-
Notifications
You must be signed in to change notification settings - Fork 177
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sign PyPI Releases #226
Comments
Hey @maltfield, Where would you get the hashes and/or the public key that you can use to verify a signature from? How would you trust the hashes and/or the public key haven't been tampered with? Forgive me for being blunt, I've read several discussions on the subject and I'm yet to hear a convincing argument about signed hashes like this doing more than just moving the trust (with all the security implications) elsewhere. The cryptography is a non-issue as far as I understand, it's the key distribution that's the (unsolved) problem. |
PGP has been around since 1991. Rather than having one way to distribute your authoritative PGP signing key, there are many solutions to this problem. Personally, I recommend that you upload your public key (or, at minimum, the full fingerprint of your key) to as many distinct domains as possible. For example:
By uploading your key to multiple distinct domains, you permit your end-users or downstream developers to obtain your key safely, as it's significantly less likely for an attacker to modify the key or fingerprint's contents or pull-off a MITM attack on 3+ distinct domains. But that's just my personal recommendation. Many large organizations sign their releases with PGP, and some of them have written best-practices guides based on their experiences, which I recommend looking into:
Please let me know if you have any other questions regarding how to generate a PGP signing keypair, safely distribute its public key, sign your packages with this key, and how to document the process for users to cryptographically verify your release's signatures for their authenticity and integrity. |
I'm sorry, you seem to have assumed I don't know or understand all of those things (I do) while not really responding to my questions. |
Sorry, I'm not sure how the above explanation doesn't answer your question? |
Describe the bug
When a user downloads this python module using
pip
, there is no cryptographic authenticity or integrity validation to protect the user from a MITM attack.Therefore, this project is making any other projects that obtain the
netaddr
module viapip
in their build process vulnerable to a watering hole attack.Expected behavior
Users should have a mechanism to cryptographically verify the integrity and authenticity of netaddr when obtaining it through
pip
.To Reproduce
pip install netaddr
Additional context
Possible solutions include:
Using the
--sign
argument oftwine
when uploading packages to PyPIPublishing a cryptographically signed document (ideally using
gpg
) listing the hashes for all packages uploaded to PyPI, which users can then pass intopip
using the--hash
argumentThe text was updated successfully, but these errors were encountered: