loading...

Why doesn't the python package manager (PIP) have package signing feature?

prahladyeri profile image Prahlad Yeri ・1 min read

I'm using the Python Package Manager (PyPi) since a very long time and I couldn't help but notice that package signing feature isn't there at all (According to this reddit thread, it used to be there many years ago but they removed it sometime back for some unknown reasons).

That means, if I install some package by running pip install xyz, there is no way for me to ensure whether its the same one uploaded by the author of that package. Which means that if the PyPI server got compromised any time in the future, millions of users could be affected because of this, not just one or two.

I've authored and published several packages on PyPi myself and hence, this makes me concerned. There is no way to upload the GPG signature file of my package anywhere, nor does pip check the GPG signatures. So the user who installs my package has no way of knowing that it was me who uploaded it there.

This is a serious security concern and I hope the Python team comes up with some kind of solution soon.

Discussion

pic
Editor guide
Collapse
michaelbukachi profile image
Michael Bukachi

From the Reddit discussion it seems PGP is highly flawed. Using TUF would be much better but it's quite hard to implement. So they are just forgoing the whole thing since they don't have the time and resources to work on such features.

Collapse
prahladyeri profile image
Prahlad Yeri Author

There is no flaw in PGP, many other highly used projects like Debian and Ubuntu sign their packages using PGP. It seems, they (Python team) just don't want to be hassled with storing so many authors' PGP public keys and managing them like debian/ubuntu does! However, this feature can be made optional, so that only those who want to sign will upload their keys.

Besides, if they don't like PGP then they should come up with some other solution. Just postponing such a critical security issue isn't a good thing.

Collapse
michaelbukachi profile image
Michael Bukachi

There are flaws. Read this. There are other discussions online.
There are PEPs with proposals to fix the problem but they haven't been approved. Till then, developer vigilance is required.

Collapse
rubberduck profile image
Christopher McClellan

If you’re concerned about this, then I would open an issue and maybe even propose a design to the pip community. Posting here isn’t actionable in any way. Bringing it up with the pip maintainers is.

Collapse
prahladyeri profile image
Prahlad Yeri Author

Sure, you can open an issue but I doubt it'll be much helpful after reading this reddit thread. It seems they've deliberately chosen to not have package signing which seems beyond logic to me!

I know posting here isn't much actionable, consider this as just another rant!

Collapse
gonzron profile image
GonzRon

You are quite right. I think the proper choice is github.com/JonathanLogan/codechain

There are certain interests out there that want to influence standards bodies to keep things as insecure as possible. It's not a conspiracy, it's reality.

Collapse
di profile image
Dustin Ingram

From one of the original maintainers of pip: caremad.io/posts/2013/07/packaging...

Collapse
ramuta profile image
Matej Ramuta

Well, maybe a distributed Pypi (on IPFS) would help solve this problem: github.com/ipfs/notes/issues/28

Collapse
hindemostwoo profile image
Info Comment marked as low quality/non-constructive by the community. View code of conduct
Hindemost-Woo

Pointless, reaearchless, shit post. You don't need to sign it to be sure. just look through it? lazy man's problem.

Collapse
elveskevtar profile image
Kevin Tarta

I've made an account just to respond to your problematic comment. I'm not going to respond to the validity of the author's concerns but if you think that someone could look through a package that contains tens/hundreds of thousands of lines of code, and do that for every package they utilize and then every time they upgrade those packages, then you are delusional. Signing/verifying is a very important aspect of infosec, something you have clearly not researched whatsoever.

Collapse
prahladyeri profile image
Prahlad Yeri Author

Read about further update to this. It turns out that package signing actually works but only in a very manual and archaic way.