Hosted PyPI repository /simple interface does not provide SHA256 hashes

We are using Sonatype Nexus Repository Manager (OSS 3.21.1-01) to provide a hosted PyPI repository.

Is there a way to make the Nexus hosted PyPI repository provide SHA256 hashes in the /simple web interface’s href attributes that link to the packages being served, as described in PEP 503? Currently, the Nexus hosted PyPI repository’s /simple web interface defaults to providing MD5 hashes for packages.

From PEP 503, describing the /simple interface:

The href attribute MUST be a URL that links to the location of the file for download, and the text of the anchor tag MUST match the final path component (the filename) of the URL. The URL SHOULD include a hash in the form of a URL fragment with the following syntax: #<hashname>=<hashvalue>, where <hashname> is the lowercase name of the hash function (such as sha256) and <hashvalue> is the hex encoded digest.

Repositories SHOULD choose a hash function from one of the ones guaranteed to be available via the hashlib module in the Python standard library (currently md5, sha1, sha224, sha256, sha384, sha512). The current recommendation is to use sha256.

On client systems that are FIPS 140-2 compliant (the MD5 algorithm is disabled), ‘pip’ cannot download packages from the Nexus hosted PyPI repository because it is providing MD5 hashes in the href fragment.

@james.l.brophy Thanks for raising this. Could you file this as an improvement ticket at under the Nexus project please.

Thank you for the suggestion.

I created issue NEXUS-24127.

1 Like