pip: pip doesn't work in FIPS mode

  • Pip version: pip 7.1.0 from /usr/lib/python2.6/site-packages (python 2.6)

  • Python version: Python 2.6.6

  • Operating System: redhat-release-server-6Server-6.8.0.5.el6.x86_64

Description:

I can’t install any package by pip on systems in FIPS mode (Federal Information Processing Standard). Problem is using hashlib and md5.

>>> hashlib.new("md5").digest_size
*** ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

I received the following traceback.

> /usr/lib/python2.6/site-packages/pip/download.py(490)_check_hash()
-> if download_hash.digest_size != hashlib.new(link.hash_name).digest_size:
(Pdb) hashlib.new(link.hash_name)
*** ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

>> pip install --upgrade pip
Exception:
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/pip/basecommand.py", line 223, in main
    status = self.run(options, args)
  File "/usr/lib/python2.6/site-packages/pip/commands/install.py", line 290, in run
    requirement_set.prepare_files(finder)
  File "/usr/lib/python2.6/site-packages/pip/req/req_set.py", line 334, in prepare_files
    functools.partial(self._prepare_file, finder))
  File "/usr/lib/python2.6/site-packages/pip/req/req_set.py", line 321, in _walk_req_to_install
    more_reqs = handler(req_to_install)
  File "/usr/lib/python2.6/site-packages/pip/req/req_set.py", line 491, in _prepare_file
    session=self.session)
  File "/usr/lib/python2.6/site-packages/pip/download.py", line 826, in unpack_url
    session,
  File "/usr/lib/python2.6/site-packages/pip/download.py", line 674, in unpack_http_url
    from_path, content_type = _download_http_url(link, session, temp_dir)
  File "/usr/lib/python2.6/site-packages/pip/download.py", line 887, in _download_http_url
    _download_url(resp, link, content_file)
  File "/usr/lib/python2.6/site-packages/pip/download.py", line 627, in _download_url
    _check_hash(download_hash, link)
  File "/usr/lib/python2.6/site-packages/pip/download.py", line 490, in _check_hash
    if download_hash.digest_size != hashlib.new(link.hash_name).digest_size:
AttributeError: 'NoneType' object has no attribute 'digest_size'
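
One way to structure a download hash check so that a digest refused in FIPS mode produces a clear, fail-closed error instead of the AttributeError above. This is an added example, not pip's code and not part of the original report; `verify_download`, `parse_fragment`, `HashUnavailable`, `HashMismatch` and `fips_like_factory` are hypothetical names, and the FIPS refusal is simulated by a constructed factory so the block runs on any host.

```python
import hashlib
import hmac


class HashUnavailable(Exception):
    """The digest named in the link is refused or unknown on this host."""


class HashMismatch(Exception):
    """The downloaded bytes do not match the digest in the link."""


def fips_like_factory(name):
    # Constructed stand-in for hashlib.new on a FIPS-mode host: md5 is
    # refused with the error text quoted in the issue.
    if name == "md5":
        raise ValueError("error:060800A3:digital envelope routines:"
                         "EVP_DigestInit_ex:disabled for fips")
    return hashlib.new(name)


def parse_fragment(url):
    """Return (hash_name, hex_digest) from '...#sha256=<hex>', or None."""
    frag = url.partition("#")[2]
    name, sep, digest = frag.partition("=")
    if not (sep and name and digest):
        return None
    return name.lower(), digest.lower()


def verify_download(url, chunks, factory=hashlib.new):
    """Check streamed chunks against the digest in the URL fragment.

    Returns the hash name used, or None when the link carries no digest.
    """
    pinned = parse_fragment(url)
    if pinned is None:
        return None
    name, expected = pinned
    try:
        hasher = factory(name)  # resolve the algorithm before hashing anything
    except ValueError as exc:
        raise HashUnavailable("cannot verify with %s: %s" % (name, exc)) from exc
    for chunk in chunks:
        hasher.update(chunk)
    if not hmac.compare_digest(hasher.hexdigest().encode(), expected.encode()):
        raise HashMismatch("%s digest differs for %s" % (name, url))
    return name
```
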

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 15 (6 by maintainers)

Most upvoted comments

@gshennessy, I think you can just run something like this:

pip install -i https://pypi.org/simple/ requests, replacing requests with your desired package.

Current PyPI relies on MD5 hashes which is not FIPS compatible. You can switch over to using https://pypi.org/simple/ which uses sha256 hashes and thus should be FIPS compatible.

Wanted to mention, MD5 is not secure if pip is using this for integrity verification of packages. It's prone to collision attacks and apps should move to using sha2 or gpg (if they can - although I understand migration can be a challenge for already computed hashes).

That is why FIPS is blocking MD5, as it's a security hazard.

Sorry, @dstufft, how can you switch over to using https://pypi.org/simple/ ? Is it pip configuration? Can it be done from the command-line? Thanks

Never mind. I figured it out: by specifying the -i option. Thanks