uv-trampoline/src/bounce.rs b/crates/uv-trampoline/src/bounce.rs
@@ -1,8 +1,5 @@
 #![allow(clippy::disallowed_types)]
 use std::ffi::{CString, c_void};
-use std::fs::File;
-use std::io::{Read, Seek, SeekFrom};
-use std::mem::size_of;
 use std::path::{Path, PathBuf};
 use std::vec::Vec;
 
@@ -14,6 +11,7 @@ use windows::Win32::{
     System::Console::{
         GetStdHandle, STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, SetConsoleCtrlHandler, SetStdHandle,
     },
+    System::LibraryLoader::{FindResourceA, LoadResource, LockResource, SizeofResource},
     System::Environment::GetCommandLineA,
     System::JobObjects::{
         AssignProcessToJobObject, CreateJobObjectA, JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE,
@@ -32,10 +30,14 @@ use windows::Win32::{
 };
 use windows::core::{BOOL, PSTR, s};
 
+// TODO: see if we need object::pe after all. Maybe we can keep the nice const for readability.
+// use object::pe::RT_RCDATA;
+
 use crate::{error, format, warn};
 
-const PATH_LEN_SIZE: usize = size_of::<u32>();
-const MAX_PATH_LEN: u32 = 32 * 1024;
+/// Resource IDs for the trampoline metadata
+const RESOURCE_TRAMPOLINE_TYPE: &str = "TRAMPOLINE_TYPE\0";
+const RESOURCE_PYTHON_PATH: &str  = "PYTHON_PATH\0";
 
 /// The kind of trampoline.
 enum TrampolineKind {
@@ -46,21 +48,33 @@ enum TrampolineKind {
 }
 
 impl TrampolineKind {
-    const fn magic_number(&self) -> &'static [u8; 4] {
-        match self {
-            Self::Script => b"UVSC",
-            Self::Python => b"UVPY",
+    fn from_resource(data: &[u8]) -> Option<Self> {
+        match data.get(0) {
+            Some(1) => Some(Self::Script),
+            Some(2) => Some(Self::Python),
+            _ => {None},
         }
     }
+}
 
-    fn from_buffer(buffer: &[u8]) -> Option<Self> {
-        if buffer.ends_with(Self::Script.magic_number()) {
-            Some(Self::Script)
-        } else if buffer.ends_with(Self::Python.magic_number()) {
-            Some(Self::Python)
-        } else {
-            None
-        }
+/// Safely loads a resource from the current module
+fn load_resource(resource_id: &str) -> Option<Vec<u8>> {
+    unsafe {
+        // Find the resource
+        let resource = FindResourceA(
+            None,
+            windows::core::PCSTR(resource_id.as_ptr() as _),
+            windows::core::PCSTR(10 as *const _),  // RT_RCDATA = 10
+        ).ok()?;
+        
+        // Get resource size and data
+        let size = SizeofResource(None, resource);
+        let data = LoadResource(None, resource).ok();
+        
+        let ptr = LockResource(data?) as *const u8;
+        
+        // Copy the resource data into a Vec
+        Some(std::slice::from_raw_parts(ptr, size as usize).to_vec())
     }
 }
 
@@ -70,14 +84,34 @@ fn make_child_cmdline() -> CString {
     let executable_name = std::env::current_exe().unwrap_or_else(|_| {
         error_and_exit("Failed to get executable name");
     });
-    let (kind, python_exe) = read_trampoline_metadata(executable_name.as_ref());
+    
+    // Load trampoline type
+    let trampoline_type = load_resource(RESOURCE_TRAMPOLINE_TYPE)
+        .and_then(|data| TrampolineKind::from_resource(&data))
+        .unwrap_or_else(|| error_and_exit("Failed to load trampoline type from resources"));
+    
+    // Load Python path
+    let python_path = load_resource(RESOURCE_PYTHON_PATH)
+        .and_then(|data| String::from_utf8(data).ok())
+        .map(PathBuf::from)
+        .unwrap_or_else(|| error_and_exit("Failed to load Python path from resources"));
+        
+    // Convert relative paths to absolute
+    let python_exe = if python_path.is_absolute() {
+        python_path
+    } else {
+        executable_name
+            .parent()
+            .unwrap_or_else(|| error_and_exit("Executable path has no parent directory"))
+            .join(python_path)
+    };
+    
     let mut child_cmdline = Vec::<u8>::new();
-
     push_quoted_path(python_exe.as_ref(), &mut child_cmdline);
     child_cmdline.push(b' ');
 
     // Only execute the trampoline again if it's a script, otherwise, just invoke Python.
-    match kind {
+    match trampoline_type {
         TrampolineKind::Python => {
             // SAFETY: `std::env::set_var` is safe to call on Windows, and
             // this code only ever runs on Windows.
@@ -145,6 +179,7 @@ fn push_quoted_path(path: &Path, command: &mut Vec<u8>) {
     command.extend(br#"""#);
 }
 
+
 /// Checks if the given executable is part of a virtual environment
 ///
 /// Checks if a `pyvenv.cfg` file exists in grandparent directory of the given executable.
@@ -159,143 +194,6 @@ fn is_virtualenv(executable: &Path) -> bool {
         .unwrap_or(false)
 }
 
