I've recently used pip to install packets inside of a public network without thinking about it:
pip install packetname
and I was wondering if pip does some sort of verification via hashing or PGP.
Asked
Active
Viewed 3,971 times
0
Anders
- 64,406
- 24
- 178
- 215
Anton Althoff
- 3
- 1
- 3
2 Answers
1
Aside from SSL based security aspect, when installing from PyPI pip has an MD5 based checking mechanism (though the hashing algorithm can be changed), which is designed to prevent/check download corruptions and not really be a security guard:
PyPI provides an MD5 hash in the fragment portion of each package download URL, like #md5=123..., which pip checks as a protection against download corruption. Other hash algorithms that have guaranteed support from hashlib are also supported here: sha1, sha224, sha384, sha256, and sha512. Since this hash originates remotely, it is not a useful guard against tampering and thus does not satisfy the --require-hashes demand that every package have a local hash.
But, pip can also work in the hash-checking mode (which is not enabled by default), which allows you to validate against local hashes for each of the packages you install:
Since version 8.0, pip can check downloaded package archives against local hashes to protect against remote tampering.
Check out this relevant thread as well:
alecxe
- 1,515
- 5
- 19
- 34
-
@AntonAlthoff since the md5 hash is also coming from the PyPI server, you cannot trust it either.. – alecxe Dec 14 '17 at 03:40
0
pip uses https as transfer protocol unless you consciously circumvent this. This already includes some verification (the package comes from a trusted source and is transferred in encrypted form and only decrypted on the target computer).
I am not sure about additional verification mechanisms built into pip; but there probably are.
jk - Reinstate Monica
- 1,658
- 1
- 11
- 18