KivyMD
Sign PyPI releases
Describe the bug
When a user downloads this python module using pip, there is no cryptographic authenticity or integrity validation to protect the user from a MITM attack. Therefore, this project is making any other projects that obtain the kivymd module via pip in their build process vulnerable to a watering hole attack.
Expected behavior
A developer should have a mechanism to cryptographically verify the integrity and authenticity of kivymd when obtaining it through pip.
To Reproduce
pip install kivymd
Additional context
Possible solutions include:
- Using the --sign argument of twine when uploading packages to PyPI
- Publishing a cryptographically signed document (ideally using gpg) listing the hashes for all packages uploaded to PyPI, which users can then pass into pip using the --hash argument
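The second option above relies on the consumer doing two things: checking each downloaded artifact against the published hash list, and then pinning those hashes in a requirements file so that pip's hash-checking mode (which is enabled automatically whenever a requirement carries a --hash option) refuses anything that does not match. The script below is an added example written for this issue, not code from the KivyMD project or the reporter. It assumes a sha256sum-style manifest (one "<hex digest>  <filename>" per line) that has already been signature-verified with gpg by the caller, checks every file in a download directory against it, and emits the corresponding "name==version --hash=sha256:..." lines. The file names, version 0.0.0 and digests in demo() are constructed placeholders, not real kivymd release values.

```python
"""Verify downloaded PyPI artifacts against a published hash manifest and
emit pip hash-pinned requirement lines (added example; not KivyMD's own code)."""
import hashlib
import os
import re
import tempfile

# sha256sum-style manifest line: "<64 hex chars>  <filename>" (optional "*" for binary mode).
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_manifest(text):
    """Return {filename: lowercase sha256 hex digest}; reject malformed lines."""
    digests = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digests[m.group(2)] = m.group(1).lower()
    return digests


def sha256_file(path):
    """Stream a file through SHA-256 so large wheels do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(download_dir, digests):
    """Check every artifact in download_dir against the manifest.

    Returns (ok, mismatched, unlisted): ok maps verified filename -> digest,
    mismatched lists files whose digest differs from the manifest, and
    unlisted lists files the manifest never mentions. Only ok is installable.
    """
    ok, mismatched, unlisted = {}, [], []
    for name in sorted(os.listdir(download_dir)):
        actual = sha256_file(os.path.join(download_dir, name))
        expected = digests.get(name)
        if expected is None:
            unlisted.append(name)
        elif actual != expected:
            mismatched.append(name)
        else:
            ok[name] = actual
    return ok, mismatched, unlisted


def requirement_line(filename, digest):
    """Build 'name==version --hash=sha256:<digest>' from a wheel or sdist filename.

    Wheel names are name-version-pytag-abitag-platform.whl and sdists are
    name-version.tar.gz; both put the version in the second dash-separated field.
    """
    base = filename[:-4] if filename.endswith(".whl") else filename
    if base.endswith(".tar.gz"):
        base = base[:-7]
    name, version = base.split("-")[:2]
    return f"{name}=={version} --hash=sha256:{digest}"


def demo():
    """Constructed end-to-end run: one intact artifact, one tampered, one unlisted."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed wheel bytes, not a real kivymd release"
        sdist = b"constructed sdist bytes, not a real kivymd release"
        with open(os.path.join(d, "kivymd-0.0.0-py3-none-any.whl"), "wb") as f:
            f.write(good)
        # Simulates an artifact altered between PyPI and the consumer (the MITM case).
        with open(os.path.join(d, "kivymd-0.0.0.tar.gz"), "wb") as f:
            f.write(sdist + b" modified in transit")
        # Simulates a file that was never published by the maintainer.
        with open(os.path.join(d, "other-0.0.0-py3-none-any.whl"), "wb") as f:
            f.write(b"not in manifest")
        manifest = "\n".join([
            "# constructed manifest; in practice this text is what the maintainer signs with gpg",
            f"{hashlib.sha256(good).hexdigest()}  kivymd-0.0.0-py3-none-any.whl",
            f"{hashlib.sha256(sdist).hexdigest()}  kivymd-0.0.0.tar.gz",
        ])
        ok, mismatched, unlisted = verify_downloads(d, parse_manifest(manifest))
        return {
            "requirements": [requirement_line(n, h) for n, h in ok.items()],
            "mismatched": mismatched,
            "unlisted": unlisted,
        }


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["requirements"]))
    print("mismatched:", result["mismatched"], "unlisted:", result["unlisted"])
```

In practice the artifacts come from `pip download kivymd==<version> -d downloads/`, the manifest's gpg signature is checked before parse_manifest() is trusted, and the emitted lines are written to a requirements file installed with `pip install -r requirements.txt`; any mismatched or unlisted file should fail the build rather than be installed.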
It seems like a good measure.