
Add signature to get-pip.py

Open szepeviktor opened this issue 7 years ago • 3 comments

See the security breach at PEAR https://twitter.com/pear/status/1086634389465956352

Composer uses two different sources for the signature and the payload:

  • https://composer.github.io/installer.sig
  • https://getcomposer.org/installer

Please consider adding it. Thank you!

szepeviktor avatar Jan 25 '19 11:01 szepeviktor
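An added example of the verify-before-run pattern this two-source split makes possible (not get-pip's or Composer's own code): the installer and its published digest are fetched from separate origins and the script bytes are only returned once the SHA-384 matches, modelled on Composer's installer.sig, which publishes a SHA-384 checksum of the installer. The URLs and function names are assumptions.

```python
import hashlib
import hmac
import urllib.request
from typing import Callable

# Hypothetical placeholder URLs: the digest is served from a different origin
# than the payload, mirroring Composer's installer / installer.sig split, so an
# attacker must compromise both hosts to pass off a modified script.
PAYLOAD_URL = "https://bootstrap.example.invalid/get-pip.py"
DIGEST_URL = "https://sigs.example.invalid/get-pip.py.sha384"


def http_fetch(url: str) -> bytes:
    """Minimal fetcher; HTTPS only, so the digest cannot be swapped in transit."""
    if not url.startswith("https://"):
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def verify_payload(payload: bytes, published_digest: str) -> bool:
    """Compare SHA-384 of `payload` with the separately published hex digest.

    hmac.compare_digest keeps the comparison constant-time.
    """
    expected = published_digest.strip().lower()
    actual = hashlib.sha384(payload).hexdigest()
    return hmac.compare_digest(actual, expected)


def fetch_verified_installer(payload_url: str = PAYLOAD_URL,
                             digest_url: str = DIGEST_URL,
                             fetch: Callable[[str], bytes] = http_fetch) -> bytes:
    """Fetch payload and digest from their separate sources; return the payload
    only if the digest matches, otherwise raise before anything is executed."""
    payload = fetch(payload_url)
    digest = fetch(digest_url).decode("ascii")
    if not verify_payload(payload, digest):
        raise RuntimeError("get-pip.py digest mismatch: refusing to execute")
    return payload


if __name__ == "__main__":
    script = fetch_verified_installer()
    # Only now hand the verified bytes to the interpreter (write to disk and run
    # `python get-pip.py`); never pipe an unverified download straight into python.
    print(f"verified {len(script)} bytes")
```

A checksum published on a second host raises the bar but is only as trustworthy as that host; a detached signature from an offline release key would let the digest source itself be untrusted.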

I second this--things like official Python Docker images [1] (and obviously all images that depend on them) use get-pip.py so any incident can have a huge impact.

[1] https://hub.docker.com/_/python

tomaszzielinski avatar Jul 23 '19 12:07 tomaszzielinski

If someone does the work to generate these automatically as a part of invoke generate, I'll be happy to merge that in.

pradyunsg avatar Jul 23 '19 12:07 pradyunsg

@pradyunsg Could you roughly describe what would need to be done here? I don't know much about get-pip.

One big question is how to verify pip itself--because if it's not verified then I think we would just shift the problem?

tomaszzielinski avatar Jul 26 '19 14:07 tomaszzielinski