Include pip requirements hashes

diff --git a/doc/install.rst b/doc/install.rst
index d03034c86d7a835662d24c0ad5930635521d5ce3..77294b37dd9217fda406c5360797d7b252da1b1f 100644 (file)
--- a/doc/install.rst
+++ b/doc/install.rst
@@ -4,7 +4,7 @@ Install
 Preferable way is to :ref:`download <download>` tarball with the
 signature from `official website <http://pyderasn.cypherpunks.ru/>`__::
 
-    $ [fetch|wget] http://pyderasn.cypherpunks.ru/pyderasn-|VERSION|.tar.xz
+    $ [fetch|wget] http://pyderasn.cypherpunks.ru/pyderasn-5.4.tar.xz
     $ [fetch|wget] http://pyderasn.cypherpunks.ru/pyderasn-5.4.tar.xz.sig
     $ gpg --verify pyderasn-5.4.tar.xz.sig pyderasn-5.4.tar.xz
     $ xz --decompress --stdout pyderasn-5.4.tar.xz | tar xf -
@@ -16,9 +16,13 @@ PyDERASN depends on `six <https://pypi.org/project/six/>`__ package
 for keeping compatibility with Py27/Py35. It is included in the tarball.
 You can also find it mirrored on :ref:`download <download>` page.
 
-You could use PIP (**no** authentication is performed!)::
+You could use pip (**no** OpenPGP authentication is performed!) with PyPI::
 
-    $ pip install pyderasn
+    $ cat > requirements.txt <<EOF
+    pyderasn==5.4 --hash=sha256:c6b4cfbe3b4bfb3bed1c5b8fc8e5d4cc78fd2abc10a7c1360336471d9a2b4372
+    six==1.13.0 --hash=sha256:30f610279e8b2578cab6db20741130331735c781b56053c59c4076da27f06b66
+    EOF
+    $ pip install --requirement requirements.txt
 
 You have to verify downloaded tarballs integrity and authenticity to be
 sure that you retrieved trusted and untampered software. `GNU Privacy

diff --git a/makedist.sh b/makedist.sh
index 7d63461754221ab63faed0c8e1cdb70035f0c74b..d947a1d8855e51be22a86a60dd070a5635e1363e 100755 (executable)
--- a/makedist.sh
+++ b/makedist.sh
@@ -21,6 +21,9 @@ mv -v $tmp/six-*/*six.py $tmp/pyderasn-"$release"
 tar xvfC doc/download/termcolor-1.1.0.tar.xz $tmp --include "*/termcolor.py"
 mv -v $tmp/termcolor-*/termcolor.py $tmp/pyderasn-"$release"
 
+pip_hash=$(pip hash dist/pyderasn-"$release".tar.gz | sed -n '$p')
+six_requirement="six==1.13.0 --hash=sha256:30f610279e8b2578cab6db20741130331735c781b56053c59c4076da27f06b66"
+
 cd $tmp
 tar cvf pyderasn-"$release".tar --uid=0 --gid=0 --numeric-owner pyderasn-"$release"
 xz -9v pyderasn-"$release".tar
@@ -39,6 +42,9 @@ An entry for documentation:
      - \`link <download/pyderasn-${release}.tar.xz>\`__
        \`sign <download/pyderasn-${release}.tar.xz.sig>\`__
      - \`\`$hash\`\`
+
+pyderasn==$release $pip_hash
+$six_requirement
 EOF
 
 mv $tmp/$tarball $tmp/"$tarball".sig $cur/doc/download
@@ -68,6 +74,11 @@ SHA256 hash: $hash
 GPG key: 2ED6 C846 3051 02DF 5B4E  0383 04A9 33D1 BA20 327A
          PyDERASN releases <pyderasn at cypherpunks dot ru>
 
+pip'es requirements file:
+
+    pyderasn==$release $pip_hash
+    $six_requirement
+
 Please send questions regarding the use of PyDERASN, bug reports and patches
 to mailing list: https://lists.cypherpunks.ru/mailman/listinfo/pyderasn-devel
 EOF