KivyMD icon indicating copy to clipboard operation
KivyMD copied to clipboard

Published 20 hours ago verified publisher icon kivymd

Sign PyPI releases

Open maltfield opened this issue 3 years ago • 1 comments

Describe the bug

When a user downloads this python module using pip, there is no cryptographic authenticity or integrity validation to protect the user from a MITM attack.

Therefore, this project is making any other projects that obtain the kivymd module via pip in their build process vulnerable to a watering hole attack.

Expected behavior

A developer should have a mechanism to cryptographically verify the integrity and authenticity of kivymd when obtaining it through pip.

To Reproduce

pip install kivymd

Additional context

Possible solutions include:

  1. Using the --sign argument of twine when uploading packages to PyPI

  2. Publishing a cryptographically signed document (ideally using gpg) listing the hashes for all packages uploaded to PyPI, which users can then pass into pip using the --hash argument

maltfield avatar Aug 31 '20 10:08 maltfield

It seems like a good measure.

podraco avatar Aug 31 '20 13:08 podraco