cryptoadvance / specter-desktop

A desktop GUI for Bitcoin Core optimised to work with hardware wallets
MIT License

Verification of hashes for pip-installation of the cryptoadvance.specter package currently unclear #601

Open k9ert opened 3 years ago

k9ert commented 3 years ago

The pip-installation was the first installation we had and #496 did a great job with this for the Development setup. But is it possible to do a proper hash-verified pip-installation out of packages as well?

Currently that doesn't seem to be the case. Or at least, it's quite cumbersome:

(.env) ➜  temp virtualenv --python=python3 .env
created virtual environment CPython3.8.5.final.0-64 in 200ms
  creator CPython3Posix(dest=/home/kim/tmp/specter-desktop/temp/.env, clear=False, global=False)
  seeder FromAppData(download=False, wheel=latest, distlib=latest, pep517=latest, CacheControl=latest, colorama=latest, chardet=latest, retrying=latest, pkg_resources=latest, idna=latest, urllib3=latest, webencodings=latest, six=latest, appdirs=latest, certifi=latest, packaging=latest, contextlib2=latest, msgpack=latest, pytoml=latest, lockfile=latest, pip=latest, setuptools=latest, pyparsing=latest, distro=latest, progress=latest, requests=latest, html5lib=latest, ipaddr=latest, via=copy, app_data_dir=/home/kim/.local/share/virtualenv/seed-app-data/v1.0.1.debian)
  activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator
(.env) ➜  temp . ./.env/bin/activate
(.env) ➜  temp pip install cryptoadvance.specter --require-hashes
Collecting cryptoadvance.specter
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    cryptoadvance.specter from https://files.pythonhosted.org/packages/75/08/eb87a883ec7784eda961f56fa571f137b23043b8aed0d3686d8924f1b425/cryptoadvance.specter-0.9.2-py3-none-any.whl#sha256=b2d8c2d9b136aa80d1a5f593fe9bb831abe013e120966508fb99f5905f7081cd
(.env) ➜  temp 

It's not clear to me where to pin that version. Maybe it should be pinned in the requirements.txt BEFORE release? Should test that. However, if we did that, how can you be sure that the hash which you get from the pip-package-management-system is the correct hash? Because of that, I thought the right way would be to do a release of a tar.gz binary and a manual hashing:

(.env) ➜  temp wget https://github.com/cryptoadvance/specter-desktop/releases/download/v0.9.2/cryptoadvance.specter-0.9.2.tar.gz
...
cryptoadvance.spect 100%[===================>]   1,11M  1,47MB/s    in 0,8s    

2020-11-13 09:22:08 (1,47 MB/s) - ‘cryptoadvance.specter-0.9.2.tar.gz’ saved [1167636/1167636]

(.env) ➜  temp wget https://github.com/cryptoadvance/specter-desktop/releases/download/v0.9.2/sha256.signed.txt
...

sha256.signed.txt   100%[===================>]   1,15K  --.-KB/s    in 0s      

2020-11-13 09:23:19 (12,8 MB/s) - ‘sha256.signed.txt’ saved [1180/1180]

(.env) ➜  temp # do the checks here....
(.env) ➜  temp pip install cryptoadvance.specter-0.9.2.tar.gz --require-hashes
Processing ./cryptoadvance.specter-0.9.2.tar.gz
ERROR: Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)
    file:///home/kim/tmp/specter-desktop/temp/cryptoadvance.specter-0.9.2.tar.gz --hash=sha256:83195b4dcacb3bcb0ae98ba324d61def2402732cfb144c754a7d3adcd215d140
(.env) ➜  temp 

So this unfortunately doesn't work either. Any hints highly appreciated.

roshii commented 3 months ago

AFAIK, we could proceed as follows:

  1. Calculate sha256sum for both source and wheel release during the release_pip CI step.

    WHEEL_HASH=$(sha256sum cryptoadvance.specter-*.whl)
    SRC_HASH=$(sha256sum cryptoadvance.specter-*.tar.gz)
    echo "$WHEEL_HASH" > SHA256SUMS-pip
    echo "$SRC_HASH" >> SHA256SUMS-pip
  2. Create an additional requirement file (pipy-requires.txt) for cryptoadvance.specter pinning its hashes during the release_pip CI step

    echo "-r requirements.txt" > pipy-requires.txt
    echo "cryptoadvance.specter==${CI_COMMIT_TAG} \\" >> pipy-requires.txt
    echo "  --hash=sha256:${WHEEL_HASH%% *} \\" >> pipy-requires.txt
    echo "  --hash=sha256:${SRC_HASH%% *}" >> pipy-requires.txt
  3. Distribute pipy-requires.txt through github releases or any other means

Users can then download pipy-requires.txt and simply execute pip install -r pipy-requires.txt to do a proper hash-verified pip-installation out of packages as well.

If this makes sense to you, I can update the CI script to work accordingly.
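As an added, runnable illustration of the three steps sketched above (an example written for this page, not code from the issue, its commenters or the specter-desktop project): the script computes the release-artifact hashes, writes a pinned pipy-requires.txt in the layout roshii describes, and then checks a downloaded file against the pinned hashes the way pip's --require-hashes mode does, rejecting a tampered copy. The artifact file names, their contents and the version string are constructed placeholders; the real artifacts would come from the release_pip CI step.

```python
"""Hash-pinned pip requirements: generate in CI, verify on the user's side.

Added example for the discussion above; not part of the issue or the
specter-desktop project. Artifacts and version are constructed placeholders.
"""
import hashlib
import os
import re
import tempfile

PACKAGE = "cryptoadvance.specter"


def sha256_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_pinned_requirements(version, artifact_paths, out_path,
                              base_requirements="requirements.txt"):
    """Step 1 + 2 of the CI procedure: hash every release artifact and emit
    a requirements file that pins PACKAGE==version with one --hash per
    artifact (wheel and sdist), using backslash continuation lines."""
    hashes = [sha256_file(p) for p in artifact_paths]
    lines = [f"-r {base_requirements}", f"{PACKAGE}=={version} \\"]
    for i, digest in enumerate(hashes):
        cont = " \\" if i < len(hashes) - 1 else ""
        lines.append(f"    --hash=sha256:{digest}{cont}")
    with open(out_path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return hashes


def parse_pinned_hashes(req_path):
    """Return {name: (version, {sha256, ...})} for every pinned requirement.

    Continuation lines are joined first, so multi-line --hash blocks are read
    as one requirement, as pip does."""
    with open(req_path) as f:
        joined = re.sub(r"\\\n", " ", f.read())
    pins = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-r")):
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)==(\S+)(.*)$", line)
        if not m:
            continue
        name, version, rest = m.groups()
        pins[name] = (version, set(re.findall(r"--hash=sha256:([0-9a-f]{64})", rest)))
    return pins


def verify_artifact(req_path, artifact_path, package=PACKAGE):
    """User-side check: the downloaded artifact's SHA-256 must be one of the
    hashes pinned for the package. Any pinned package without hashes is an
    error, mirroring pip's refusal in --require-hashes mode."""
    version, allowed = parse_pinned_hashes(req_path)[package]
    if not allowed:
        raise ValueError(f"{package}=={version} is pinned without any --hash")
    return sha256_file(artifact_path) in allowed


def demo():
    """Build two constructed artifacts, pin them, then verify a genuine copy
    and a tampered copy. Returns (genuine_ok, tampered_ok)."""
    workdir = tempfile.mkdtemp()
    wheel = os.path.join(workdir, f"{PACKAGE}-0.9.2-py3-none-any.whl")
    sdist = os.path.join(workdir, f"{PACKAGE}-0.9.2.tar.gz")
    # Constructed placeholder contents standing in for the real release files.
    with open(wheel, "wb") as f:
        f.write(b"constructed wheel bytes\n")
    with open(sdist, "wb") as f:
        f.write(b"constructed sdist bytes\n")
    req = os.path.join(workdir, "pipy-requires.txt")
    write_pinned_requirements("0.9.2", [wheel, sdist], req)
    # A copy that differs by one byte must be rejected.
    tampered = os.path.join(workdir, "tampered.tar.gz")
    with open(tampered, "wb") as f:
        f.write(b"constructed sdist bytes!\n")
    return verify_artifact(req, sdist), verify_artifact(req, tampered)


if __name__ == "__main__":
    print(demo())
```

One caveat worth keeping in mind: once any requirement carries a --hash, pip enforces --require-hashes for the whole install, including everything pulled in via -r requirements.txt, so the generated file only installs cleanly if requirements.txt is itself fully hash-pinned, as the first error message in the issue shows.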