Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

We do not have a means of verifying the pip packages we download are authentic #3270

Open
heartsucker opened this issue Apr 16, 2018 · 1 comment
Open

We do not have a means of verifying the pip packages we download are authentic #3270

heartsucker opened this issue Apr 16, 2018 · 1 comment
Labels
security

Comments

@heartsucker
Copy link
Contributor

Feature request

Description

Related to #3269.

We do not use the --hash option for all of our pip requirements files. In the cases where we do, if the hashes change, we have no way of verifying that the hashes are correct.

For example, in admin/requirements.txt, the package crypt has 30 (!!!) possible hashes that are acceptable.

bcrypt==3.1.4 \
    --hash=sha256:01477981abf74e306e8ee31629a940a5e9138de000c6b0898f7f850461c4a0a5 \
    --hash=sha256:054d6e0acaea429e6da3613fcd12d05ee29a531794d96f6ab959f29a39f33391 \
    --hash=sha256:0872eeecdf9a429c1420158500eedb323a132bc5bf3339475151c52414729e70 \
    --hash=sha256:09a3b8c258b815eadb611bad04ca15ec77d86aa9ce56070e1af0d5932f17642a \
    --hash=sha256:0f317e4ffbdd15c3c0f8ab5fbd86aa9aabc7bea18b5cc5951b456fe39e9f738c \
    --hash=sha256:2788c32673a2ad0062bea850ab73cffc0dba874db10d7a3682b6f2f280553f20 \
    --hash=sha256:321d4d48be25b8d77594d8324c0585c80ae91ac214f62db9098734e5e7fb280f \
    --hash=sha256:346d6f84ff0b493dbc90c6b77136df83e81f903f0b95525ee80e5e6d5e4eef84 \
    --hash=sha256:34dd60b90b0f6de94a89e71fcd19913a30e83091c8468d0923a93a0cccbfbbff \
    --hash=sha256:3b4c23300c4eded8895442c003ae9b14328ae69309ac5867e7530de8bdd7875d \
    --hash=sha256:43d1960e7db14042319c46925892d5fa99b08ff21d57482e6f5328a1aca03588 \
    --hash=sha256:49e96267cd9be55a349fd74f9852eb9ae2c427cd7f6455d0f1765d7332292832 \
    --hash=sha256:67ed1a374c9155ec0840214ce804616de49c3df9c5bc66740687c1c9b1cd9e8d \
    --hash=sha256:6efd9ca20aefbaf2e7e6817a2c6ed4a50ff6900fafdea1bcb1d0e9471743b144 \
    --hash=sha256:8569844a5d8e1fdde4d7712a05ab2e6061343ac34af6e7e3d7935b2bd1907bfd \
    --hash=sha256:8629ea6a8a59f865add1d6a87464c3c676e60101b8d16ef404d0a031424a8491 \
    --hash=sha256:988cac675e25133d01a78f2286189c1f01974470817a33eaf4cfee573cfb72a5 \
    --hash=sha256:9a6fedda73aba1568962f7543a1f586051c54febbc74e87769bad6a4b8587c39 \
    --hash=sha256:9eced8962ce3b7124fe20fd358cf8c7470706437fa064b9874f849ad4c5866fc \
    --hash=sha256:a005ed6163490988711ff732386b08effcbf8df62ae93dd1e5bda0714fad8afb \
    --hash=sha256:ae35dbcb6b011af6c840893b32399252d81ff57d52c13e12422e16b5fea1d0fb \
    --hash=sha256:b1e8491c6740f21b37cca77bc64677696a3fb9f32360794d57fa8477b7329eda \
    --hash=sha256:c906bdb482162e9ef48eea9f8c0d967acceb5c84f2d25574c7d2a58d04861df1 \
    --hash=sha256:cb18ffdc861dbb244f14be32c47ab69604d0aca415bee53485fcea4f8e93d5ef \
    --hash=sha256:d86da365dda59010ba0d1ac45aa78390f56bf7f992e65f70b3b081d5e5257b09 \
    --hash=sha256:e22f0997622e1ceec834fd25947dc2ee2962c2133ea693d61805bc867abaf7ea \
    --hash=sha256:f2fe545d27a619a552396533cddf70d83cecd880a611cdfdbb87ca6aec52f66b \
    --hash=sha256:f7fd3ed3745fe6e81e28dc3b3d76cce31525a91f32a387e1febd6b982caf8cdb \
    --hash=sha256:f9210820ee4818d84658ed7df16a7f30c9fba7d8b139959950acef91745cc0f7 \

Ideally there would be exactly one hash for the package. Regardless, we have no way of checking that all 30 of these version are the real bcrypt.

In #3269, a new hash for pluggy appeared, and we also have no way of checking that this new hash isn't malware.

Note: When I say "no way", I mean no procedure. Though it might be technically infeasible because there may be more hashes than content on PyPI, so we may not be able to actually fetch every version for every hash.

I was under the impression that PyPI used TUF for package verification, so command line options should not have any effect on whether or not a package is verified or not. This needs additional investigation.

User Stories

As a security conscious dev, I want to know that the dependencies I'm pushing to SD instances are authentic.
@msheiny msheiny mentioned this issue May 24, 2018
Closed
@redshiftzero redshiftzero mentioned this issue Dec 14, 2018
Open
@emkll emkll mentioned this issue May 13, 2019
Merged
9 tasks
@legoktm
Copy link
Member

legoktm commented Sep 30, 2022

So...this is mostly solved through the diff review process where we document the sha256sum of the package we reviewed, which shows up in the requirements.txt file. The other hashes are ignored because we don't download any binaries at build time, as we build from source.

Assuming pip can't be tricked into using a binary when we said not to, then we're safe I think.

But this will be properly solved by reproducible wheels (#5901) as those will be wheels we fully trust, and only the sha256sum of those wheels will be in the build-requirements.txt.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@legoktm @heartsucker