0

I've recently used pip to install packages inside of a public network without thinking about it:

pip install packetname

and I was wondering if pip does some sort of verification via hashing or PGP.

Anders

2 Answers

1

Aside from the SSL-based security aspect, when installing from PyPI pip has an MD5-based checking mechanism (though the hashing algorithm can be changed), which is designed to detect download corruption and is not really a security guard:

PyPI provides an MD5 hash in the fragment portion of each package download URL, like #md5=123..., which pip checks as a protection against download corruption. Other hash algorithms that have guaranteed support from hashlib are also supported here: sha1, sha224, sha384, sha256, and sha512. Since this hash originates remotely, it is not a useful guard against tampering and thus does not satisfy the --require-hashes demand that every package have a local hash.

But pip can also work in hash-checking mode (which is not enabled by default), which allows you to validate each package you install against local hashes:

Since version 8.0, pip can check downloaded package archives against local hashes to protect against remote tampering.

Check out this relevant thread as well:

alecxe
  • @AntonAlthoff since the md5 hash is also coming from the PyPI server, you cannot trust it either. – alecxe Dec 14 '17 at 03:40
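A worked illustration of the hash-checking mode the answer describes, added here and not part of the answer or of pip's own code: a small Python mimic of how `pip install --require-hashes -r requirements.txt` treats each requirement, with a constructed byte string standing in for the downloaded archive and a placeholder package name.

```python
import hashlib
import re
from typing import Dict, Set, Tuple

# Constructed sample archive; in practice this is the downloaded sdist/wheel.
ARCHIVE = b"fake sdist bytes for demonstration"
GOOD_SHA256 = hashlib.sha256(ARCHIVE).hexdigest()

# Constructed requirements file in the shape hash-checking mode expects.
# "packetname" is a placeholder; "otherpkg" deliberately has no --hash.
REQUIREMENTS = f"""
packetname==1.0 \\
    --hash=sha256:{GOOD_SHA256}
otherpkg==2.3
"""

# pip accepts only these algorithms for --hash (not md5/sha1).
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-f]+)")


def parse_requirements(text: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Map each pinned requirement to the (algorithm, digest) pairs declared
    for it. Backslash continuation lines are joined first, as pip does."""
    joined = text.replace("\\\n", " ")
    reqs: Dict[str, Set[Tuple[str, str]]] = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec = line.split()[0]
        reqs[spec] = set(HASH_RE.findall(line))
    return reqs


def check_archive(spec: str, archive: bytes,
                  reqs: Dict[str, Set[Tuple[str, str]]]) -> str:
    """Mimic --require-hashes for one downloaded archive: the requirement must
    carry at least one local hash, and the archive must match one of them."""
    declared = reqs.get(spec, set())
    if not declared:
        return "rejected: no hash pinned (--require-hashes)"
    for algo, digest in declared:
        if hashlib.new(algo, archive).hexdigest() == digest:
            return "ok"
    return "rejected: hash mismatch"
```

The local digest is what makes this a tamper check rather than a corruption check: it is compared against a value you recorded, not one served alongside the download.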
0

pip uses https as its transfer protocol unless you consciously circumvent this. This already includes some verification (the package comes from a trusted source and is transferred in encrypted form, decrypted only on the target computer).

I am not sure about additional verification mechanisms built into pip; but there probably are.

jk - Reinstate Monica