Send only the digests we have from PackageFile #776

Merged
merged 2 commits into from Jul 16, 2021
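--- a/changelog/776.bugfix.rst
+++ b/changelog/776.bugfix.rst
@@ -0,0 +1,3 @@
+Do not include md5_digest or blake2_256_digest if FIPS mode is enabled on the
+host. This removes those fields from the metadata before sending the metadata
+to the repository.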
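--- a/tests/test_package.py
+++ b/tests/test_package.py
@@ -262,6 +262,24 @@ def test_fips_hash_manager_blake2(monkeypatch):
     assert hasher.hexdigest() == hashes
 
 
+def test_fips_metadata_excludes_md5_and_blake2(monkeypatch):
+    """Generate a valid metadata dictionary for Nexus when FIPS is enabled.
+
+    See also: https://github.com/pypa/twine/issues/775
+    """
+    replaced_blake2b = pretend.raiser(ValueError("fipsmode"))
+    replaced_md5 = pretend.raiser(ValueError("fipsmode"))
+    monkeypatch.setattr(package_file.hashlib, "md5", replaced_md5)
+    monkeypatch.setattr(package_file.hashlib, "blake2b", replaced_blake2b)
+
+    filename = "tests/fixtures/twine-1.5.0-py2.py3-none-any.whl"
+    pf = package_file.PackageFile.from_filename(filename, None)
+
+    mddict = pf.metadata_dictionary()
+    assert "md5_digest" not in mddict
+    assert "blake2_256_digest" not in mddict
+
+
 def test_pkginfo_returns_no_metadata(monkeypatch):
     """Raise an exception when pkginfo can't interpret the metadata.
 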
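Review bot: The new test only asserts that the two FIPS-unavailable digests are absent, so a regression that dropped every digest from the dictionary would still pass; adding `assert "sha256_digest" in mddict` after the two `not in` assertions pins that the one digest that must always be sent is still there. The docstring's first line says the dictionary is generated "for Nexus", but the assertions exercise the general FIPS path, so `"""Exclude md5_digest and blake2_256_digest from the metadata when FIPS is enabled."""` would describe what the test actually checks. The monkeypatched `ValueError("fipsmode")` presumably mirrors what hashlib raises on a FIPS host; a one-line comment above the two `pretend.raiser` lines saying so would help the next reader, since the test otherwise looks like it injects an arbitrary error.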
11 changes: 9 additions & 2 deletions twine/package.py
Expand Up @@ -152,9 +152,7 @@ def metadata_dictionary(self) -> Dict[str, MetadataValue]:
"download_url": meta.download_url,
"supported_platform": meta.supported_platforms,
"comment": self.comment,
"md5_digest": self.md5_digest,
"sha256_digest": self.sha2_digest,
"blake2_256_digest": self.blake2_256_digest,
# PEP 314
"provides": meta.provides,
"requires": meta.requires,
Expand All @@ -174,6 +172,15 @@ def metadata_dictionary(self) -> Dict[str, MetadataValue]:
if self.gpg_signature is not None:
data["gpg_signature"] = self.gpg_signature

# FIPS disables MD5 and Blake2, making the digest values None. Some package
# repositories don't allow null values, so this only sends non-null values.
# See also: https://github.com/pypa/twine/issues/775
if self.md5_digest:
data["md5_digest"] = self.md5_digest

if self.blake2_256_digest:
data["blake2_256_digest"] = self.blake2_256_digest

return data

def add_gpg_signature(
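Review bot: The new guards `if self.md5_digest:` and `if self.blake2_256_digest:` test truthiness, while the `gpg_signature` check two lines above uses `is not None`; since the added comment says FIPS makes these values `None`, writing `if self.md5_digest is not None:` and `if self.blake2_256_digest is not None:` would match the neighbouring style and make the intended sentinel explicit. The docstring of `metadata_dictionary` (the signature is outside the hunk, so the function begins before the first hunk) should also state that `md5_digest` and `blake2_256_digest` are omitted when the host cannot compute them, so anyone consuming the upload payload knows those keys are optional. The first hunk drops the unconditional entries, and `sha256_digest` appears to stay in the always-present set; that distinction is worth a sentence in the same docstring so a reader does not assume all three digests are equivalent.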