
A setuptools extension that adds signed-hash and public-key metadata for verifying the contents of pip packages.

Project description

Setuptools Certificate Metadata Extension

⚠️ This package has been permanently moved to the otumat package and will no longer be maintained here. Make sure to update any dependency accordingly.

This is a setuptools extension that provides two new setup() keyword arguments, privkey_path and pubkey_path.

When privkey_path is given, setuptools computes the git hash (SHA-1) of the module directory and signs it with the PEM private key at that path. The resulting signature is stored as the egg metadata file {{module_name}}.sig, which can be read through the pkg_resources module.

When pubkey_path is given, the file is simply copied in as the egg metadata file {{module_name}}.pub.

This offers a way to establish the trustworthiness of plugins or extensions that the community may develop for a given pip package, provided the public key of the RSA keypair is available. What to do when verification fails is up to you.

Use

Extensible Package e.g. base

setuptools.setup(
    ...
    setup_requires=['setuptools_certificate'],
    pubkey_path='./pubkey.pem',
    ...
)

Plugin Package e.g. plugin1

setuptools.setup(
    ...
    setup_requires=['setuptools_certificate'],
    privkey_path='~/keys/privkey.pem',
    ...
)

Verifying Contents

import pkg_resources
from pathlib import Path
from setuptools_certificate import hash_pkg, verify

base_name = 'base'
plugin_name = 'plugin1'
base_meta = pkg_resources.get_distribution(base_name)
plugin_meta = pkg_resources.get_distribution(plugin_name)

# Re-hash the installed plugin directory, read the signature the plugin shipped
# as egg metadata, and locate the public key the base package shipped.
data = hash_pkg(str(Path(plugin_meta.module_path, plugin_name)))
signature = plugin_meta.get_metadata('{}.sig'.format(plugin_name))
pubkey_path = str(Path(base_meta.egg_info, '{}.pub'.format(base_name)))

# Check the signature against the base package's public key; how a failed
# check is handled is left to the caller.
verify(pubkey_path, data, signature)

Compatibility with git and openssl CLI

For reference, the same signature can be generated and verified with the git and openssl command-line tools as follows:

Generate

$ cd {{/path/to/local/repo/dir}}
$ git add . --all
$ GIT_HASH=$(git ls-files -s {{/pip/package/dir}} | git hash-object --stdin)
$ printf $GIT_HASH | openssl dgst -sha256 -sign {{/path/to/privkey/pem}} -out {{pip_package_name}}.sigbin -sigopt rsa_padding_mode:pss
$ openssl enc -base64 -in {{pip_package_name}}.sigbin -out {{pip_package_name}}.sig
$ rm {{pip_package_name}}.sigbin
$ git reset

Verify

$ cd {{/path/to/local/repo/dir}}
$ git add . --all
$ GIT_HASH=$(git ls-files -s {{/pip/package/dir}} | git hash-object --stdin)
$ openssl enc -base64 -d -in {{pip_package_name}}.sig -out {{pip_package_name}}.sigbin
$ printf $GIT_HASH | openssl dgst -sha256 -verify {{/path/to/pubkey/pem}} -signature {{pip_package_name}}.sigbin -sigopt rsa_padding_mode:pss
$ rm {{pip_package_name}}.sigbin
$ git reset
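The hashing and signing steps described in the introduction and in the git/openssl commands above, as an added example that is not part of setuptools_certificate and does not call its own hash_pkg or verify: it recomputes the `git ls-files -s | git hash-object --stdin` fingerprint with hashlib alone (assuming every file under the package directory is tracked at stage 0 and no .gitignore rules apply), then signs and verifies that fingerprint with the third-party `cryptography` package using the same RSA-PSS over SHA-256 scheme the openssl commands use (maximum salt length when signing, as openssl defaults to; auto-detected when verifying). The function names, the sample package layout and the generated key material are all constructed here; the tampering step shows a modified file failing verification.

```python
"""Added example, not part of setuptools_certificate. Assumptions: every file
under the package directory is tracked (stage 0), no .gitignore rules apply,
and the `cryptography` package is installed for the two signing functions."""
import base64
import hashlib
import os
from pathlib import Path


def git_blob_hash(content: bytes) -> str:
    """SHA-1 of a git blob object, i.e. what `git hash-object --stdin` prints."""
    header = f"blob {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def git_index_listing(pkg_dir, repo_root) -> bytes:
    """Rebuild the output of `git ls-files -s <pkg_dir>` run from repo_root:
    one '<mode> <blob-sha1> 0\\t<path>' line per file, sorted bytewise by path
    the way index entries are. Paths are relative to the repository root."""
    entries = []
    for p in Path(pkg_dir).rglob("*"):
        rel = p.relative_to(repo_root).as_posix()
        if p.is_symlink():                   # git stores the link target as the blob
            mode, blob = "120000", git_blob_hash(os.readlink(p).encode())
        elif p.is_file():
            mode = "100755" if p.stat().st_mode & 0o111 else "100644"
            blob = git_blob_hash(p.read_bytes())
        else:
            continue                         # directories are not index entries
        entries.append((rel.encode(), f"{mode} {blob} 0\t{rel}\n".encode()))
    entries.sort()
    return b"".join(line for _, line in entries)


def hash_pkg(pkg_dir, repo_root=None) -> str:
    """`git ls-files -s <dir> | git hash-object --stdin` without git: hash-object
    defaults to type blob, so the listing itself is hashed as a blob. repo_root
    defaults to the parent of pkg_dir (assumed layout: <repo>/<package>)."""
    pkg_dir = Path(pkg_dir)
    repo_root = Path(repo_root) if repo_root else pkg_dir.parent
    return git_blob_hash(git_index_listing(pkg_dir, repo_root))


def sign_hash(privkey_pem: bytes, git_hash: str) -> str:
    """Counterpart of `printf $GIT_HASH | openssl dgst -sha256 -sign ... -sigopt
    rsa_padding_mode:pss` plus `openssl enc -base64`: the ASCII hex digest with
    no trailing newline is the signed message."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(privkey_pem, password=None)
    sig = key.sign(git_hash.encode("ascii"),
                   padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                               salt_length=padding.PSS.MAX_LENGTH),
                   hashes.SHA256())
    # Line-wrapped base64 like `openssl enc -base64`; decoding ignores the wrapping.
    return base64.encodebytes(sig).decode("ascii")


def verify_hash(pubkey_pem: bytes, git_hash: str, signature_b64: str) -> bool:
    """True only for a valid RSA-PSS signature over the ASCII git hash. A bad
    signature returns False instead of raising, so the caller sets the policy
    (refuse to load the plugin, warn, log), which the README leaves open."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_public_key(pubkey_pem)
    try:
        key.verify(base64.b64decode(signature_b64), git_hash.encode("ascii"),
                   padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                               salt_length=padding.PSS.AUTO),
                   hashes.SHA256())
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    import tempfile
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa

    with tempfile.TemporaryDirectory() as tmp:      # constructed sample repo
        root = Path(tmp)
        pkg = root / "plugin1"
        pkg.mkdir()
        (pkg / "__init__.py").write_text("VERSION = '1'\n")
        digest = hash_pkg(pkg, root)

        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        priv = key.private_bytes(serialization.Encoding.PEM,
                                 serialization.PrivateFormat.PKCS8,
                                 serialization.NoEncryption())
        pub = key.public_key().public_bytes(
            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
        sig = sign_hash(priv, digest)                # what plugin1.sig would hold
        print("pristine plugin verifies:", verify_hash(pub, digest, sig))

        (pkg / "__init__.py").write_text("VERSION = '2'\n")   # tamper after signing
        print("tampered plugin verifies:", verify_hash(pub, hash_pkg(pkg, root), sig))
```

The listing that gets hashed carries each file's path, mode and content but no timestamps, so renaming a file, flipping its executable bit or changing a byte all change the fingerprint, while a fresh checkout of the same tree reproduces it. The public key shipped in the base package is the trust anchor; a verifier that accepts any key found next to the plugin verifies nothing.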


File details

Details for the file setuptools_certificate-0.0.7.tar.gz.

File metadata

  • Download URL: setuptools_certificate-0.0.7.tar.gz
  • Size: 3.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.0.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.7.7

File hashes

Hashes for setuptools_certificate-0.0.7.tar.gz

  • SHA256: 540914654f05a8aaa8c8bf4b30b773822965fe2baca8e194673b97eb74146a5a
  • MD5: 69fcffe15d264998165fabb2d8ba4cd7
  • BLAKE2b-256: e82d219031f6a6e2ca32d43ea1272431d94730c85123cee59694aec021d99be2


File details

Details for the file setuptools_certificate-0.0.7-py3-none-any.whl.

File metadata

  • Download URL: setuptools_certificate-0.0.7-py3-none-any.whl
  • Size: 5.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.0.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.7.7

File hashes

Hashes for setuptools_certificate-0.0.7-py3-none-any.whl

  • SHA256: 1384922d6137b6433f381742e22286ee608023251195d572e3eb4d56dd0d6d7c
  • MD5: 326a434d9e4aaebb16d784016a27dcd8
  • BLAKE2b-256: 4c369e8b7d888ad4eaeef37439f1622e29edf741258db1975f879142965b039e
