
Verification of hashes for pip-installation of the cryptoadvance.specter package currently unclear

Open · k9ert opened this issue 4 years ago · 1 comment

The pip installation was the first installation we had, and #496 did a great job with this for the development setup. But is it possible to do a proper hash-verified pip installation out of packages as well?

Currently that doesn't seem to be the case. Or at least, it's quite cumbersome:

(.env) ➜  temp virtualenv --python=python3 .env
created virtual environment CPython3.8.5.final.0-64 in 200ms
  creator CPython3Posix(dest=/home/kim/tmp/specter-desktop/temp/.env, clear=False, global=False)
  seeder FromAppData(download=False, wheel=latest, distlib=latest, pep517=latest, CacheControl=latest, colorama=latest, chardet=latest, retrying=latest, pkg_resources=latest, idna=latest, urllib3=latest, webencodings=latest, six=latest, appdirs=latest, certifi=latest, packaging=latest, contextlib2=latest, msgpack=latest, pytoml=latest, lockfile=latest, pip=latest, setuptools=latest, pyparsing=latest, distro=latest, progress=latest, requests=latest, html5lib=latest, ipaddr=latest, via=copy, app_data_dir=/home/kim/.local/share/virtualenv/seed-app-data/v1.0.1.debian)
  activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator
(.env) ➜  temp . ./.env/bin/activate
(.env) ➜  temp pip install cryptoadvance.specter --require-hashes
Collecting cryptoadvance.specter
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    cryptoadvance.specter from https://files.pythonhosted.org/packages/75/08/eb87a883ec7784eda961f56fa571f137b23043b8aed0d3686d8924f1b425/cryptoadvance.specter-0.9.2-py3-none-any.whl#sha256=b2d8c2d9b136aa80d1a5f593fe9bb831abe013e120966508fb99f5905f7081cd
(.env) ➜  temp 

It's not clear to me where to pin that version. Maybe it should be pinned in the requirements.txt BEFORE release? Should test that. However, if we did that, how can you be sure that the hash which you get from the pip package management system is the correct hash? Because of that, I thought the right way would be to do a release of a tar.gz binary and a manual hashing:

(.env) ➜  temp wget https://github.com/cryptoadvance/specter-desktop/releases/download/v0.9.2/cryptoadvance.specter-0.9.2.tar.gz
...
cryptoadvance.spect 100%[===================>]   1,11M  1,47MB/s    in 0,8s    

2020-11-13 09:22:08 (1,47 MB/s) - ‘cryptoadvance.specter-0.9.2.tar.gz’ saved [1167636/1167636]

(.env) ➜  temp wget https://github.com/cryptoadvance/specter-desktop/releases/download/v0.9.2/sha256.signed.txt
...

sha256.signed.txt   100%[===================>]   1,15K  --.-KB/s    in 0s      

2020-11-13 09:23:19 (12,8 MB/s) - ‘sha256.signed.txt’ saved [1180/1180]

(.env) ➜  temp # do the checks here....
(.env) ➜  temp pip install cryptoadvance.specter-0.9.2.tar.gz --require-hashes
Processing ./cryptoadvance.specter-0.9.2.tar.gz
ERROR: Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)
    file:///home/kim/tmp/specter-desktop/temp/cryptoadvance.specter-0.9.2.tar.gz --hash=sha256:83195b4dcacb3bcb0ae98ba324d61def2402732cfb144c754a7d3adcd215d140
(.env) ➜  temp 

So this unfortunately doesn't work either. Any hints highly appreciated.

k9ert, Nov 13 '20 08:11
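The two pip errors quoted in the issue come from the same rule: in `--require-hashes` mode pip only accepts requirements that are pinned with `==` and carry a `--hash=sha256:...` option, and those lines live in a requirements file passed with `-r`, not on the command line. The following is an added example, not code from the specter-desktop project or from the issue author. It checks a downloaded artifact against a `sha256sum`-style checksum list, extracts the `#sha256=` fragment pip prints for the PyPI wheel so it can be compared with the same list, and emits the pinned requirements line pip needs. The sample artifact bytes, the checksum list and its `<digest>  <filename>` layout are constructed here and are assumptions; the real `sha256.signed.txt` may use a different layout.

```python
"""Added example: verify a release artifact against a checksum list and build
the pinned, hashed requirements line that `pip install --require-hashes -r`
accepts. Not part of the specter-desktop project; sample data is constructed.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumed layout: what `sha256sum` prints, "<64 hex>  <filename>" (a leading
# '*' on the filename marks binary mode and is tolerated).
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_checksums(text):
    """Map filename -> lowercase sha256 hex digest; reject malformed lines."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CHECKSUM_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable checksum line: {line!r}")
        digests[m.group(2)] = m.group(1).lower()
    return digests


def sha256_of(path):
    """Stream the file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, digests):
    """True iff the file's digest equals the listed one; an unlisted file is an error."""
    name = Path(path).name
    if name not in digests:
        raise KeyError(f"{name!r} has no entry in the checksum file")
    return hmac.compare_digest(sha256_of(path), digests[name])


def digest_from_index_url(url):
    """pip reports the index's own hash as a '#sha256=<hex>' fragment on the
    download URL (see the first error in the issue); return it, or None."""
    frag = urlparse(url).fragment
    if not frag.startswith("sha256="):
        return None
    return frag[len("sha256="):].lower()


def pinned_requirement(project, version, digest):
    """The only form --require-hashes accepts: '==' pin plus --hash option."""
    return f"{project}=={version} --hash=sha256:{digest}"


def demo():
    """Run the whole flow on constructed data and return the observations."""
    with tempfile.TemporaryDirectory() as d:
        art = Path(d) / "cryptoadvance.specter-0.9.2.tar.gz"
        # Constructed stand-in for the sdist; not the real release bytes.
        art.write_bytes(b"constructed stand-in for the release sdist\n")
        good = sha256_of(art)
        # Constructed checksum list; the wheel digest here is a placeholder.
        listing = (f"{good}  cryptoadvance.specter-0.9.2.tar.gz\n"
                   f"{'0' * 64}  cryptoadvance.specter-0.9.2-py3-none-any.whl\n")
        (Path(d) / "sha256.signed.txt").write_text(listing)
        digests = parse_checksums((Path(d) / "sha256.signed.txt").read_text())

        ok = verify_artifact(art, digests)
        req = pinned_requirement("cryptoadvance.specter", "0.9.2", digests[art.name])

        # Failure mode: a modified archive must not verify against the list.
        art.write_bytes(b"tampered archive contents\n")
        tampered_ok = verify_artifact(art, digests)

        return {"ok": ok, "tampered_ok": tampered_ok,
                "requirement": req, "digest": good}


if __name__ == "__main__":
    result = demo()
    print(result["requirement"])
    print("verified:", result["ok"], "tampered verified:", result["tampered_ok"])
```

Write the emitted line to a requirements file and install with `pip install --require-hashes -r requirements.txt` (add `--no-index --find-links .` to install the local tar.gz instead of fetching from PyPI); pip then refuses any artifact whose digest differs. Note that a SHA-256 match only proves the file equals what the checksum list says: the list is trustworthy only after its signature has been verified against a key obtained out of band, which is the step the checksum comparison itself cannot replace.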