I was a happy man, having my own happy local pip index. One day I updated the pip client and I'm not happy anymore:
Downloading/unpacking super_package
Getting page https://my_server/index/super_package/
URLs to search for versions for super_package:
* https://my_server/index/super_package/
* https://pypi.python.org/simple/super_package/
Analyzing links from page https://my_server/index/super_package/
Skipping https://my_server/ci/super_package-0.2.2.tar.gz (from https://my_server/index/super_package/) because it is an insecure and unverifiable file.
But WHY?
I have SSL enabled on my server and my pip.conf file looks like this:
[global]
cert = /path/to/my_server/cert.pem
index-url = https://my_server/index
extra-index-url = https://pypi.python.org/simple/
How is a 'secure and verifiable'/'insecure and unverifiable' file defined? How does PIP distinguish between them?
Finally: Do you want me to switch to easy_install?
EDIT:
My own PIP index looks like this:
<html>
<head>
<title>Package Index</title>
<meta name="api-version" value="2" />
</head>
<body><a href="ADMESARfari/index.html">ADMESARfari</a><br/>
<a href="chembl-internal-ws/index.html">chembl-internal-ws</a><br/>
<a href="chembl_api/index.html">chembl_api</a><br/>
...
<a href="gdb/index.html">gdb</a><br/>
</body>
</html>
CA cert of the PIP server is installed on my mac but I'm still having the same problem...
Are you specifying hashes in your package links? If not, pip won't trust the link.
Check out the warehouse docs on the simple api for details / examples.
Short answer
Check the <meta name="api-version" value="..." /> of the https://my_server/index file.
Detailed answer
I could be more specific if I knew the true url of your local index (given as https://my_server/index) and how you created it.
I don't, so I hope to help with the following more general thoughts.
First of all, you can use the --allow-insecure command line option. Apparently this is not a good idea as far as you care about the security of your computer.
If you prefer to stay in the secure zone then you need to find out why your source is considered as insecure and unverifiable.
Looking at the code where this error was generated you can see that the most probable reason is the result of the verifiable() method of the Link class.
Looking at this method and given that your index page should be in the trusted list because of the index-url = https://my_server/index line in your config file, the main reason left is the value of the variable _api_version. To verify what the api_version of your index file is, check the meta tags and look for something like this:
<meta name="api-version" value="2" />
If it's not there or if it has a value of 1 or less then the problem should be here.
There is also some hash verification but I didn't investigate how it works.
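The two checks the replies above point at (the api-version meta tag and a hash on each package link) can be audited offline against an index page. This is an added example, not pip's code and not part of the original answers; the decision rule in audit() is an assumption modelled on those replies, and the sample page, the 0.2.3 link and its hash value are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urldefrag

# Fragment form used on simple-index links, e.g. "#md5=<hex digest>"
HASH_RE = re.compile(r"^(md5|sha1|sha224|sha256|sha384|sha512)=[0-9a-f]+$")

class IndexPage(HTMLParser):
    """Collects the api-version meta tag and every <a href> on an index page."""
    def __init__(self):
        super().__init__()
        self.api_version = None
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and attrs.get("name") == "api-version":
            try:
                self.api_version = int(attrs.get("value"))
            except (TypeError, ValueError):
                self.api_version = None  # missing or non-numeric value
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])

def audit(html):
    """Return (api_version, {file_url: verdict}) for one package page."""
    page = IndexPage()
    page.feed(html)
    report = {}
    for href in page.links:
        url, fragment = urldefrag(href)
        if page.api_version is None or page.api_version <= 1:
            report[url] = "no-claim"      # page does not declare api-version 2
        elif HASH_RE.match(fragment):
            report[url] = "verifiable"    # api-version 2 and a hash on the link
        else:
            report[url] = "unverifiable"  # api-version 2 but no hash
    return page.api_version, report

# Constructed sample page; the 0.2.3 link and its hash value are made up.
SAMPLE = """<html><head><meta name="api-version" value="2" /></head><body>
<a href="https://my_server/ci/super_package-0.2.2.tar.gz">0.2.2</a>
<a href="https://my_server/ci/super_package-0.2.3.tar.gz#md5=0123456789abcdef0123456789abcdef">0.2.3</a>
</body></html>"""

if __name__ == "__main__":
    version, report = audit(SAMPLE)
    print("api-version:", version)
    for url, verdict in report.items():
        print(verdict, url)
```

Feeding it the HTML of a package page from your own index shows which links lack a hash fragment before the pip client rejects them.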