build_encrypted_exe.ps1 builds a Windows executable distribution for SingBoxTunGui from the source PowerShell GUI script located at extracted_source/SingBoxTunGui.ps1.
The script is designed to produce a self-contained release folder under dist/ with:
SingBoxTunGui.exe, a Windows GUI executable launcher.SingBoxTunGui.exe.sha256, a checksum file compatible with sha256sum -c.SingBoxTunGui_CodeSigning.cer, the public part of the generated code-signing certificate.The build process performs the following steps.
build_encrypted_exe.ps1.extracted_source/SingBoxTunGui.ps1 exists.build_encrypted/ and dist/ if they do not already exist..ico application icon using .NET drawing APIs.The primary input file is:
extracted_source/SingBoxTunGui.ps1
This file contains the actual SingBoxTunGui PowerShell/WinForms application. The build script does not modify the source file in place. Instead, it reads the file, applies an in-memory runtime-path adjustment, encrypts the resulting script content, and embeds it into the generated executable launcher.
Intermediate files are written to:
build_encrypted/
This folder contains files used during compilation, including:
SingBoxTunGui.Loader.cs, the generated C# launcher source.SingBoxTunGui.ico, the generated Windows icon.These files are build artifacts. They can be regenerated by running the build script again.
Final release files are written to:
dist/
The distribution folder contains:
SingBoxTunGui.exe
SingBoxTunGui.exe.sha256
SingBoxTunGui_CodeSigning.cer
SingBoxTunGui.exe is the executable launcher. It contains the encrypted PowerShell application payload and starts the GUI through Windows PowerShell at runtime.
SingBoxTunGui.exe.sha256 contains the SHA-256 checksum in the standard two-space format:
<sha256-hash> SingBoxTunGui.exe
From inside the dist/ folder, the checksum can be verified with:
sha256sum -c SingBoxTunGui.exe.sha256
SingBoxTunGui_CodeSigning.cer contains the public certificate used to sign the executable.
The build script encrypts the PowerShell source payload using:
The encrypted payload is stored in the generated C# launcher as Base64 chunks. At runtime, the launcher decrypts the payload in memory, writes a temporary PowerShell script to the user temporary directory, and starts Windows PowerShell with that temporary script.
This protects the source script from being stored as plain text inside the executable. It is obfuscation and packaging protection, not a hardware-backed secret. A user with full control of the machine and enough reverse-engineering effort can still inspect a running application.
When SingBoxTunGui.exe starts, the launcher:
SINGBOXTUNGUI_APPDIR.%TEMP%\SingBoxTunGui\SingBoxTunGui.runtime.ps1
-NoLogo -NoProfile -ExecutionPolicy Bypass -STA -File <runtime-script>
The -STA flag is required because the packaged application uses WinForms.
The script creates or reuses a self-signed code-signing certificate with this subject:
CN=SingBoxTunGui Local Code Signing
The certificate is created in:
Cert:\CurrentUser\My
When a new certificate is generated, it is also added to the current user’s:
The executable is signed with Authenticode using SHA-256. The script fails the build if the resulting signature status is not Valid.
The exported .cer file contains only the public certificate. It does not contain the private signing key.
The build script expects the following Windows components to be available:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe.System.Drawing and System.Windows.Forms assemblies.New-SelfSignedCertificate, Export-Certificate, and Set-AuthenticodeSignature.Run the build script from PowerShell:
powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\build_encrypted_exe.ps1
After a successful build, the console output lists the executable, checksum file, exported certificate, and signature status.
The generated certificate is valid for local signing and local verification. On another machine, Windows may not trust the executable until the exported certificate is imported into an appropriate trusted certificate store.
Security tools may inspect or block executables that decrypt and launch script payloads. If that happens, the certificate, signature, and checksum can help identify the build output, but they do not override endpoint security policy.