Add certificate pinning or a similar alternative to pip https support. #1168
Comments
As mentioned in the other thread I'm +1 on this feature. I believe it needs:
As an aside, users can approximate this feature already using a custom CA bundle, but that's far less useful than proper certificate pinning.
Closing this, in the time since this had been opened I've become -1 on this feature. The place where it would be most useful is PyPI, but PyPI can't pin because we don't control all of our certificates (Fastly controls some of them). In addition this is more or less superseded by the TUF proposal to add package signing, and at that point we only rely on HTTPS for confidentiality. In addition, since we use requests (which uses urllib3) we will get this for "free" if urllib3 implements urllib3/urllib3#607.
Perhaps
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Certificate pinning can prevent MITM attacks where the attacker colludes with a certificate authority other than the CA specified by pinning. In the context of pip, such an attack would allow an attacker colluding with a certificate authority to inject code during a pip install.
This is mentioned as a "bonus feature" in #1167, and I decided to make a separate ticket because tickets with more specific scope are more likely to be useful.
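As an added illustration (not code from pip, urllib3 or this thread), this is the shape of the fingerprint-style pin check the issue asks for: the leaf certificate's SHA-256 fingerprint is compared against a small set of operator-supplied pins, on top of, not instead of, normal CA validation, so a certificate from any other CA fails even if it chains correctly. The DER bytes below are a constructed stand-in; the host, port and pin values in `connect_pinned` are assumptions supplied by the caller.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the DER-encoded leaf certificate a server presents.
# Real code obtains it from tls.getpeercert(binary_form=True).
SAMPLE_LEAF_DER = b"constructed-der-bytes-for-demo-only"


class PinMismatch(ssl.SSLError):
    """Raised when the presented leaf certificate matches none of the pins."""


def normalize_fingerprint(pin: str) -> bytes:
    """Accept 'AB:CD:...' or 'abcd...' and return the raw digest bytes."""
    return bytes.fromhex(pin.replace(":", "").strip())


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 over the whole DER certificate (what a pin is made from)."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pins(cert_der: bytes, pins) -> bool:
    """Return True if cert_der matches any pin. Malformed pins fail closed."""
    digest = hashlib.sha256(cert_der).digest()
    matched = False
    for pin in pins:
        expected = normalize_fingerprint(pin)
        if len(expected) != len(digest):
            raise ValueError(f"pin is not a SHA-256 fingerprint: {pin!r}")
        # Constant-time compare; keep looping so timing does not reveal which pin hit.
        matched |= hmac.compare_digest(expected, digest)
    return matched


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0) -> str:
    """TLS connect with normal CA validation, then enforce the pin set.
    Returns the matched leaf fingerprint. Multiple pins allow a backup
    certificate so rotation does not break clients."""
    ctx = ssl.create_default_context()  # hostname + chain validation still apply
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not check_pins(der, pins):
                raise PinMismatch(f"leaf certificate of {host} matches no pin")
            return fingerprint(der)
```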