
Add a digest for each get-pip.py file #207

Open
wants to merge 3 commits into main

Conversation

@mcpate mcpate commented Mar 19, 2024

Relates to: #47

This PR adds a SHA256 digest of the get-pip.py file (alongside the get-pip.py file). This seems like a useful first step towards providing mechanisms for users to validate the integrity and authenticity of the get-pip.py file.

With these changes, the output of the script now looks like this (there are now two files being output for each version in the public directories):

[Screenshot 2024-03-18 at 7:39:39 PM]

The SHAs can be verified in bulk as follows (the output consists of the directory, a digest for the get-pip.py file, the related digest in the *.sha256 file, and a boolean representing whether the two digests match):

>>> import hashlib
>>> import os
>>>
>>> for _path, _, _ in os.walk("./public"):
...     print(_path, end=": ")
...     sha = hashlib.sha256()  # named 'sha' so the built-in hash() is not shadowed
...     with open(os.path.join(_path, "get-pip.py"), "rb") as f:
...         for b_block in iter(lambda: f.read(4096), b""):  # stream in 4 KiB blocks
...             sha.update(b_block)
...     digest = sha.hexdigest()
...     print(digest, end=":")
...     with open(os.path.join(_path, "get-pip.py.sha256"), "r") as f:
...         file_digest = f.readline().strip()  # the .sha256 file holds the bare hex digest
...         print(file_digest, end=":")
...         print(digest == file_digest)
...
./public: dfe9fd5c28dc98b5ac17979a953ea550cec37ae1b47a5116007395bfacff2ab9:dfe9fd5c28dc98b5ac17979a953ea550cec37ae1b47a5116007395bfacff2ab9:True
./public/3.3: 9698fcacf9011da4f0a3cabebe679dbb1509d19b3493e8c8c9c26dd74faf5cd0:9698fcacf9011da4f0a3cabebe679dbb1509d19b3493e8c8c9c26dd74faf5cd0:True
./public/3.4: dbd5dae3d1e7f6df844d630cdf65e0f0d98e483c9997daea17c7c9d86f7b38ad:dbd5dae3d1e7f6df844d630cdf65e0f0d98e483c9997daea17c7c9d86f7b38ad:True
./public/3.5: 311afebb7cdd310eb3a3a6bb6fffef53d84493db98c7cebf4008a18d3418c8be:311afebb7cdd310eb3a3a6bb6fffef53d84493db98c7cebf4008a18d3418c8be:True
./public/3.2: bcd45dea17cff6e8b2beb383ee3cb7c25b4d30b3bac9d01fc0220d1fd3d87de9:bcd45dea17cff6e8b2beb383ee3cb7c25b4d30b3bac9d01fc0220d1fd3d87de9:True
./public/2.7: 40ee07eac6674b8d60fce2bbabc148cf0e2f1408c167683f110fd608b8d6f416:40ee07eac6674b8d60fce2bbabc148cf0e2f1408c167683f110fd608b8d6f416:True
./public/2.6: 6e1a2feaa6a90b844e36c4f8ccdc222dcebcf581a1b2f9dab09fa72e53ead0e5:6e1a2feaa6a90b844e36c4f8ccdc222dcebcf581a1b2f9dab09fa72e53ead0e5:True
./public/3.6: 0bd6aa5c457b84958cebfe1bd34aec9fa98212a65fe962dbed1195425aea58e1:0bd6aa5c457b84958cebfe1bd34aec9fa98212a65fe962dbed1195425aea58e1:True

The SHAs can also be verified directly/simply using something like sha256sum:

[Screenshot 2024-03-18 at 10:12:00 PM]
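The following is an added example, not code from this PR or from the get-pip project. It performs the same check as the REPL snippet and `sha256sum -c` above, but handles the cases a bulk check should surface rather than crash on: a directory with no `.sha256` file, a digest file whose contents are not a single SHA-256 hex digest, and a `.sha256` file written in sha256sum's own `<digest>  <filename>` / `<digest> *<filename>` form alongside the bare digest the PR writes. The `public/<version>/get-pip.py` layout is taken from the PR; the sample tree the script builds in a temp directory is constructed here for illustration. One caveat on what the check proves: a digest fetched from the same place as the script catches corruption or a truncated download, not substitution by whoever controls that location, so authenticity still needs the digest (or a signature over it) from an independently trusted source.

```python
# Added example (not part of the PR): verify get-pip.py against the adjacent
# get-pip.py.sha256 file, as the PR's REPL snippet and `sha256sum -c` do,
# with the failure modes reported explicitly instead of raising.
import hashlib
import hmac
import os
import tempfile

SCRIPT_NAME = "get-pip.py"
HEX_DIGITS = frozenset("0123456789abcdef")


def sha256_file(path, chunk_size=64 * 1024):
    """Stream the file through SHA-256 so a large script never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_digest_file(path, expected_name=SCRIPT_NAME):
    """Return the hex digest from a .sha256 file.

    Accepts a bare digest (what the PR writes) or sha256sum's
    "<digest>  <filename>" / "<digest> *<filename>" line. Raises ValueError
    unless the first field is one 64-char hex digest for the expected file.
    """
    with open(path, "r", encoding="ascii") as f:
        fields = f.readline().split()
    if not fields:
        raise ValueError("empty digest file: %s" % path)
    digest = fields[0].lower()
    if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
        raise ValueError("not a SHA-256 hex digest: %r" % fields[0])
    if len(fields) > 1:
        # sha256sum prefixes the name with '*' when run in binary mode.
        named = os.path.basename(fields[1].lstrip("*"))
        if named != expected_name:
            raise ValueError("digest is for %r, not %r" % (named, expected_name))
    return digest


def verify_dir(directory):
    """Classify one directory: ok, mismatch, missing-digest or bad-digest-file."""
    script = os.path.join(directory, SCRIPT_NAME)
    try:
        expected = parse_digest_file(script + ".sha256")
    except FileNotFoundError:
        return "missing-digest"
    except ValueError:
        return "bad-digest-file"
    actual = sha256_file(script)
    # Constant-time compare; the digest is public, but the habit costs nothing.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def verify_tree(root):
    """Walk root (the PR's ./public) and report every directory holding
    get-pip.py, keyed by path relative to root ('.' for root itself)."""
    return {
        os.path.relpath(dirpath, root): verify_dir(dirpath)
        for dirpath, _, filenames in os.walk(root)
        if SCRIPT_NAME in filenames
    }


def build_sample_tree():
    """Constructed sample (assumed layout mirroring public/<version>/): one
    good copy, one with a sha256sum-style digest line, one whose digest
    belongs to different content, and one with no digest file at all."""
    root = tempfile.mkdtemp(prefix="get-pip-public-")

    def put(subdir, body, digest_line=None):
        d = os.path.normpath(os.path.join(root, subdir))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, SCRIPT_NAME), "wb") as f:
            f.write(body)
        if digest_line is not None:
            with open(os.path.join(d, SCRIPT_NAME + ".sha256"), "w") as f:
                f.write(digest_line + "\n")

    good = b"#!/usr/bin/env python\nprint('constructed get-pip stand-in')\n"
    other = b"#!/usr/bin/env python\nprint('a different build')\n"
    put(".", good, hashlib.sha256(good).hexdigest())                 # bare digest, as in the PR
    put("3.6", other, hashlib.sha256(other).hexdigest() + " *" + SCRIPT_NAME)  # sha256sum -b form
    put("3.5", other, hashlib.sha256(good).hexdigest())              # digest of the wrong content
    put("2.7", good)                                                 # no .sha256 file
    return root


if __name__ == "__main__":
    for rel, status in sorted(verify_tree(build_sample_tree()).items()):
        print("%s: %s" % (rel, status))
```

Run against a real checkout with `verify_tree("./public")`; any status other than `ok` is a reason to stop before piping the script into an interpreter.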

@mcpate mcpate marked this pull request as ready for review March 19, 2024 14:07
@pradyunsg pradyunsg force-pushed the add-get-pip-verification-files branch from f69e550 to 2d0b977 on July 8, 2024 00:10