fix #1652: Use GitHub API for standalone python checksums

13steinj · 13steinj · commit 85de6aca63a8 · 2025-08-26T11:48:06.000-05:00
Since the [20250708](https://github.com/astral-sh/python-build-standalone/releases/tag/20250708) release, the [python-build-standalone](https://github.com/astral-sh/python-build-standalone) project does not provide checksum files for individual artifacts, but rather a single `SHA256SUMS` manifest file containing checksums for all artifacts. However, since June 3, the GitHub API [directly provides checksums for release artifacts](https://github.blog/changelog/2025-06-03-releases-now-expose-digests-for-release-assets/). Because we always fetch the latest release and it's been over a month since the last cached index file, we can just save the checksums in out cached index of Python versions.
diff --git a/changelog.d/1652.bugfix.md b/changelog.d/1652.bugfix.md
@@ -0,0 +1 @@
+Set up standalone python fetching to use checksums directly from the GitHub API.
diff --git a/src/pipx/standalone_python.py b/src/pipx/standalone_python.py
@@ -71,7 +71,7 @@ def download_python_build_standalone(python_version: str, override: bool = False
             logger.warning(f"A previous attempt to install python {python_version} failed. Retrying.")
             shutil.rmtree(install_dir)
 
-    full_version, download_link = resolve_python_version(python_version)
+    full_version, (download_link, digest) = resolve_python_version(python_version)
 
     with tempfile.TemporaryDirectory() as tempdir:
         archive = Path(tempdir) / f"python-{full_version}.tar.gz"
@@ -81,7 +81,7 @@ def download_python_build_standalone(python_version: str, override: bool = False
         _download(full_version, download_link, archive)
 
         # unpack the python build
-        _unpack(full_version, download_link, archive, download_dir)
+        _unpack(full_version, download_link, archive, download_dir, digest)
 
         # the python installation we want is nested in the tarball
         # under a directory named 'python'. We move it to the install
@@ -104,15 +104,13 @@ def _download(full_version: str, download_link: str, archive: Path):
             raise PipxError(f"Unable to download python {full_version} build.") from e
 
 
-def _unpack(full_version, download_link, archive: Path, download_dir: Path):
+def _unpack(full_version, download_link, archive: Path, download_dir: Path, expected_checksum: str):
     with animate(f"Unpacking python {full_version} build", True):
         # Calculate checksum
         with open(archive, "rb") as python_zip:
-            checksum = hashlib.sha256(python_zip.read()).hexdigest()
+            checksum = "sha256:" + hashlib.sha256(python_zip.read()).hexdigest()
 
         # Validate checksum
-        checksum_link = download_link + ".sha256"
-        expected_checksum = urlopen(checksum_link).read().decode().rstrip("\n")
         if checksum != expected_checksum:
             raise PipxError(
                 f"Checksum mismatch for python {full_version} build. Expected {expected_checksum}, got {checksum}."
@@ -152,7 +150,7 @@ def get_latest_python_releases() -> List[str]:
         # raise
         raise PipxError(f"Unable to fetch python-build-standalone release data (from {GITHUB_API_URL}).") from e
 
-    return [asset["browser_download_url"] for asset in release_data["assets"]]
+    return [(asset["browser_download_url"], asset.get("digest")) for asset in release_data["assets"]]
 
 
 def list_pythons(use_cache: bool = True) -> Dict[str, str]:
@@ -168,23 +166,23 @@ def list_pythons(use_cache: bool = True) -> Dict[str, str]:
     python_releases = get_or_update_index(use_cache)["releases"]
 
     available_python_links = [
-        link
+        (link, digest)
         # Suffixes are in order of preference.
         for download_link_suffix in download_link_suffixes
-        for link in python_releases
+        for link, digest in python_releases
         if link.endswith(download_link_suffix)
     ]
 
     python_versions: dict[str, str] = {}
-    for link in available_python_links:
+    for link, digest in available_python_links:
         match = PYTHON_VERSION_REGEX.search(link)
         assert match is not None
         python_version = match[1]
         # Don't override already found versions, they are in order of preference
         if python_version in python_versions:
             continue
 
-        python_versions[python_version] = link
+        python_versions[python_version] = link, digest
 
     return {
         version: python_versions[version]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Set up standalone python fetching to use checksums directly from the GitHub API.`