Security practices
Token privacy
You need a private token to access channels and content. For your security, save your token in a secure location.
Conda package signature verification
Caution
Conda signature verification requires conda version 4.10.1 or later. Signature verification is not enabled by default.
The conda signature verification feature—available to users with paid access to our premium repository—allows you to detect tampering with packages and package metadata that took place between our secure build process and the end user’s install process. Based on The Update Framework (TUF), it provides defense against a wide variety of attacks.
Please see our blog post on conda signature verification for more information.
Enabling conda signature verification
Install the necessary packages:
conda install "conda>=4.10.1" "conda-token>=0.3.0" conda-content-trust
Use conda-token to configure access, turn on signature verification, and empty the index cache:
conda token set --enable-signature-verification <YOUR_PRODUCT_TOKEN>
Caution
Conda version 23.10+ uses libmamba as the default solver, which bypasses signature verification. If you are using conda 23.10 or later, you must configure your .condarc file to use the classic environment solver by running the following command:
conda config --set solver classic
Conda signature verification should now be enabled. When using conda to install packages from the premium repository, conda informs you of the signature status of the proposed packages by appending the following to trusted packages:
(INFO: package metadata is signed by Anaconda and trusted)
If the trusted signatures do not match the data, tampering may have occurred, and conda will append a warning to the package instead:
(WARNING: metadata signature verification failed)
Note
If no signatures are currently provided for a package (for example, if you are installing from third-party channels), the signature status message is not provided.
Example result:
(environment) ➜ ~ conda install django
## Package Plan ##
environment location: /home/s/miniconda3-av2
added / updated specs:
- django
The following packages will be downloaded:
package | build
---------------------------|-----------------
asgiref-3.3.4 | pyhd3eb1b0_0 24 KB
django-3.2 | pyhd3eb1b0_0 3.1 MB
krb5-1.17.1 | h173b8e3_0 1.3 MB
libpq-12.2 | h20c2e04_0 2.1 MB
psycopg2-2.8.6 | py38h3c74f83_1 160 KB
pytz-2021.1 | pyhd3eb1b0_0 181 KB
sqlparse-0.4.1 | py_0 35 KB
------------------------------------------------------------
Total: 6.9 MB
The following NEW packages will be INSTALLED:
asgiref repo/main/noarch::asgiref-3.3.4-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
django repo/main/noarch::django-3.2-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
krb5 repo/main/linux-64::krb5-1.17.1-h173b8e3_0 (INFO: package metadata is signed by Anaconda and trusted)
libpq repo/main/linux-64::libpq-12.2-h20c2e04_0 (INFO: package metadata is signed by Anaconda and trusted)
psycopg2 repo/main/linux-64::psycopg2-2.8.6-py38h3c74f83_1 (INFO: package metadata is signed by Anaconda and trusted)
pytz repo/main/noarch::pytz-2021.1-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
sqlparse repo/main/noarch::sqlparse-0.4.1-py_0 (INFO: package metadata is signed by Anaconda and trusted)
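The status strings above can be checked mechanically, for example in a CI job that reviews the package plan before installing. The following is an added example, not Anaconda's code: the function names classify_plan and gate, the thirdparty channel and the examplepkg package are hypothetical, and the sample plan is constructed.

```python
import re

# Status strings exactly as conda appends them (quoted from this page).
TRUSTED = "(INFO: package metadata is signed by Anaconda and trusted)"
FAILED = "(WARNING: metadata signature verification failed)"

# One plan line: name, channel/subdir::name-version-build, optional status.
# Only the "NEW packages will be INSTALLED" line format shown on this page
# is parsed; other plan sections are an untested assumption.
SPEC = re.compile(r"^\s*(\S+)\s+(\S+::\S+)\s*(\(.*\))?\s*$")


def classify_plan(output):
    """Map each package spec in the plan to trusted / failed / unsigned."""
    result = {}
    for line in output.splitlines():
        m = SPEC.match(line)
        if not m:
            continue  # headers, download table, blank lines
        _, spec, note = m.groups()
        if note == TRUSTED:
            result[spec] = "trusted"
        elif note == FAILED:
            result[spec] = "failed"
        else:
            # No status message: no signature was provided or checked.
            result[spec] = "unsigned"
    return result


def gate(output, allow_unsigned=False):
    """Return the specs that should block the install under the policy."""
    blocked = []
    for spec, status in classify_plan(output).items():
        if status == "failed" or (status == "unsigned" and not allow_unsigned):
            blocked.append(spec)
    return sorted(blocked)


# Constructed sample plan: one trusted, one failed, one unsigned package.
SAMPLE = """\
The following NEW packages will be INSTALLED:
  django      repo/main/noarch::django-3.2-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
  pytz        repo/main/noarch::pytz-2021.1-pyhd3eb1b0_0 (WARNING: metadata signature verification failed)
  examplepkg  thirdparty/noarch::examplepkg-1.0-py_0
"""

if __name__ == "__main__":
    for spec in gate(SAMPLE):
        print("blocked:", spec)
```

With allow_unsigned=False the gate also blocks packages that carry no status message, which is the stricter policy when every package is expected to come from the premium repository.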
Disabling conda signature verification
To turn the feature off, you can adjust your conda configuration:
conda config --set extra_safety_checks false