I've recently used pip to install packets inside of a public network without thinking about it:
pip install packetname
and I was wondering if pip does some sort of verification via hashing or PGP.
Aside from the SSL-based security aspect, when installing from PyPI pip has an MD5-based checking mechanism (though the hashing algorithm can be changed), which is designed to prevent/check download corruption and is not really a security guard:
PyPI provides an MD5 hash in the fragment portion of each package download URL, like #md5=123..., which pip checks as a protection against download corruption. Other hash algorithms that have guaranteed support from hashlib are also supported here: sha1, sha224, sha384, sha256, and sha512. Since this hash originates remotely, it is not a useful guard against tampering and thus does not satisfy the --require-hashes demand that every package have a local hash.
But pip can also work in hash-checking mode (which is not enabled by default), which allows you to validate against local hashes for each of the packages you install:
Since version 8.0, pip can check downloaded package archives against local hashes to protect against remote tampering.
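The distinction drawn above (a remote `#md5=` fragment only catches corruption, while a locally recorded hash catches tampering) comes down to where the reference digest is stored. The following added example is not pip's own code; it shows the same check pip performs under `--require-hashes`, in a small POSIX shell script: record a SHA-256 digest of an archive you have already inspected into a requirements line, then later recompute the digest of a downloaded file and compare it to that local pin. The package name `packetname==1.0.0` and the archive contents are constructed placeholders.

```shell
#!/bin/sh
# Added example: local hash pinning in the style of pip --require-hashes.
# Not pip's implementation; it mirrors the check pip makes so the
# difference between a remote hash and a local hash is visible.

# Print only the hex SHA-256 digest of a file (portable across Linux/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# Emit a requirements.txt line that pins name==version to a sha256 hash,
# exactly the format pip accepts:  pkg==1.0 --hash=sha256:<hex>
# $1 = name==version spec (constructed placeholder in the usage below)
# $2 = path to the archive whose digest becomes the local reference
hash_pin_line() {
    printf '%s --hash=sha256:%s\n' "$1" "$(sha256_of "$2")"
}

# Verify an archive against a pinned requirements line.
# Returns 0 when the recomputed digest equals the recorded one, 1 otherwise
# (including when the line carries no sha256 pin at all, as pip would refuse).
# $1 = requirements line produced by hash_pin_line, $2 = archive to check
verify_against_pin() {
    expected=$(printf '%s\n' "$1" | sed -n 's/.*--hash=sha256:\([0-9a-f]*\).*/\1/p')
    actual=$(sha256_of "$2")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Usage (constructed archive, stands in for a downloaded wheel or sdist):
#   pkg=$(mktemp)
#   printf 'constructed archive bytes\n' > "$pkg"
#   hash_pin_line "packetname==1.0.0" "$pkg" > requirements.txt
#   verify_against_pin "$(cat requirements.txt)" "$pkg" && echo "digest matches"
# With the real tool the equivalent step is:
#   pip install --require-hashes -r requirements.txt
```

The point of the example is the provenance of the digest: the line written by `hash_pin_line` lives in your repository, so a later download that has been altered in transit or on the index fails `verify_against_pin`, whereas a `#md5=` fragment served alongside the file would simply be rewritten together with it.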
Check out this relevant thread as well:
pip uses HTTPS as the transfer protocol unless you consciously circumvent this. This already includes some verification (the package comes from a trusted source and is transferred in encrypted form and only decrypted on the target computer).
I am not sure about additional verification mechanisms built into pip; but there probably are.