1

I'm using the pycryptodome library. The documentation states

All source packages and wheels on PyPI are cryptographically signed. They can be verified with the following PGP key:

I installed it via pip

pip install pycryptodome

I tried just downloading the wheel file directly via

pip download pycryptodome

There isn't a *.sig or *.asc file. I don't even see it when I inspect the wheel file directly using the suggestion here.

Question:

How do I check the signature of the wheel file as the documentation suggests?

irritable_phd_syndrome
  • 4,631
  • 3
  • 32
  • 60

2 Answers

2

The docs are outdated.

All source packages and wheels on PyPI are cryptographically signed.

That's no longer true. PGP signatures were dropped from PyPI when they switched from old backend to Warehouse:

https://github.com/pypa/warehouse/issues/3356#issuecomment-375303794

https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html

Things that will go away once legacy PyPI shuts down:

GPG/PGP signatures for packages

phd
  • 82,685
  • 13
  • 120
  • 165
  • Is there a similar method that is used by the new version of PyPI to verify the integrity of a package? – irritable_phd_syndrome Jun 09 '20 at 12:58
  • @irritable_phd_syndrom I don't know of any. There is PEP 458 but I don't know if it is implemented. And anyway it's about a different security threat. – phd Jun 09 '20 at 18:36
  • 1
    PGP signatures are not dropped, and there's no other way for distro package maintainers to verify the authenticity of content pulled from PyPI without it. It *was* removed from the PyPI WUI and API, but gpg is still supported: you just have to append a '.asc' to the file in question. For example: https://files.pythonhosted.org/packages/aa/4e/6edf9672fea0d8c7b7af0905fc18db76661f833db34b8f696240e11b9513/borgbackup-1.2.0a8.tar.gz.asc – Michael Altfield Jul 02 '20 at 01:58
  • PyPI does still support package signing, and GPG `.asc` files are retrievable from PyPI - see [twine doc](https://twine.readthedocs.io/en/stable/#why-should-i-use-this) - however the support by tools to verify GPG signatures seems poor, see [this issue comment](https://github.com/pypa/twine/issues/157#issuecomment-652782263) and [this gist](https://gist.github.com/tarekziade/4110897) (very old, Python 2.7). There is [vpypi](https://pypi.org/project/vpypi/), which looked good but hung when I tried it. – RichVel May 12 '22 at 06:57
1

You have to download it manually by getting the URL of the file and then appending .asc to it.

For example, the borgbackup project can be viewed here on PyPI's website:

Clicking the "Download Files" button gives you an option to download the latest tarball at the following URL:

Alternatively, you can also get this URL using cURL against the PyPI "simple" API:

user@disp5066:~$ curl -s https://pypi.org/simple/borgbackup/ | grep -i borgbackup-1.1.13.tar.gz
    <a href="https://files.pythonhosted.org/packages/97/68/27d96a12f54894223ad6676ce4d215ad61771e3e723580f3ee6e609e17b7/borgbackup-1.1.13.tar.gz#sha256=164a8666a61071ce2fa6c60627c7646f12e3a8e74cd38f046be72f5ea91b3821">borgbackup-1.1.13.tar.gz</a><br/>
user@disp5066:~$ 

To get the signature of this file, simply append .asc to the URL:

user@disp5066:~$ wget https://files.pythonhosted.org/packages/97/68/27d96a12f54894223ad6676ce4d215ad61771e3e723580f3ee6e609e17b7/borgbackup-1.1.13.tar.gz.asc
--2020-07-02 07:51:12--  https://files.pythonhosted.org/packages/97/68/27d96a12f54894223ad6676ce4d215ad61771e3e723580f3ee6e609e17b7/borgbackup-1.1.13.tar.gz.asc
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.37.63, 2a04:4e42:9::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.37.63|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 862 [application/octet-stream]
Saving to: ‘borgbackup-1.1.13.tar.gz.asc’

borgbackup-1.1.13.t 100%[===================>]     862  --.-KB/s    in 0s      

2020-07-02 07:51:14 (37.2 MB/s) - ‘borgbackup-1.1.13.tar.gz.asc’ saved [862/862]

user@disp5066:~$ cat borgbackup-1.1.13.tar.gz.asc 
-----BEGIN PGP SIGNATURE-----
[armored signature body elided]
=F4gj
-----END PGP SIGNATURE-----
user@disp5066:~$ 

See also:

  1. https://github.com/borgbackup/borg/issues/4213
  2. https://security.stackexchange.com/questions/232855/does-pythons-pip-provide-cryptographic-authentication-and-integrity-validation
Michael Altfield
  • 2,083
  • 23
  • 39
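The two answers and their comments describe a manual procedure: read the file URL (and its `sha256=` fragment) from the PyPI "simple" index, append `.asc` to fetch the detached signature, then run `gpg --verify`. The script below is an added example that automates those steps; it is not code from the question, either answer, or the PyPI/borgbackup projects. It assumes the index HTML format shown in the `curl` output above, the `.asc` naming convention the second answer describes, a `gpg` binary on PATH, and that the signing key has already been imported into the keyring and its fingerprint checked against the project's documentation. The sample index line is constructed from the one quoted in the answer so the parser part runs offline.

```python
"""Added example: parse a PyPI simple-index page, derive the .asc URL, check the
sha256 from the index fragment, and verify the detached PGP signature with gpg.
Not the questioner's, answerer's, or any project's own code."""
import hashlib
import shutil
import subprocess
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input: one <a> line of the kind
# `curl -s https://pypi.org/simple/borgbackup/` returns (copied from the answer above).
SIMPLE_INDEX_HTML = (
    '<a href="https://files.pythonhosted.org/packages/97/68/'
    '27d96a12f54894223ad6676ce4d215ad61771e3e723580f3ee6e609e17b7/'
    'borgbackup-1.1.13.tar.gz#sha256='
    '164a8666a61071ce2fa6c60627c7646f12e3a8e74cd38f046be72f5ea91b3821"'
    '>borgbackup-1.1.13.tar.gz</a><br/>'
)


class SimpleIndexParser(HTMLParser):
    """Collect (filename, url without fragment, sha256 hex) for every <a href> in a simple index."""

    def __init__(self):
        super().__init__()
        self.files = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if not href:
            return
        parts = urlsplit(href)
        digest = None
        if parts.fragment.startswith("sha256="):
            digest = parts.fragment[len("sha256="):]
        clean_url = parts._replace(fragment="").geturl()  # strip the #sha256=... fragment
        filename = parts.path.rsplit("/", 1)[-1]
        self.files.append({"name": filename, "url": clean_url, "sha256": digest})


def parse_simple_index(html):
    parser = SimpleIndexParser()
    parser.feed(html)
    return parser.files


def find_release(html, filename):
    """Return the index entry for one distribution file, or raise KeyError."""
    for entry in parse_simple_index(html):
        if entry["name"] == filename:
            return entry
    raise KeyError(f"{filename} not listed in index")


def signature_url(file_url):
    """The detached PGP signature is served at the file URL with '.asc' appended."""
    return file_url + ".asc"


def sha256_matches(data, expected_hex):
    """Integrity check against the digest from the index fragment. This only detects
    corruption or a tampered mirror: PyPI itself supplies the digest, so it says nothing
    about who uploaded the file. Authenticity comes from the PGP signature below."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


def gpg_verify(archive_path, sig_path, gpg_home=None):
    """Run `gpg --verify <sig> <file>`. Returns True only if gpg reports a good signature
    from a key already in the keyring (gpg exits non-zero for bad or unknown signatures).
    Trust in the key itself must be established out of band, e.g. by comparing its
    fingerprint with the one published in the project's documentation."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed or not on PATH")
    cmd = ["gpg", "--batch", "--verify", sig_path, archive_path]
    if gpg_home:  # optional isolated keyring (hypothetical parameter for testing)
        cmd[1:1] = ["--homedir", gpg_home]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    entry = find_release(SIMPLE_INDEX_HTML, "borgbackup-1.1.13.tar.gz")
    print("archive  :", entry["url"])
    print("signature:", signature_url(entry["url"]))
    print("sha256   :", entry["sha256"])
    # After downloading both files (e.g. with wget as in the answer):
    #   data = open("borgbackup-1.1.13.tar.gz", "rb").read()
    #   assert sha256_matches(data, entry["sha256"])
    #   assert gpg_verify("borgbackup-1.1.13.tar.gz", "borgbackup-1.1.13.tar.gz.asc")
```

The split between `sha256_matches` and `gpg_verify` is deliberate: the digest in the index comes from the same server as the file, so it is an integrity check only, while the detached signature is the one artefact that ties the file to the maintainer's key, which is the point the first answer's comment thread is making about PEP 458 addressing a different threat.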