Refactor pip_install.py and provide hashes.

tools/pip_install.py

@@ -75,7 +75,7 @@ def call_with_print(command):
     subprocess.check_call(command, shell=True)
 
 
-def pip_install_with_print(args_str, disable_build_isolation):
+def pip_install_with_print(args_str, disable_build_isolation=True):
     command = ['"', sys.executable, '" -m pip install --disable-pip-version-check ']
     if disable_build_isolation:
         command.append('--no-build-isolation ')
@@ -83,7 +83,7 @@ def pip_install_with_print(args_str, disable_build_isolation):
     call_with_print(''.join(command))
 
 
-def main(args, disable_build_isolation=True):
+def main(args):
     tools_path = find_tools_path()
     working_dir = tempfile.mkdtemp()
 
@@ -98,7 +98,7 @@ def main(args, disable_build_isolation=True):
 
         if os.environ.get('CERTBOT_NO_PIN') == '1':
             # With unpinned dependencies, there is no constraint
-            pip_install_with_print(' '.join(args), disable_build_isolation)
+            pip_install_with_print(' '.join(args))
         else:
             # Otherwise, we merge requirements to build the constraints and pin dependencies
             requirements = None
@@ -112,17 +112,15 @@ def main(args, disable_build_isolation=True):
                 # First step, install the transitive dependencies of oldest requirements
                 # in respect with oldest constraints.
                 pip_install_with_print('--constraint "{0}" --requirement "{1}"'
-                                       .format(all_constraints, requirements),
-                                       disable_build_isolation)
+                                       .format(all_constraints, requirements))
                 # Second step, ensure that oldest requirements themselves are effectively
                 # installed using --force-reinstall, and avoid corner cases like the one described
                 # in https://github.com/certbot/certbot/issues/7014.
                 pip_install_with_print('--force-reinstall --no-deps --requirement "{0}"'
-                                       .format(requirements),
-                                       disable_build_isolation)
+                                       .format(requirements))
 
             pip_install_with_print('--constraint "{0}" {1}'.format(
-                all_constraints, ' '.join(args)), disable_build_isolation)
+                all_constraints, ' '.join(args)))
     finally:
         if os.environ.get('TRAVIS'):
             print('travis_fold:end:install_certbot_deps')

tools/pipstrap.py

@@ -7,16 +7,40 @@ pinned the same way as our other packages.
 """
 from __future__ import absolute_import
 
+import os
+import tempfile
+
 import pip_install
 
 
+# We include the hashes of the packages here for extra verification of
+# the packages downloaded from PyPI. This is especially valuable in our
+# builds of Certbot that we ship to our users such as our Docker images.
+REQUIREMENTS = r"""
+pip==20.2.4 \
+    --hash=sha256:51f1c7514530bd5c145d8f13ed936ad6b8bfcb8cf74e10403d0890bc986f0033 \
+    --hash=sha256:85c99a857ea0fb0aedf23833d9be5c40cf253fe24443f0829c7b472e23c364a1
+setuptools==44.1.1 \
+    --hash=sha256:27a714c09253134e60a6fa68130f78c7037e5562c4f21f8f318f2ae900d152d5 \
+    --hash=sha256:c67aa55db532a0dadc4d2e20ba9961cbd3ccc84d544e9029699822542b5a476b
+wheel==0.35.1 \
+    --hash=sha256:497add53525d16c173c2c1c733b8f655510e909ea78cc0e29d374243544b77a2 \
+    --hash=sha256:99a22d87add3f634ff917310a3d87e499f19e663413a52eb9232c447aa646c9f
+"""
+
+
 def main():
-    pkgs = 'pip setuptools wheel'.split()
-    # We don't disable build isolation because we may have an older version of
-    # pip that doesn't support the flag disabling it. We expect these packages
-    # to already have usable wheels available anyway so no building should be
-    # required.
-    pip_install.main(pkgs, disable_build_isolation=False)
+    with tempfile.TemporaryDirectory() as tempdir:
+        requirements_filepath = os.path.join(tempdir, 'reqs.txt')
+        with open(requirements_filepath, 'w') as f:
+            f.write(REQUIREMENTS)
+        pip_install_args = '--requirement ' + requirements_filepath
+        # We don't disable build isolation because we may have an older
+        # version of pip that doesn't support the flag disabling it. We
+        # expect these packages to already have usable wheels available
+        # anyway so no building should be required.
+        pip_install.pip_install_with_print(pip_install_args,
+                                           disable_build_isolation=False)
 
 
 if __name__ == '__main__':