
I was a happy man, having my own happy local pip index. One day I updated the pip client and I'm not happy anymore:

Downloading/unpacking super_package
Getting page https://my_server/index/super_package/
URLs to search for versions for super_package:
* https://my_server/index/super_package/
* https://pypi.python.org/simple/super_package/
Analyzing links from page https://my_server/index/super_package/
Skipping https://my_server/ci/super_package-0.2.2.tar.gz (from https://my_server/index/super_package/) because it is an insecure and unverifiable file.

But WHY? I have SSL enabled on my server and my pip.conf file looks like this:

[global]
cert = /path/to/my_server/cert.pem
index-url = https://my_server/index
extra-index-url = https://pypi.python.org/simple/

How is a 'secure and verifiable' / 'insecure and unverifiable' file defined? How does pip distinguish between them?

Finally: Do you want me to switch to easy_install?

EDIT:

My own PIP index looks like this:

<html>
<head>
<title>Package Index</title>
<meta name="api-version" value="2" />
</head>
<body><a href="ADMESARfari/index.html">ADMESARfari</a><br/>
<a href="chembl-internal-ws/index.html">chembl-internal-ws</a><br/>
<a href="chembl_api/index.html">chembl_api</a><br/>
    ...
<a href="gdb/index.html">gdb</a><br/>
</body>
</html>

The CA cert of the pip server is installed on my Mac but I'm still having the same problem...


mnowotka

2 Answers


Short answer

Check the <meta name="api-version" value="..." /> of the https://my_server/index file.

Detailed answer

I could be more specific if I knew the true URL of your local index (given as https://my_server/index) and how you created it.

I don't, so I hope to help with the following more general thoughts.

First of all, you can use the --allow-insecure command line option. Apparently this is not a good idea if you care about the security of your computer.

If you prefer to stay in the secure zone then you need to find out why your source is considered insecure and unverifiable.

Looking at the code where this error was generated you can see that the most probable reason is the result of the verifiable() method of the Link class.

Looking at this method and given that your index page should be in the trusted list because of the

index-url = https://my_server/index

line in your config file, the main reason left is the value of the variable _api_version. To verify what the api_version of your index file is, check the meta tags and look for something like this:

<meta name="api-version" value="2" />

If it's not there or if it has a value of 1 or less then the problem should be here.

There is also some hash verification but I didn't investigate how it works.

Andrei Boyanov
  • Hi, thanks for the answer. First of all I will try to add `allow-insecure` to my `pip.conf` and add `api-version` tag with correct value and see if that helps. If not, I will edit my question. `hash` verification would be harder to make... – mnowotka Feb 14 '14 at 10:19
  • Try first to correct the `api-version` - it's more secure – Andrei Boyanov Feb 14 '14 at 12:42
  • Unfortunately I didn't have time to check your answer over the weekend but since this is the only answer I have, if it proved to be correct, I would feel bad, losing a chance to award you a bounty. So I do it, but this doesn't mean the answer is correct. – mnowotka Feb 17 '14 at 09:24
  • Thank you for the bounty! But please check it when you have the time to do it. I spent some time investigating your problem and thus I have the feeling that my answer should be correct. – Andrei Boyanov Feb 17 '14 at 22:13
  • OK, so I checked and the answer is not correct. I already have the `api-version` meta with value set to 2. Using `--allow-insecure` is not an option for me because I have many packages with lots of dependencies in the same index so I would have to list all of them, which makes no sense. – mnowotka Feb 18 '14 at 09:58
  • Sorry to hear that. Can you send a link to the real index file that causes the problem or send me a copy of that file? – Andrei Boyanov Feb 18 '14 at 12:16
  • I'm afraid I can't send you a link as this exists only in the intranet but I can paste the HTML source of the index if that helps. – mnowotka Feb 18 '14 at 12:27
  • It would be great to have the HTML source of your index file. You can put it on some public server and give the download URL here. – Andrei Boyanov Feb 19 '14 at 07:17
  • Done, my question is now edited and the body of my index can be found there. – mnowotka Feb 19 '14 at 12:16

Are you specifying hashes in your package links? If not, pip won't trust the link.

Check out the warehouse docs on the simple api for details / examples.

Ivo
  • So why does it say "The links may optionally include a hash using the url fragment."? Does it mean it isn't "MAY OPTIONALLY" but is a MUST? – mnowotka Feb 19 '14 at 13:32
  • Probably because it is optional, it's just that pip as of 1.5 will no longer download it without extra flags; and also because warehouse is currently under heavy development, so I wouldn't expect the docs to be absolutely feature complete or completely up to date from when they were first created annotating the old API. – Ivo Feb 19 '14 at 13:34
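The two answers above point at the same mechanism from opposite sides: the `api-version` meta tag on the index page (first answer) and the hash fragment on each link (second answer). The script below is an added example, not pip's code and not code posted by either answerer. It models how pip 1.5 appears to reach the "insecure and unverifiable" verdict: a link counts as verifiable only when it comes from a page under a configured index URL, that page declares `api-version` 2, and the link carries a `#md5=...`-style fragment. The exact three-way outcome (untrusted page: False; trusted page without api-version 2: undetermined; trusted api-version-2 page: hash required) is my reading of pip 1.5's `Link.verifiable` and is an assumption. The page content, the `super_package` URLs and the sdist bytes are constructed; the `hashed_href` and `verify_download` helpers show the index-side fix (emit the digest in the href) and the matching client-side check.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Added example, not pip's own code. Models pip 1.5's "verifiable link" decision
# as described in the answers; the True/False/None mapping is an assumption.

INDEX_URLS = ["https://my_server/index", "https://pypi.python.org/simple/"]  # as in pip.conf
PAGE_URL = "https://my_server/index/super_package/"

# Constructed sample page: one bare link (as in the question) and one link with a hash.
SAMPLE_DIST = b"constructed sdist bytes for super_package-0.2.3"
SAMPLE_MD5 = hashlib.md5(SAMPLE_DIST).hexdigest()
PAGE_HTML = f"""<html><head><title>Links for super_package</title>
<meta name="api-version" value="2" />
</head><body>
<a href="https://my_server/ci/super_package-0.2.2.tar.gz">super_package-0.2.2.tar.gz</a><br/>
<a href="https://my_server/ci/super_package-0.2.3.tar.gz#md5={SAMPLE_MD5}">super_package-0.2.3.tar.gz</a><br/>
</body></html>"""

HASH_FRAGMENT_RE = re.compile(r"^(md5|sha1|sha224|sha256|sha384|sha512)=([0-9a-f]+)$")


class SimpleIndexParser(HTMLParser):
    """Collect the api-version meta value and every href on a simple-index page."""

    def __init__(self):
        super().__init__()
        self.api_version = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "api-version":
            try:
                self.api_version = int(a.get("value"))  # the 'value' attribute, as in the question
            except (TypeError, ValueError):
                self.api_version = None
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])


def parse_index_page(page_url, html):
    """Return (api_version, [absolute link URLs]) for one index page."""
    p = SimpleIndexParser()
    p.feed(html)
    return p.api_version, [urljoin(page_url, h) for h in p.hrefs]


def page_is_trusted(page_url, index_urls):
    """Simplification: a page is trusted when it sits under a configured index-url."""
    pu = urlparse(page_url)
    for iu in index_urls:
        u = urlparse(iu)
        same_origin = (pu.scheme, pu.netloc) == (u.scheme, u.netloc)
        if same_origin and pu.path.startswith(u.path.rstrip("/") + "/"):
            return True
    return False


def link_hash(link_url):
    """Return (algorithm, hexdigest) from a '#md5=...'-style fragment, else None."""
    m = HASH_FRAGMENT_RE.match(urlparse(link_url).fragment)
    return (m.group(1), m.group(2)) if m else None


def link_verifiable(link_url, page_url, api_version, index_urls):
    """True / False / None as (assumed) in pip 1.5's Link.verifiable:
    untrusted page -> False; trusted page without api-version 2 -> None (cannot tell);
    trusted api-version-2 page -> True only when the link carries a hash."""
    if not page_is_trusted(page_url, index_urls):
        return False
    if api_version is None or api_version < 2:
        return None
    return link_hash(link_url) is not None


def classify_index(page_url, html, index_urls):
    """Map each link (without fragment) to 'ok', 'skip' (insecure and unverifiable) or 'unknown'."""
    api_version, links = parse_index_page(page_url, html)
    result = {}
    for link in links:
        v = link_verifiable(link, page_url, api_version, index_urls)
        result[link.split("#")[0]] = "skip" if v is False else ("ok" if v else "unknown")
    return result


def hashed_href(base_url, filename, data, algorithm="md5"):
    """Index-side fix: the href pip expects, with the file's digest as a URL fragment."""
    digest = hashlib.new(algorithm, data).hexdigest()
    return f"{base_url.rstrip('/')}/{filename}#{algorithm}={digest}"


def verify_download(data, link_url):
    """Client-side check after download: recompute the digest named in the fragment."""
    h = link_hash(link_url)
    return h is not None and hashlib.new(h[0], data).hexdigest() == h[1]


if __name__ == "__main__":
    for link, status in classify_index(PAGE_URL, PAGE_HTML, INDEX_URLS).items():
        print(status, link)
```

Run as a script, the bare 0.2.2 link is reported as `skip` and the 0.2.3 link with the md5 fragment as `ok`, which is the behaviour the question's log shows for the bare link. Regenerating the index with `hashed_href` for every file is the fix that avoids `--allow-insecure` for each package.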