cryptoadvance · stepansnigirev · Oct 11, 2020 · Oct 9, 2020 · Oct 10, 2020
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -10,6 +10,7 @@ git clone https://github.com/cryptoadvance/specter-desktop.git
 cd specter-desktop
 virtualenv --python=python3 .env
 source .env/bin/activate
+pip3 install -r requirements.txt --require-hashes
 pip3 install -e .
 ```
 
@@ -24,8 +25,8 @@ python3 -m cryptoadvance.specter server
 Run the tests (still very limited):
 
 ```sh
-pip3 install -e .
 pip3 install -r test_requirements.txt
+pip3 install -e .
 
 # needs a bitcoind on your path
 pytest 
@@ -141,6 +142,13 @@ If you see this to need some improvements, please make it in small steps and exp
 ## Some words about dependencies
 As a quite young project, we don't have many dependencies yet and as a quite secure-aware use-case, we don't even want to have too many dependencies. That's sometimes the reason that we decide to roll our own rather then taking in new dependencies. This is especially true for javascript. We prefer plain javascript over any kind of frameworks.
 
+If you update `requirements.in` you will need to run the following to update `requirements.txt`:
+```sh
+$ pip-compile --generate-hashes requirements.in
+```
+
+This is good for both security and reproducibility.
+
 ## Some words specific to the frontend
 We're aware that currently the app is not very compatible on different browsers and there is no clear strategy yet on how (and whether at all) to fix that. High level consultancy help on that would be appreciated even so (or especially when) you take the above security/dependency requirements into account.
 

diff --git a/docs/continuous-integration.md b/docs/continuous-integration.md
@@ -57,7 +57,7 @@ virtualenv --python=python3 .env
 source .env/bin/activate
 # Workaround because dependencies are not availabe on test.pypi.org
 wget https://raw.githubusercontent.com/cryptoadvance/specter-desktop/master/requirements.txt
-python3 -m pip install -r requirements.txt  
+python3 -m pip install -r requirements.txt  --require-hashes
 # Install the package
 python3 -m pip install --index-url https://test.pypi.org/simple/ --no-deps cryptoadvance.specter
 # AND Ready to go! e.g.:

diff --git a/pyinstaller/README.md b/pyinstaller/README.md
@@ -11,7 +11,7 @@ On Windows `release` folder is empty, but `dist` folder contains a `specter_desk
 `cd` into this directory (`specter-desktop/pyinstaller`) and install requirements:
 
 ```bash
-$ pip3 install -r requirements.txt
+$ pip3 install -r requirements.txt --require-hashes
 ```
 
 Now run:

diff --git a/pyinstaller/build-osx.sh b/pyinstaller/build-osx.sh
@@ -3,8 +3,8 @@
 # pass version number as an argument 
 
 echo $1 > version.txt
+pip install -r requirements.txt --require-hashes
 pip install -e ..
-pip install -r requirements.txt
 rm -rf build/ dist/ release/
 rm *.dmg
 pyinstaller specter_desktop.spec
@@ -14,4 +14,4 @@ mkdir release
 
 create-dmg 'dist/Specter.app'
 mv "Specter 0.0.0.dmg" release/SpecterDesktop-$1.dmg
-zip release/specterd-$1-osx.zip dist/specterd
+zip release/specterd-$1-osx.zip dist/specterd
diff --git a/pyinstaller/build-unix.sh b/pyinstaller/build-unix.sh
@@ -3,8 +3,8 @@
 # pass version number as an argument 
 
 echo $1 > version.txt
+pip install -r requirements.txt --require-hashes
 pip install -e ..
-pip install -r requirements.txt
 rm -rf build/ dist/ release/
 pyinstaller specter_desktop.spec
 pyinstaller specterd.spec

diff --git a/pyinstaller/build-win.bat b/pyinstaller/build-win.bat
@@ -1,7 +1,7 @@
 @ECHO OFF
 echo %1 > version.txt
+pip install -r requirements.txt  --require-hashes
 pip install -e ..
-pip install -r requirements.txt
 rmdir /s /q .\dist\
 rmdir /s /q .\build\
 rmdir /s /q .\release\
@@ -10,4 +10,4 @@ pyinstaller.exe specterd.spec
 
 mkdir release
 
-echo We've built everything we could, now zip specterd and run inno-setup for specter-desktop
+echo We've built everything we could, now zip specterd and run inno-setup for specter-desktop
diff --git a/requirements.in b/requirements.in
@@ -0,0 +1,15 @@
+certifi==2019.9.11
+chardet==3.0.4
+Click==7.0
+daemonize==2.5.0
+Flask==1.1.2
+Flask-Cors==3.0.8
+Flask-Login==0.5.0
+hwi==1.1.2
+bitbox02==4.1.0
+pyserial==3.4
+python-dotenv==0.13.0
+requests==2.23.0
+pysocks==1.7.1
+six==1.12.0
+stem==1.8.0
diff --git a/requirements.txt b/requirements.txt
diff --git a/setup.py b/setup.py
@@ -6,7 +6,12 @@
     install_reqs = f.read().strip().split("\n")
 
 
-reqs = [str(ir) for ir in install_reqs if not ir.startswith("#")]
+# Filter out comments/hashes
+reqs = []
+for req in install_reqs:
+    if req.startswith("#") or req.startswith("    --hash="):
+        continue
+    reqs.append(str(req).rstrip(" \\"))
 
 
 with open("README.md", "r") as fh:

diff --git a/test_requirements.txt b/test_requirements.txt
@@ -1,5 +1,6 @@
 # requirements for testing
 black==20.8b1
 docker==4.1.0
+pip-tools==5.3.1
 pytest==5.2.2
 PySocks==1.7.1