Security practices

Token privacy

You need a private token to access channels and content. For your security, please keep your token saved in a secure location.

Conda package signature verification

Caution

Conda signature verification is off by default. Conda version 4.10.1 or later is required.

The conda signature verification feature allows you to detect tampering with packages and package metadata that took place between our secure build process and the end user’s install process. Based on The Update Framework (TUF), it provides defense against a wide variety of attacks.

Enabling conda signature verification

  1. Install the necessary packages:

    conda install "conda>=4.10.1" "conda-token>=0.3.0" conda-content-trust

  2. Use conda-token to configure access, turn on signature verification, and empty the index cache:

    conda token set --enable-signature-verification <YOUR_PRODUCT_TOKEN>

Conda signature verification should now be functional. When you ask conda to install packages from the professional repository, conda will inform you of the signature status of the packages it proposes installing by appending the following to trusted packages:

(INFO: package metadata is signed by Anaconda and trusted)

If the trusted signatures do not match the data, tampering may have occurred, and you will receive a warning instead:

(WARNING: metadata signature verification failed)

Note

If no signatures are currently provided for a package (for example, if you are installing from third-party channels), the signature status message is not provided.

Example result:
(environment) ➜  ~ conda install django

## Package Plan ##

    environment location: /home/s/miniconda3-av2

    added / updated specs:
        - django


The following packages will be downloaded:

    package                    |            build
    ---------------------------|-----------------
    asgiref-3.3.4              |     pyhd3eb1b0_0          24 KB
    django-3.2                 |     pyhd3eb1b0_0         3.1 MB
    krb5-1.17.1                |       h173b8e3_0         1.3 MB
    libpq-12.2                 |       h20c2e04_0         2.1 MB
    psycopg2-2.8.6             |   py38h3c74f83_1         160 KB
    pytz-2021.1                |     pyhd3eb1b0_0         181 KB
    sqlparse-0.4.1             |             py_0          35 KB
    ------------------------------------------------------------
                                        Total:         6.9 MB

The following NEW packages will be INSTALLED:

    asgiref       repo/main/noarch::asgiref-3.3.4-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    django        repo/main/noarch::django-3.2-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    krb5          repo/main/linux-64::krb5-1.17.1-h173b8e3_0 (INFO: package metadata is signed by Anaconda and trusted)
    libpq         repo/main/linux-64::libpq-12.2-h20c2e04_0 (INFO: package metadata is signed by Anaconda and trusted)
    psycopg2      repo/main/linux-64::psycopg2-2.8.6-py38h3c74f83_1 (INFO: package metadata is signed by Anaconda and trusted)
    pytz          repo/main/noarch::pytz-2021.1-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    sqlparse      repo/main/noarch::sqlparse-0.4.1-py_0 (INFO: package metadata is signed by Anaconda and trusted)
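The status annotations above are only useful if someone reads them, so a common practice is to run `conda install --dry-run` in CI and refuse to proceed when any proposed package is not trusted. The following script is an added example, not part of the Anaconda documentation or of conda itself: it parses the per-package lines of a transaction plan, classifies each package as trusted, failed or unsigned using the exact message strings shown on this page, and returns a go/no-go decision. The sample plan is constructed from the output above plus two made-up lines (`evilpkg` and `thirdparty`) that show the WARNING and no-status cases; those package names are placeholders, not real packages.

```python
"""Gate a conda transaction on its signature-verification status.

Added example (not from the Anaconda docs or conda): feed it the text of
`conda install --dry-run <specs>` and it reports which packages conda would
install without a trusted signature.
"""
import re
from collections import Counter

# Exact status strings conda appends, as documented on this page.
TRUSTED_MSG = "package metadata is signed by Anaconda and trusted"
FAILED_MSG = "metadata signature verification failed"

# Matches plan lines of the form
#   <name>   <channel>/<subdir>::<name>-<version>-<build> [(LEVEL: message)]
# Lines from the download table, the "## Package Plan ##" header and the
# shell prompt contain no "::" spec and therefore never match.
PLAN_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<spec>[^\s(]+::\S+)"
    r"(?:\s+\((?P<level>INFO|WARNING):\s*(?P<msg>[^)]*)\))?\s*$"
)


def classify(level, msg):
    """Map conda's status annotation to one of trusted/failed/unsigned/unknown."""
    if level == "INFO" and msg == TRUSTED_MSG:
        return "trusted"
    if level == "WARNING" and msg == FAILED_MSG:
        return "failed"
    if level is None:
        return "unsigned"  # no signatures provided, e.g. a third-party channel
    return "unknown"  # an annotation this script does not recognise


def parse_plan(text):
    """Return {package_name: (spec, status)} for every package line in the plan."""
    results = {}
    for line in text.splitlines():
        m = PLAN_LINE.match(line)
        if m:
            results[m["name"]] = (m["spec"], classify(m["level"], m["msg"]))
    return results


def gate(text, allow_unsigned=False):
    """Decide whether the transaction may proceed.

    Returns (ok, summary). ok is False when any package failed verification,
    carries an unrecognised annotation, or (unless allow_unsigned) has no
    signature status at all.
    """
    statuses = parse_plan(text)
    counts = Counter(status for _, status in statuses.values())
    blocked = sorted(
        name for name, (_, status) in statuses.items()
        if status in ("failed", "unknown")
        or (status == "unsigned" and not allow_unsigned)
    )
    return (not blocked, {"counts": dict(counts), "blocked": blocked})


# Constructed sample: the page's example output, plus two invented lines
# ("evilpkg" and "thirdparty" are placeholders) for the other outcomes.
SAMPLE_PLAN = """\
(environment) ➜  ~ conda install django

## Package Plan ##

    environment location: /home/s/miniconda3-av2

The following packages will be downloaded:

    package                    |            build
    ---------------------------|-----------------
    asgiref-3.3.4              |     pyhd3eb1b0_0          24 KB
    django-3.2                 |     pyhd3eb1b0_0         3.1 MB
    ------------------------------------------------------------
                                        Total:         6.9 MB

The following NEW packages will be INSTALLED:

    asgiref       repo/main/noarch::asgiref-3.3.4-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    django        repo/main/noarch::django-3.2-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    krb5          repo/main/linux-64::krb5-1.17.1-h173b8e3_0 (INFO: package metadata is signed by Anaconda and trusted)
    libpq         repo/main/linux-64::libpq-12.2-h20c2e04_0 (INFO: package metadata is signed by Anaconda and trusted)
    psycopg2      repo/main/linux-64::psycopg2-2.8.6-py38h3c74f83_1 (INFO: package metadata is signed by Anaconda and trusted)
    pytz          repo/main/noarch::pytz-2021.1-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    sqlparse      repo/main/noarch::sqlparse-0.4.1-py_0 (INFO: package metadata is signed by Anaconda and trusted)
    evilpkg       repo/main/noarch::evilpkg-1.0-py_0 (WARNING: metadata signature verification failed)
    thirdparty    conda-forge/noarch::thirdparty-0.1-py_0
"""

if __name__ == "__main__":
    ok, summary = gate(SAMPLE_PLAN)
    print("proceed" if ok else "blocked", summary)
```

In a pipeline you would pipe `conda install --dry-run <specs> 2>&1` into `gate()` and fail the job when it returns `False`; `allow_unsigned=True` lets packages from channels that publish no signatures through while still stopping anything whose signature check failed.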

Disabling conda signature verification

To turn the feature off, you can adjust your conda configuration:

conda config --set extra_safety_checks false

Please see our blog post on conda signature verification for more information.