Skip to content

Add a digest for each get-pip.py file#207

Open
mcpate wants to merge 3 commits intopypa:mainfrom
mcpate:add-get-pip-verification-files
Open

Add a digest for each get-pip.py file#207
mcpate wants to merge 3 commits intopypa:mainfrom
mcpate:add-get-pip-verification-files

Conversation

@mcpate
Copy link
Copy Markdown

@mcpate mcpate commented Mar 19, 2024
edited
Loading

Relates to: #47

This PR adds a SHA256 digest of the get-pip.py file (alongside the get-pip.py file). This seems like a useful first step towards providing mechanisms for users to validate the integrity and authenticity of the get-pip.py file.

With these changes, the output of the script now looks like this (there are now two files being output for each version in the public directories):

Screenshot 2024-03-18 at 7 39 39 PM

The SHAs can be verified in bulk as follows (the output consists of the directory, a digest for the get-pip.py file, the related digest in the *.sha246 file, and a boolean representing whether the two digests match):

>>> import hashlib
>>> import os
>>>
>>> for _path, _, _ in os.walk("./public"):
...     print(_path, end=": ")
...     hash = hashlib.sha256()
...     with open(os.path.join(_path, "get-pip.py"), "rb") as f:
...         for b_block in iter(lambda: f.read(4096), b""):
...             hash.update(b_block)
...     digest = hash.hexdigest()
...     print(digest, end=":")
...     with open (os.path.join(_path, "get-pip.py.sha256"), "r") as f:
...         file_digest = f.readlines()[0].strip()
...         print(file_digest, end=":")
...         print(digest == file_digest)
...
./public: dfe9fd5c28dc98b5ac17979a953ea550cec37ae1b47a5116007395bfacff2ab9:dfe9fd5c28dc98b5ac17979a953ea550cec37ae1b47a5116007395bfacff2ab9:True
./public/3.3: 9698fcacf9011da4f0a3cabebe679dbb1509d19b3493e8c8c9c26dd74faf5cd0:9698fcacf9011da4f0a3cabebe679dbb1509d19b3493e8c8c9c26dd74faf5cd0:True
./public/3.4: dbd5dae3d1e7f6df844d630cdf65e0f0d98e483c9997daea17c7c9d86f7b38ad:dbd5dae3d1e7f6df844d630cdf65e0f0d98e483c9997daea17c7c9d86f7b38ad:True
./public/3.5: 311afebb7cdd310eb3a3a6bb6fffef53d84493db98c7cebf4008a18d3418c8be:311afebb7cdd310eb3a3a6bb6fffef53d84493db98c7cebf4008a18d3418c8be:True
./public/3.2: bcd45dea17cff6e8b2beb383ee3cb7c25b4d30b3bac9d01fc0220d1fd3d87de9:bcd45dea17cff6e8b2beb383ee3cb7c25b4d30b3bac9d01fc0220d1fd3d87de9:True
./public/2.7: 40ee07eac6674b8d60fce2bbabc148cf0e2f1408c167683f110fd608b8d6f416:40ee07eac6674b8d60fce2bbabc148cf0e2f1408c167683f110fd608b8d6f416:True
./public/2.6: 6e1a2feaa6a90b844e36c4f8ccdc222dcebcf581a1b2f9dab09fa72e53ead0e5:6e1a2feaa6a90b844e36c4f8ccdc222dcebcf581a1b2f9dab09fa72e53ead0e5:True
./public/3.6: 0bd6aa5c457b84958cebfe1bd34aec9fa98212a65fe962dbed1195425aea58e1:0bd6aa5c457b84958cebfe1bd34aec9fa98212a65fe962dbed1195425aea58e1:True

The SHAs can also be verified directly/simply using something like sha256sum:

Screenshot 2024-03-18 at 10 12 00 PM

@mcpate mcpate marked this pull request as ready for review March 19, 2024 14:07
mcpate added 3 commits July 8, 2024 01:10
@pradyunsg pradyunsg force-pushed the add-get-pip-verification-files branch from f69e550 to 2d0b977 Compare July 8, 2024 00:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mcpate