Dev - Nexus Repo: NEXUS-24127

PyPI repos should provide SHA256 hashes in /simple web interface


    • Type: Improvement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.21.1
    • Fix Version/s: None
    • Component/s: PyPI
    • Labels:


      Nexus-hosted PyPI repositories should provide SHA256 hashes in the /simple web interface's href attributes that link to the package files being served, as described in PEP 503.  Currently, Nexus-hosted PyPI repositories provide MD5 hashes for packages through the /simple web interface.

      From PEP 503, describing the PyPI /simple interface:

      The href attribute MUST be a URL that links to the location of the file for download, and the text of the anchor tag MUST match the final path component (the filename) of the URL. The URL SHOULD include a hash in the form of a URL fragment with the following syntax: #<hashname>=<hashvalue>, where <hashname> is the lowercase name of the hash function (such as sha256) and <hashvalue> is the hex encoded digest.
      Repositories SHOULD choose a hash function from one of the ones guaranteed to be available via the hashlib module in the Python standard library (currently md5, sha1, sha224, sha256, sha384, sha512). The current recommendation is to use sha256.

      On client systems that are FIPS 140-2 compliant (the MD5 algorithm is disabled), 'pip' cannot download packages from a Nexus hosted PyPI repository because it provides MD5 hashes in the href fragment.
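      As an added example (not Nexus code, and not the attached nexus_fix.js, nginx.conf or prepare_hashes.py), the Python below shows the fragment format PEP 503 describes. It rewrites a constructed /simple index from md5 to sha256 fragments by digesting the actual package bytes, and verifies a download the way a PEP 503 client does. The FIPS case is simulated with an `available_hashes` set that excludes md5; the package bytes, index HTML and function names are all assumptions made for this example.

```python
"""Rewrite a PEP 503 /simple index so its href fragments carry sha256 instead
of md5, and verify a download against the fragment as a client would.

Added example for this issue; not Nexus code and not the attached scripts.
The index HTML and the package bytes below are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed package contents standing in for the files a repository would serve.
PACKAGE_FILES = {
    "example-1.0.0.tar.gz": b"example package contents 1.0.0\n",
    "example-1.0.0-py3-none-any.whl": b"example wheel contents 1.0.0\n",
}

HREF_RE = re.compile(r'href="([^"]*)"')


def make_index(hash_name):
    """Build a minimal PEP 503 index whose fragments use hash_name.

    Mimics what a hosted repository emits: anchor text equals the final path
    component and the fragment is '#<hashname>=<hexdigest>'.
    """
    links = []
    for name, data in PACKAGE_FILES.items():
        digest = hashlib.new(hash_name, data).hexdigest()
        links.append(f'<a href="../../packages/{name}#{hash_name}={digest}">{name}</a><br/>')
    return "<html><body>\n" + "\n".join(links) + "\n</body></html>\n"


def parse_fragment(href):
    """Return (hashname, hexdigest) from a '#name=value' fragment, or None."""
    fragment = urlsplit(href).fragment
    if "=" not in fragment:
        return None
    name, _, value = fragment.partition("=")
    return name.lower(), value.lower()


def verify_download(href, data, available_hashes=None):
    """Client-side check: the digest of the downloaded bytes must match the fragment.

    available_hashes simulates a FIPS 140-2 host: if the fragment names a hash
    that is not available there (md5), the client fails before any comparison,
    which is the pip failure described in this issue.
    """
    parsed = parse_fragment(href)
    if parsed is None:
        return False  # no fragment: nothing to verify against
    name, expected = parsed
    if available_hashes is not None and name not in available_hashes:
        raise ValueError(f"hash algorithm {name!r} is not available on this host")
    return hashlib.new(name, data).hexdigest() == expected


def rewrite_index(html, file_bytes, hash_name="sha256"):
    """Replace every href fragment with '#<hash_name>=<digest>' of the real file bytes.

    file_bytes maps a filename to its contents; the digest must be computed over
    the bytes the client will actually download, so a rewriter that cannot read
    the file leaves the link untouched rather than guessing.
    """
    def repl(match):
        href = match.group(1)
        parts = urlsplit(href)
        filename = parts.path.rsplit("/", 1)[-1]
        data = file_bytes.get(filename)
        if data is None:
            return match.group(0)
        digest = hashlib.new(hash_name, data).hexdigest()
        new_href = urlunsplit(parts._replace(fragment=f"{hash_name}={digest}"))
        return f'href="{new_href}"'

    return HREF_RE.sub(repl, html)


if __name__ == "__main__":
    original = make_index("md5")
    fixed = rewrite_index(original, PACKAGE_FILES)
    print(fixed)
    for href in HREF_RE.findall(fixed):
        name = urlsplit(href).path.rsplit("/", 1)[-1]
        print(name, verify_download(href, PACKAGE_FILES[name], {"sha256"}))
```

      The rewritten fragment is only as trustworthy as the bytes it was computed from: whatever rewrites the index has to digest the exact file the client will download, so editing the HTML alone, without access to the package contents, cannot yield a valid sha256 fragment.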


    • Attachments: nexus_fix.js (0.6 kB), nginx.conf (3 kB), prepare_hashes.py (0.6 kB)



    • Assignee: Unassigned
    • Reporter: James Brophy
    • Last Updated By: Joe Tom
    • Votes: 25
    • Watchers: 27

