Security practices

This topic provides guidance on token privacy and on Anaconda Content Trust (conda package signature verification).

Token privacy

Commercial Edition requires a private token to access its channels and content. The token is a credential: keep it in a secure location, and do not commit it to source control or paste it into shared logs.

Anaconda Content Trust: conda package signature verification

The conda signature verification feature for Commercial Edition users requires conda version 4.10.1 or later. It lets you detect tampering with packages and package metadata anywhere between our secure build process and the end user's installation. It is based on The Update Framework (TUF), which is designed to defend against a range of attacks on software update systems.

Note

Conda signature verification must be turned on explicitly; it is currently off by default.

Setup

  1. Install the necessary packages:

    conda install "conda>=4.10.1" "conda-token>=0.3.0" conda-content-trust
    
  2. Use conda-token to configure your CE access, turn on signature verification, and clear the index cache:

    conda token set --enable-signature-verification <YOUR_COMMERCIAL_EDITION_TOKEN>
    

Result

Conda signature verification should now be working. When you ask conda to install packages from the premium repository, conda reports the signature status of each package it proposes to install. For example, here we ran: conda install django

    ## Package Plan ##

      environment location: /home/s/miniconda3-av2

      added / updated specs:
          - django


    The following packages will be downloaded:

        package                    |            build
        ---------------------------|-----------------
        asgiref-3.3.4              |     pyhd3eb1b0_0          24 KB
        django-3.2                 |     pyhd3eb1b0_0         3.1 MB
        krb5-1.17.1                |       h173b8e3_0         1.3 MB
        libpq-12.2                 |       h20c2e04_0         2.1 MB
        psycopg2-2.8.6             |   py38h3c74f83_1         160 KB
        pytz-2021.1                |     pyhd3eb1b0_0         181 KB
        sqlparse-0.4.1             |             py_0          35 KB
        ------------------------------------------------------------
                                               Total:         6.9 MB

    The following NEW packages will be INSTALLED:

        asgiref            repo/main/noarch::asgiref-3.3.4-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
        django             repo/main/noarch::django-3.2-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
        krb5               repo/main/linux-64::krb5-1.17.1-h173b8e3_0 (INFO: package metadata is signed by Anaconda and trusted)
        libpq              repo/main/linux-64::libpq-12.2-h20c2e04_0 (INFO: package metadata is signed by Anaconda and trusted)
        psycopg2           repo/main/linux-64::psycopg2-2.8.6-py38h3c74f83_1 (INFO: package metadata is signed by Anaconda and trusted)
        pytz               repo/main/noarch::pytz-2021.1-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
        sqlparse           repo/main/noarch::sqlparse-0.4.1-py_0 (INFO: package metadata is signed by Anaconda and trusted)

Trusted packages are marked with (INFO: package metadata is signed by Anaconda and trusted).

If no signature is currently available for a package (for example, because you are installing from a third-party channel), that message is simply absent; conda does not print a separate "unsigned" notice, so the absence of the INFO marker is the only indication.

If a trusted signature does not match the metadata, tampering may have occurred, and you will see the warning (WARNING: metadata signature verification failed).
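Because an unsigned package produces no message at all, a policy that only looks for the WARNING line would silently let third-party or unverified packages through. The following shell script is an added example, not code from the Anaconda documentation or from conda-token: it parses a conda install plan (the transcript format shown above) and fails closed, rejecting any package line that lacks the INFO marker or that carries the WARNING. The sample transcripts are constructed for the demo, and the `gate_install` wrapper is a hypothetical helper that assumes `conda install --dry-run` shows the same INFO/WARNING annotations as a real install.

```shell
#!/bin/sh
# Added example (not Anaconda's or conda-token's code): fail-closed gate for a
# conda install plan. Every package line must carry the "signed by Anaconda and
# trusted" marker; a missing marker (third-party channel, verification not
# enabled) or a verification WARNING fails the gate.
# Marker strings are the ones conda prints in the sample output above.

TRUSTED_MARK='INFO: package metadata is signed by Anaconda and trusted'
FAIL_MARK='WARNING: metadata signature verification failed'

# check_plan: read a conda transcript on stdin. Package lines are the ones that
# contain "channel/subdir::name-version-build". Returns 0 only if every package
# line is trusted; prints each offending line to stderr and returns 1 otherwise.
check_plan() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      *"$FAIL_MARK"*)
        # Signature present but does not match the metadata: possible tampering.
        printf 'FAIL (possible tampering): %s\n' "$line" >&2; bad=1 ;;
      *::*)
        case "$line" in
          *"$TRUSTED_MARK"*) ;;   # signed by Anaconda and trusted
          *) printf 'FAIL (no trusted signature): %s\n' "$line" >&2; bad=1 ;;
        esac ;;
    esac
  done
  return "$bad"
}

# gate_install: hypothetical wrapper (assumption: --dry-run output carries the
# same INFO/WARNING annotations as a real install). Plans first, installs only
# if every package passed check_plan.
gate_install() {
  conda install --dry-run "$@" 2>&1 | check_plan || return 1
  conda install -y "$@"
}

# Constructed sample transcripts for the demo (not real conda output).
PLAN_OK='The following NEW packages will be INSTALLED:

    asgiref            repo/main/noarch::asgiref-3.3.4-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    django             repo/main/noarch::django-3.2-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)'

PLAN_BAD='The following NEW packages will be INSTALLED:

    django             repo/main/noarch::django-3.2-pyhd3eb1b0_0 (WARNING: metadata signature verification failed)
    somepkg            thirdparty/noarch::somepkg-1.0-py_0'

# Stand-alone demo: the first plan is allowed, the second is blocked on two counts.
if printf '%s\n' "$PLAN_OK" | check_plan; then echo "PLAN_OK: allowed"; fi
if printf '%s\n' "$PLAN_BAD" | check_plan 2>/dev/null; then :; else echo "PLAN_BAD: blocked"; fi
```

Before relying on the gate in CI, confirm the feature is actually enabled on the runner (`conda config --show extra_safety_checks` should report `True`); with the feature off, conda prints no INFO markers and the gate would reject everything, which is the intended fail-closed behaviour.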

To turn the feature off, adjust the conda configuration:

    conda config --set extra_safety_checks false

For more information, see our blog post on conda signature verification.