A setuptools extension for signed certificate and public key metadata for verifying contents of pip modules.
Project description
Setuptools Certificate Metadata Extension
⚠️ This package has been permanently moved to the otumat package and will no longer be maintained here. Make sure to update any dependency accordingly.
This is a setuptools extension that provides new keyword arguments privkey_path and pubkey_path.
By specifying the privkey_path, setuptools will generate the git hash (SHA1) of the module directory and sign the output based on the PEM key path passed in. The resulting signature will be stored as egg metadata {{module_name}}.sig accessible via pkg_resources module.
If passing pubkey_path, this will simply be copied in as egg metadata {{module_name}}.pub.
This provides a solution to determining the 'trust-worthiness' of plugins or extensions that may be developed by the community for a given pip package if the public key file is available for the RSA keypair. The choice of what to do for failed verification is up to you.
Use
Extensible Package e.g. base
setuptools.setup(
...
setup_requires=['setuptools_certificate'],
pubkey_path='./pubkey.pem',
...
Plugin Package e.g. plugin1
setuptools.setup(
...
setup_requires=['setuptools_certificate'],
privkey_path='~/keys/privkey.pem',
...
Verifying Contents
import pkg_resources
from pathlib import Path
from setuptools_certificate import hash_pkg, verify
base_name = 'base'
plugin_name = 'plugin1'
base_meta = pkg_resources.get_distribution(base_name)
plugin_meta = pkg_resources.get_distribution(plugin_name)
data = hash_pkg(str(Path(plugin_meta.module_path, plugin_name)))
signature = plugin_meta.get_metadata('{}.sig'.format(plugin_name))
pubkey_path = str(Path(base_meta.egg_info, '{}.pub'.format(base_name)))
verify(pubkey_path, data, signature)
Compatibility with git and openssl CLI
For reference, certificates may also be generated and verified using git and openssl by the following process:
Generate
$ cd {{/path/to/local/repo/dir}}
$ git add . --all
$ GIT_HASH=$(git ls-files -s {{/pip/package/dir}} | git hash-object --stdin)
$ printf $GIT_HASH | openssl dgst -sha256 -sign {{/path/to/privkey/pem}} -out {{pip_package_name}}.sigbin -sigopt rsa_padding_mode:pss
$ openssl enc -base64 -in {{pip_package_name}}.sigbin -out {{pip_package_name}}.sig
$ rm {{pip_package_name}}.sigbin
$ git reset
Verify
$ cd {{/path/to/local/repo/dir}}
$ git add . --all
$ GIT_HASH=$(git ls-files -s {{/pip/package/dir}} | git hash-object --stdin)
$ openssl enc -base64 -d -in {{pip_package_name}}.sig -out {{pip_package_name}}.sigbin
$ printf $GIT_HASH | openssl dgst -sha256 -verify {{/path/to/pubkey/pem}} -signature {{pip_package_name}}.sigbin -sigopt rsa_padding_mode:pss
$ rm {{pip_package_name}}.sigbin
$ git reset
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for setuptools_certificate-0.0.7.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 540914654f05a8aaa8c8bf4b30b773822965fe2baca8e194673b97eb74146a5a |
|
| MD5 | 69fcffe15d264998165fabb2d8ba4cd7 |
|
| BLAKE2b-256 | e82d219031f6a6e2ca32d43ea1272431d94730c85123cee59694aec021d99be2 |
Hashes for setuptools_certificate-0.0.7-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 1384922d6137b6433f381742e22286ee608023251195d572e3eb4d56dd0d6d7c |
|
| MD5 | 326a434d9e4aaebb16d784016a27dcd8 |
|
| BLAKE2b-256 | 4c369e8b7d888ad4eaeef37439f1622e29edf741258db1975f879142965b039e |
