Skip to content

Commit

Permalink
Send only the digests we have from PackageFile (#776)
Browse files Browse the repository at this point in the history
* Send only the digests we have from PackageFile

Once again, we have to deal with third-party package repositories doing
their own thing and users needing this to just work. Those repositories
combined with FIPS mean that we will need to send the information we
actually have and only that when it comes to digests.

Closes gh-775

* Update function and comments for clarity

Let's be clearer about some of the bizarre logic we use to support 
repositories other than PyPI and distributions using FIPS

Co-authored-by: Brian Rutledge <[email protected]>

Co-authored-by: Brian Rutledge <[email protected]>
  • Loading branch information
sigmavirus24 and bhrutledge authored Jul 16, 2021
1 parent b4a196e commit fc20d94
Show file tree
Hide file tree
Showing 3 changed files with 30 additions and 2 deletions.
3 changes: 3 additions & 0 deletions changelog/776.bugfix.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
Do not include md5_digest or blake2_256_digest if FIPS mode is enabled on the
host. This removes those fields from the metadata before sending the metadata
to the repository.
18 changes: 18 additions & 0 deletions tests/test_package.py
Original file line number Diff line number Diff line change
Expand Up @@ -262,6 +262,24 @@ def test_fips_hash_manager_blake2(monkeypatch):
assert hasher.hexdigest() == hashes


def test_fips_metadata_excludes_md5_and_blake2(monkeypatch):
"""Generate a valid metadata dictionary for Nexus when FIPS is enabled.
See also: https://github.com/pypa/twine/issues/775
"""
replaced_blake2b = pretend.raiser(ValueError("fipsmode"))
replaced_md5 = pretend.raiser(ValueError("fipsmode"))
monkeypatch.setattr(package_file.hashlib, "md5", replaced_md5)
monkeypatch.setattr(package_file.hashlib, "blake2b", replaced_blake2b)

filename = "tests/fixtures/twine-1.5.0-py2.py3-none-any.whl"
pf = package_file.PackageFile.from_filename(filename, None)

mddict = pf.metadata_dictionary()
assert "md5_digest" not in mddict
assert "blake2_256_digest" not in mddict


def test_pkginfo_returns_no_metadata(monkeypatch):
"""Raise an exception when pkginfo can't interpret the metadata.
Expand Down
11 changes: 9 additions & 2 deletions twine/package.py
Original file line number Diff line number Diff line change
Expand Up @@ -152,9 +152,7 @@ def metadata_dictionary(self) -> Dict[str, MetadataValue]:
"download_url": meta.download_url,
"supported_platform": meta.supported_platforms,
"comment": self.comment,
"md5_digest": self.md5_digest,
"sha256_digest": self.sha2_digest,
"blake2_256_digest": self.blake2_256_digest,
# PEP 314
"provides": meta.provides,
"requires": meta.requires,
Expand All @@ -174,6 +172,15 @@ def metadata_dictionary(self) -> Dict[str, MetadataValue]:
if self.gpg_signature is not None:
data["gpg_signature"] = self.gpg_signature

# FIPS disables MD5 and Blake2, making the digest values None. Some package
# repositories don't allow null values, so this only sends non-null values.
# See also: https://github.com/pypa/twine/issues/775
if self.md5_digest:
data["md5_digest"] = self.md5_digest

if self.blake2_256_digest:
data["blake2_256_digest"] = self.blake2_256_digest

return data

def add_gpg_signature(
Expand Down

0 comments on commit fc20d94

Please sign in to comment.