Sign PyPI Releases

[maltfield]

Describe the bug

When a user downloads this python module using pip, there is no cryptographic authenticity or integrity validation to protect the user from a MITM attack.

Therefore, this project is making any other projects that obtain the opencanary module via pip in their build process vulnerable to a watering hole attack.

Expected behavior

Users should have a mechanism to cryptographically verify the integrity and authenticity of opencanary when obtaining it through pip.

To Reproduce

pip install opencanary

Additional context

Possible solutions include:

1. Using the --sign argument of twine when uploading packages to PyPI

2. Publishing a cryptographically signed document (ideally using gpg) listing the hashes for all packages uploaded to PyPI, which users can then pass into pip using the --hash argument

[jayjb]

Hi @maltfield,

Thanks for the great suggestion. Ill get on that and get back to you.

[jayjb]

Hi @maltfield,

Thanks for the suggestion. Ive bumped the Opencanary version to 0.6.0. And I've gone the route of using --sign when uploading the new Opencanary packages.

[maltfield]

Thanks! You might also want to work with all your dependent packages to do the same.

[maltfield]

Hi, I see this issue was suddenly closed without any comments. Was it resolved?

Is it now possible to install opencanary (and all of its dependencies) securely?