Conda Content Trust: Signing and verification tools for Conda

What: Based on The Update Framework (TUF), conda-content-trust is intended to ensure that when users in the conda ecosystem obtain a package or data about that package, they can know whether or not it is trustworthy (e.g. originally comes from a reliable source and has not been tampered with). A basic library and basic CLI are included to provide signing, verification, and trust delegation functionality.

Why: This exists as an alteration of TUF because of the very particular needs of the conda ecosystem. (Developers are encouraged to just use TUF whenever possible!)

Where: This tool is general purpose. It is currently used in conda 4.10.1+ to verify package metadata signatures when they are available (announcement, instructions).

Installation

Installation can be accomplished via conda:

conda install conda-content-trust

Or via pip:

pip install conda-content-trust

(If you intend to tinker with the code, feel free to use an editable install: pip install -e .)

Optional Dependencies for Producing Signatures with GPG Keys / YubiKeys

If you intend to create GPG key signatures (as opposed to the typical non-GPG signatures), and/or you intend to use the YubiKey interface, you will need to install two optional dependencies:

  • GPG (any gpg client that provides command-line gpg functionality should do)
  • securesystemslib (pip install securesystemslib)

Demonstration and Use

The command-line utility provides built-in help:

conda-content-trust --help

You should be able to run the demo after installing:

python3 demo.py

(Portions of the demo may require the optional dependencies above.)

Testing

Each set of tests is a module in the tests/ directory. These can all be run with:

pytest