NEXUS-24127 (Dev - Nexus Repo)

PyPI repos should provide SHA256 hashes in /simple web interface


    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major
    • Versions: 3.41.0, 3.21.1
    • Component: PyPI
    • 3
    • Sprint: NXRM MadMax Sprint 37, NXRM MadMax Sprint 38
    • non-concept


      Nexus hosted PyPI repositories should provide SHA256 hashes in the /simple web interface's href attributes that link to the package files being served, as described in PEP 503. Currently, Nexus hosted PyPI repositories provide MD5 hashes for packages through the /simple web interface.

      From PEP 503, describing the PyPI /simple interface:

      The href attribute MUST be a URL that links to the location of the file for download, and the text of the anchor tag MUST match the final path component (the filename) of the URL. The URL SHOULD include a hash in the form of a URL fragment with the following syntax: #<hashname>=<hashvalue>, where <hashname> is the lowercase name of the hash function (such as sha256) and <hashvalue> is the hex encoded digest.
      Repositories SHOULD choose a hash function from one of the ones guaranteed to be available via the hashlib module in the Python standard library (currently md5, sha1, sha224, sha256, sha384, sha512). The current recommendation is to use sha256.

      On client systems that are FIPS 140-2 compliant (where the MD5 algorithm is disabled), pip cannot download packages from a Nexus hosted PyPI repository, because the repository provides MD5 hashes in the href fragment and the client cannot compute that digest to verify the file.
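      As an added example (not code from Nexus or from this issue), a Python audit of a /simple project page: it parses each href fragment using the PEP 503 syntax quoted above, reports which links still carry md5 instead of sha256, checks the anchor text against the URL's filename, and verifies a download the way pip does, returning 'unavailable' when hashlib refuses the algorithm (MD5 on a FIPS host). The index HTML, package names and digests are constructed samples.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed /simple project page (not real Nexus output): an MD5 fragment as
# Nexus emits today, the sha256 fragment PEP 503 recommends, and one link with
# no fragment. Both digests are of the empty input, so b"" is a matching download.
SAMPLE_INDEX = """<html><body>
<a href="../../packages/pkg-1.0.tar.gz#md5=d41d8cd98f00b204e9800998ecf8427e">pkg-1.0.tar.gz</a>
<a href="../../packages/pkg-1.1.tar.gz#sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855">pkg-1.1.tar.gz</a>
<a href="../../packages/pkg-1.2.tar.gz">pkg-1.2.tar.gz</a>
</body></html>"""

# Minimal anchor matcher for the simple index; assumes double-quoted attributes.
LINK_RE = re.compile(r'<a\s+[^>]*?href="([^"]+)"[^>]*>([^<]+)</a>')

def parse_fragment(href):
    """Split '#<hashname>=<hashvalue>' into (name, hexdigest); (None, None) if absent."""
    m = re.fullmatch(r"([a-z0-9]+)=([0-9a-f]+)", urlsplit(href).fragment)
    return (m.group(1), m.group(2)) if m else (None, None)

def audit_index(html):
    """Map each filename to 'sha256', 'md5' (unusable on FIPS clients), 'other' or 'missing'.
    Also flags anchors whose text does not match the URL's final path component."""
    report = {}
    for href, text in LINK_RE.findall(html):
        name = text.strip()
        if name != urlsplit(href).path.rsplit("/", 1)[-1]:
            report[name] = "name-mismatch"
            continue
        algo, _ = parse_fragment(href)
        report[name] = "missing" if algo is None else algo if algo in ("sha256", "md5") else "other"
    return report

def verify_download(data, href):
    """Check bytes against the fragment digest as pip would: True/False, 'missing' when
    there is no fragment, 'unavailable' when hashlib refuses the algorithm (MD5 on FIPS)."""
    algo, expected = parse_fragment(href)
    if algo is None:
        return "missing"
    try:
        return hashlib.new(algo, data).hexdigest() == expected
    except ValueError:
        return "unavailable"
```

Running audit_index against a repository's /simple/<project>/ page shows at a glance whether it still emits md5 fragments, which is exactly the condition that makes FIPS clients fail.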


        Attachments
        1. nexus_fix.js (0.6 kB)
        2. nginx.conf (3 kB)
        3. prepare_hashes.py (0.6 kB)




              People: Igor Udovika, James Brophy, Rich Seddon
              Team: NXRM - Mad Max
              Votes: 29, Watchers: 34