-/// Reads the executable binary from the back to find:
-///
-/// * The path to the Python executable
-/// * The kind of trampoline we are executing
-///
-/// The executable is expected to have the following format:
-///
-/// * The file must end with the magic number 'UVPY' or 'UVSC' (identifying the trampoline kind)
-/// * The last 4 bytes (little endian) are the length of the path to the Python executable.
-/// * The path encoded as UTF-8 comes right before the length
-///
-/// # Panics
-///
-/// If there's any IO error, or the file does not conform to the specified format.
-fn read_trampoline_metadata(executable_name: &Path) -> (TrampolineKind, PathBuf) {
-    let mut file_handle = File::open(executable_name).unwrap_or_else(|_| {
-        print_last_error_and_exit(&format!(
-            "Failed to open executable '{}'",
-            &*executable_name.to_string_lossy(),
-        ));
-    });
-
-    let metadata = executable_name.metadata().unwrap_or_else(|_| {
-        print_last_error_and_exit(&format!(
-            "Failed to get the size of the executable '{}'",
-            &*executable_name.to_string_lossy(),
-        ));
-    });
-    let file_size = metadata.len();
-
-    // Start with a size of 1024 bytes which should be enough for most paths but avoids reading the
-    // entire file.
-    let mut buffer: Vec<u8> = Vec::new();
-    let mut bytes_to_read = 1024.min(u32::try_from(file_size).unwrap_or(u32::MAX));
-
-    let mut kind;
-    let path: String = loop {
-        // SAFETY: Casting to usize is safe because we only support 64bit systems where usize is guaranteed to be larger than u32.
-        buffer.resize(bytes_to_read as usize, 0);
-
-        file_handle
-            .seek(SeekFrom::Start(file_size - u64::from(bytes_to_read)))
-            .unwrap_or_else(|_| {
-                print_last_error_and_exit("Failed to set the file pointer to the end of the file");
-            });
-
-        // Pulls in core::fmt::{write, Write, getcount}
-        let read_bytes = file_handle.read(&mut buffer).unwrap_or_else(|_| {
-            print_last_error_and_exit("Failed to read the executable file");
-        });
-
-        // Truncate the buffer to the actual number of bytes read.
-        buffer.truncate(read_bytes);
-
-        let Some(inner_kind) = TrampolineKind::from_buffer(&buffer) else {
-            error_and_exit(
-                "Magic number 'UVSC' or 'UVPY' not found at the end of the file. Did you append the magic number, the length and the path to the python executable at the end of the file?",
-            );
-        };
-        kind = inner_kind;
-
-        // Remove the magic number
-        buffer.truncate(buffer.len() - kind.magic_number().len());
-
-        let path_len = match buffer.get(buffer.len() - PATH_LEN_SIZE..) {
-            Some(path_len) => {
-                let path_len = u32::from_le_bytes(path_len.try_into().unwrap_or_else(|_| {
-                    error_and_exit("Slice length is not equal to 4 bytes");
-                }));
-
-                if path_len > MAX_PATH_LEN {
-                    error_and_exit(&format!(
-                        "Only paths with a length up to 32KBs are supported but the python path has a length of {}",
-                        path_len
-                    ));
-                }
-
-                // SAFETY: path len is guaranteed to be less than 32KBs
-                path_len as usize
-            }
-            None => {
-                error_and_exit(
-                    "Python executable length missing. Did you write the length of the path to the Python executable before the Magic number?",
-                );
-            }
-        };
-
-        // Remove the path length
-        buffer.truncate(buffer.len() - PATH_LEN_SIZE);
-
-        if let Some(path_offset) = buffer.len().checked_sub(path_len) {
-            buffer.drain(..path_offset);
-
-            break String::from_utf8(buffer).unwrap_or_else(|_| {
-                error_and_exit("Python executable path is not a valid UTF-8 encoded path");
-            });
-        } else {
-            // SAFETY: Casting to u32 is safe because `path_len` is guaranteed to be less than 32KBs,
-            // MAGIC_NUMBER is 4 bytes and PATH_LEN_SIZE is 4 bytes.
-            bytes_to_read = (path_len + kind.magic_number().len() + PATH_LEN_SIZE) as u32;
-
-            if u64::from(bytes_to_read) > file_size {
-                error_and_exit(
-                    "The length of the python executable path exceeds the file size. Verify that the path length is appended to the end of the launcher script as a u32 in little endian",
-                );
-            }
-        }
-    };
-
-    let path = PathBuf::from(path);
-    let path = if path.is_absolute() {
-        path
-    } else {
-        let parent_dir = match executable_name.parent() {
-            Some(parent) => parent,
-            None => {
-                error_and_exit("Executable path has no parent directory");
-            }
-        };
-        parent_dir.join(path)
-    };
-
-    let path = if !path.is_absolute() || matches!(kind, TrampolineKind::Script) {
-        // NOTICE: dunce adds 5kb~
-        // TODO(john): In order to avoid resolving junctions and symlinks for relative paths and
-        // scripts, we can consider reverting https://github.com/astral-sh/uv/pull/5750/files#diff-969979506be03e89476feade2edebb4689a9c261f325988d3c7efc5e51de26d1L273-L277.
-        dunce::canonicalize(path.as_path()).unwrap_or_else(|_| {
-            error_and_exit("Failed to canonicalize script path");
-        })
-    } else {
-        // For Python trampolines with absolute paths, we skip `dunce::canonicalize` to
-        // avoid resolving junctions.
-        path
-    };
-
-    (kind, path)
-}
 
 fn push_arguments(output: &mut Vec<u8>) {
     // SAFETY: We rely on `GetCommandLineA` to return a valid pointer to a null terminated string.
