Security practices¶
Token privacy¶
You need a private token to access channels and content. The token is a credential: anyone who holds it can pull from your repository as you, so store it in a secure location (a secrets manager or a file with restricted permissions), do not commit it to version control, and do not paste it into shared logs or tickets.
Anaconda Content Trust: conda package signature verification¶
The conda signature verification feature requires conda version 4.10.1 (or later). Using it allows you to detect tampering with packages and package metadata anywhere between our secure build process and the end user’s install process, including on mirrors, proxies, and the network path. Based on The Update Framework (TUF), it provides defense against a wide variety of attacks.
Caution
Conda signature verification is currently off by default and must be turned on explicitly; until you complete the setup below, conda will install packages without checking signatures.
Setup¶
Install the necessary packages:
conda install "conda>=4.10.1" "conda-token>=0.3.0" conda-content-trust
Use conda-token to configure access, turn on signature verification, and empty the index cache:
conda token set --enable-signature-verification <YOUR_PRODUCT_TOKEN>
Result¶
Conda signature verification should now be functional. When you ask conda to install packages from the professional repository, conda will inform you about the signature status of the packages it proposes installing. For example, in this case we’ve run conda install django:
## Package Plan ##
environment location: /home/s/miniconda3-av2
added / updated specs:
- django
The following packages will be downloaded:
package | build
---------------------------|-----------------
asgiref-3.3.4 | pyhd3eb1b0_0 24 KB
django-3.2 | pyhd3eb1b0_0 3.1 MB
krb5-1.17.1 | h173b8e3_0 1.3 MB
libpq-12.2 | h20c2e04_0 2.1 MB
psycopg2-2.8.6 | py38h3c74f83_1 160 KB
pytz-2021.1 | pyhd3eb1b0_0 181 KB
sqlparse-0.4.1 | py_0 35 KB
------------------------------------------------------------
Total: 6.9 MB
The following NEW packages will be INSTALLED:
asgiref repo/main/noarch::asgiref-3.3.4-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
django repo/main/noarch::django-3.2-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
krb5 repo/main/linux-64::krb5-1.17.1-h173b8e3_0 (INFO: package metadata is signed by Anaconda and trusted)
libpq repo/main/linux-64::libpq-12.2-h20c2e04_0 (INFO: package metadata is signed by Anaconda and trusted)
psycopg2 repo/main/linux-64::psycopg2-2.8.6-py38h3c74f83_1 (INFO: package metadata is signed by Anaconda and trusted)
pytz repo/main/noarch::pytz-2021.1-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
sqlparse repo/main/noarch::sqlparse-0.4.1-py_0 (INFO: package metadata is signed by Anaconda and trusted)
Trusted packages are marked with (INFO: package metadata is signed by Anaconda and trusted).
If no signatures are currently provided for a package, for example because you are installing from a third-party channel, that message will not be shown: the package is installed without any signature check, not rejected.
Further, if the trusted signatures do not match the data, tampering may have occurred, and you will receive a warning instead: (WARNING: metadata signature verification failed). Treat that warning as a stop signal and do not proceed with the install until you have determined why the metadata does not match.
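Because conda reports the signature status per package rather than refusing the install, a practitioner will usually want a gate in CI or a provisioning script that reads the plan from conda install --dry-run and fails closed on anything that is not marked trusted. The following is an added example written for this page (it is not part of conda, conda-content-trust, or Anaconda's own tooling). It parses the three outcomes described above (trusted marker present, no marker, verification-failed warning) from a constructed sample plan; the package names examplepkg and badpkg, the conda-forge channel line, and the check_dry_run helper are assumptions for illustration.

```python
"""Gate an install on conda signature-verification status.

Parses the package plan that `conda install --dry-run` prints when
signature verification is on and classifies every package as
trusted, unsigned, or failed. Fails closed: a failed signature always
blocks, and an unsigned package blocks unless explicitly allowed.
"""
import re
import subprocess
from dataclasses import dataclass

# Status markers exactly as conda prints them with verification enabled.
TRUSTED_MARKER = "(INFO: package metadata is signed by Anaconda and trusted)"
FAILED_MARKER = "(WARNING: metadata signature verification failed)"

# One line of the "will be INSTALLED" / "will be UPDATED" list looks like:
#   <name>   <channel>/<subdir>::<name>-<version>-<build>  [(status marker)]
# Only package lines contain the "::" channel separator, so matching on it
# skips the header, spec list, and download table without extra state.
PLAN_LINE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<spec>\S+::\S+)(?P<rest>.*)$")

# Constructed sample plan (not real conda output): two trusted packages,
# one unsigned third-party package, and one failed verification.
SAMPLE_PLAN = """\
## Package Plan ##

  environment location: /home/s/miniconda3-av2

  added / updated specs:
    - django

The following NEW packages will be INSTALLED:

  asgiref            repo/main/noarch::asgiref-3.3.4-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
  django             repo/main/noarch::django-3.2-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
  examplepkg         conda-forge/noarch::examplepkg-1.0-py_0
  badpkg             repo/main/linux-64::badpkg-0.1-h0_0 (WARNING: metadata signature verification failed)

"""


@dataclass
class PackageStatus:
    name: str
    spec: str
    status: str  # "trusted", "unsigned", or "failed"


def classify(line):
    """Return a PackageStatus for one plan line, or None if it is not one."""
    m = PLAN_LINE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if TRUSTED_MARKER in rest:
        status = "trusted"
    elif FAILED_MARKER in rest:
        status = "failed"
    else:
        status = "unsigned"  # no marker: nothing was verified for this package
    return PackageStatus(m.group("name"), m.group("spec"), status)


def parse_plan(output):
    """Collect the status of every package line in a dry-run plan."""
    statuses = (classify(line) for line in output.splitlines())
    return [s for s in statuses if s is not None]


def verdict(packages, allow_unsigned=False):
    """Return (ok, problems).

    Any failed signature is a problem. Unsigned packages are problems
    too unless the caller has consciously allowed third-party channels.
    """
    problems = [
        p for p in packages
        if p.status == "failed" or (p.status == "unsigned" and not allow_unsigned)
    ]
    return (not problems, problems)


def check_dry_run(specs, allow_unsigned=False):
    """Run a real dry run (needs conda on PATH) and return its verdict."""
    proc = subprocess.run(
        ["conda", "install", "--dry-run", *specs],
        capture_output=True, text=True, check=False,
    )
    return verdict(parse_plan(proc.stdout), allow_unsigned)


if __name__ == "__main__":
    ok, problems = verdict(parse_plan(SAMPLE_PLAN))
    for p in problems:
        print(f"{p.status:8} {p.name:12} {p.spec}")
    raise SystemExit(0 if ok else 1)
```

Run against the constructed sample, the gate exits non-zero and lists examplepkg (unsigned) and badpkg (failed); with allow_unsigned=True only badpkg blocks. In a real pipeline, confirm the check is actually active first with conda config --show extra_safety_checks, since with verification off every package will simply appear unsigned and an allow_unsigned gate would silently pass.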
To turn the feature off (for example, to confirm that a failure is caused by verification rather than by the package itself), adjust your conda configuration; remember that with this set to false conda will no longer report or check any signatures:
conda config --set extra_safety_checks false
Please see our blog post on conda signature verification for more information.