Verification of hashes for pip-installation of the cryptoadvance.specter package currently unclear #601

Open
k9ert opened this issue Nov 13, 2020 · 1 comment
Labels: chore (testing, automation, releasing and the like), help wanted (Extra attention is needed)

Comments

k9ert (Collaborator) commented Nov 13, 2020

The pip installation was the first installation we had, and #496 did a great job with this for the development setup.
But is it possible to do a proper hash-verified pip installation out of packages as well?

Currently that doesn't seem to be the case. Or at least, it's quite cumbersome:

(.env) ➜  temp virtualenv --python=python3 .env
created virtual environment CPython3.8.5.final.0-64 in 200ms
  creator CPython3Posix(dest=/home/kim/tmp/specter-desktop/temp/.env, clear=False, global=False)
  seeder FromAppData(download=False, wheel=latest, distlib=latest, pep517=latest, CacheControl=latest, colorama=latest, chardet=latest, retrying=latest, pkg_resources=latest, idna=latest, urllib3=latest, webencodings=latest, six=latest, appdirs=latest, certifi=latest, packaging=latest, contextlib2=latest, msgpack=latest, pytoml=latest, lockfile=latest, pip=latest, setuptools=latest, pyparsing=latest, distro=latest, progress=latest, requests=latest, html5lib=latest, ipaddr=latest, via=copy, app_data_dir=/home/kim/.local/share/virtualenv/seed-app-data/v1.0.1.debian)
  activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator
(.env) ➜  temp . ./.env/bin/activate
(.env) ➜  temp pip install cryptoadvance.specter --require-hashes
Collecting cryptoadvance.specter
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    cryptoadvance.specter from https://files.pythonhosted.org/packages/75/08/eb87a883ec7784eda961f56fa571f137b23043b8aed0d3686d8924f1b425/cryptoadvance.specter-0.9.2-py3-none-any.whl#sha256=b2d8c2d9b136aa80d1a5f593fe9bb831abe013e120966508fb99f5905f7081cd
(.env) ➜  temp 

It's not clear to me where to pin that version. Maybe it should be pinned in the requirements.txt BEFORE release? Should test that.
However, if we did that, how can you be sure that the hash which you get from the pip package management system is the correct hash?
Because of that, I thought the right way would be to do a release of a tar.gz binary and manual hashing:

(.env) ➜  temp wget https://github.com/cryptoadvance/specter-desktop/releases/download/v0.9.2/cryptoadvance.specter-0.9.2.tar.gz
...
cryptoadvance.spect 100%[===================>]   1,11M  1,47MB/s    in 0,8s    

2020-11-13 09:22:08 (1,47 MB/s) - ‘cryptoadvance.specter-0.9.2.tar.gz’ saved [1167636/1167636]

(.env) ➜  temp wget https://github.com/cryptoadvance/specter-desktop/releases/download/v0.9.2/sha256.signed.txt
...

sha256.signed.txt   100%[===================>]   1,15K  --.-KB/s    in 0s      

2020-11-13 09:23:19 (12,8 MB/s) - ‘sha256.signed.txt’ saved [1180/1180]

(.env) ➜  temp # do the checks here....
(.env) ➜  temp pip install cryptoadvance.specter-0.9.2.tar.gz --require-hashes
Processing ./cryptoadvance.specter-0.9.2.tar.gz
ERROR: Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)
    file:///home/kim/tmp/specter-desktop/temp/cryptoadvance.specter-0.9.2.tar.gz --hash=sha256:83195b4dcacb3bcb0ae98ba324d61def2402732cfb144c754a7d3adcd215d140
(.env) ➜  temp 

So this unfortunately doesn't work either. Any hints highly appreciated.

k9ert added the labels chore (testing, automation, releasing and the like) and help wanted (Extra attention is needed) on Nov 30, 2020
roshii (Contributor) commented May 24, 2024

AFAIK, we could proceed as follows:

  1. Calculate sha256sum for both source and wheel release during the release_pip CI step.
WHEEL_HASH=$(sha256sum cryptoadvance.specter-*.whl)
SRC_HASH=$(sha256sum cryptoadvance.specter-*.tar.gz)
echo "$WHEEL_HASH" > SHA256SUMS-pip
echo "$SRC_HASH" >> SHA256SUMS-pip
  2. Create an additional requirements file (pipy-requires.txt) for cryptoadvance.specter pinning its hashes during the release_pip CI step.
echo "-r requirements.txt" > pipy-requires.txt
echo "cryptoadvance.specter==${CI_COMMIT_TAG} \\" >> pipy-requires.txt
echo "  --hash=sha256:${WHEEL_HASH%% *} \\" >> pipy-requires.txt
echo "  --hash=sha256:${SRC_HASH%% *}" >> pipy-requires.txt
  3. Distribute pipy-requires.txt through GitHub releases or any other means.

Users can then download pipy-requires.txt and simply execute pip install -r pipy-requires.txt to do a proper hash-verified pip installation out of packages as well.

If this makes sense to you, I can update CI script to work accordingly.
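The release step sketched in the comment above, written out as a runnable script. This is an added example, not the project's CI script or either commenter's code: it computes SHA256SUMS-style lines for a set of release artifacts, verifies artifacts against such a file, and writes a pip requirements file that pins `NAME==VERSION` with one `--hash=sha256:` entry per artifact so that `pip install -r` runs in hash-checking mode. It also writes the `file://... --hash=...` form that pip's own error message on this page says it accepts for a locally downloaded archive. The artifact files it creates in `demo` are constructed stand-ins (a few bytes each), not real wheels or sdists; `cryptoadvance.specter` and `0.9.2` are taken from the page, and the function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not the project's own release_pip step). Builds a
# hash-pinned pip requirements file from release artifacts and checks
# artifacts against a SHA256SUMS-style file. All file names used in
# demo() are constructed stand-ins for the real wheel and sdist.
set -eu

# Write "<hex digest>  <path>" lines for every artifact given, one per line,
# in the format sha256sum -c understands.
write_sums() {
  sums="$1"; shift
  : > "$sums"
  for f in "$@"; do
    sha256sum "$f" >> "$sums"
  done
}

# Verify artifacts against a sums file; non-zero exit on any mismatch.
verify_sums() {
  sha256sum -c "$1" >/dev/null 2>&1
}

# Produce a requirements file pinning NAME==VERSION with one --hash line per
# artifact. pip turns on --require-hashes automatically once any hash is
# present, so `pip install -r FILE` becomes a hash-verified install.
write_pinned_requirements() {
  out="$1"; name="$2"; version="$3"; shift 3
  printf '%s==%s' "$name" "$version" > "$out"
  for f in "$@"; do
    h=$(sha256sum "$f")
    h=${h%% *}                         # keep only the hex digest
    printf ' \\\n    --hash=sha256:%s' "$h" >> "$out"
  done
  printf '\n' >> "$out"
}

# Same idea for an archive already on disk: the accepted form (as printed by
# pip's error message) is a file:// URL followed by its --hash.
write_local_requirement() {
  out="$1"; archive="$2"
  h=$(sha256sum "$archive"); h=${h%% *}
  abs=$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive")
  printf 'file://%s --hash=sha256:%s\n' "$abs" "$h" > "$out"
}

# Number of --hash pins a requirements file carries (useful as a sanity check
# before publishing it).
count_hashes() {
  grep -c -- '--hash=sha256:' "$1"
}

# End-to-end walk-through on constructed artifacts; prints the generated
# files and demonstrates that a tampered archive fails verification.
demo() {
  work=$(mktemp -d)
  cd "$work"
  printf 'constructed wheel stand-in\n' > cryptoadvance.specter-0.9.2-py3-none-any.whl
  printf 'constructed sdist stand-in\n' > cryptoadvance.specter-0.9.2.tar.gz

  write_sums SHA256SUMS-pip cryptoadvance.specter-0.9.2-py3-none-any.whl \
    cryptoadvance.specter-0.9.2.tar.gz
  verify_sums SHA256SUMS-pip && echo "artifacts match SHA256SUMS-pip"

  write_pinned_requirements pipy-requires.txt cryptoadvance.specter 0.9.2 \
    cryptoadvance.specter-0.9.2-py3-none-any.whl cryptoadvance.specter-0.9.2.tar.gz
  write_local_requirement local-requires.txt ./cryptoadvance.specter-0.9.2.tar.gz
  cat pipy-requires.txt local-requires.txt

  # Tamper with the sdist after the sums were written: the check must fail.
  printf 'tampered\n' >> cryptoadvance.specter-0.9.2.tar.gz
  if verify_sums SHA256SUMS-pip; then
    echo "tampering NOT detected"; return 1
  fi
  echo "tampered archive rejected"
}
```

Run `demo` from an interactive shell to see the generated pipy-requires.txt; a real release would then run `pip install -r pipy-requires.txt`. Two caveats matter in practice. First, the hashes only prove that the download matches what CI hashed; if pipy-requires.txt or SHA256SUMS-pip is fetched from the same place as the package, an attacker who can replace one can replace both, so the sums file still needs a signature (the page's sha256.signed.txt is that piece) and the user needs the signing key from an independent channel. Second, hash-checking mode applies to every requirement pip resolves, including those pulled in through `-r requirements.txt`, so each of those lines must carry its own `--hash` entries or pip refuses to install.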
