Packages - Anaconda

Selecting a channel from the Channels page displays its packages.

The channel details page with the package list spotlighted

Searching for packages

If you want to know if a package is available on one of your organization’s channels, search for it by entering the package name into the Search artifacts field.

If you see that the package contains zero files, it means that all the files for that package were removed from the channel, and the package is not available. Select the package to view the reason the files were removed.

Viewing package details

Clicking on any package in a channel will display the package details. From here, you can view the following information:

All the files contained within the package
The package’s dependents (other packages that require this package to operate properly)
The package’s dependencies (other packages that this package needs to operate properly)
CVEs that are associated with files in the package (for Business tier organizations)

Conda automatically installs a package’s dependencies along with the package itself when that package is requested from the channel. If a dependency is not available due to an applied policy filter, you will not be able to build a working environment with the packages from the current channel.

General information about the package, such as its license type, version number, web homepage, and documentation (if available) is also available from this page.

Package signatures

Packages in Anaconda’s repository come with a security signature: a special key value that proves that the package hasn’t been tampered with since going through Anaconda’s curation process. Files within a package that have a signature display a green check beside their names. The actual signature value can be viewed at the bottom of the metadata file.

Viewing package metadata

From the package details view, click on a file’s name to display its metadata. The metadata is a .json formatted file that contains all of the information about the package file.

Click to expand the metadata panel to full screen.

Viewing package SBOMs

Anaconda’s Software Bill Of Materials (SBOMs) are built in accordance with Software Package Data Exchange (SPDX) specifications, version 2.2.1, which specifies the checksum hash values of software down to the individual file level. From the package details view, click on a file’s name, then select the File SBOM tab.

If no SBOM tab appears, there is no SBOM for that package file.

Installing a package in your environment

The package details page also provides you with a command to run if you want to install the package from this channel. Keep in mind that the command also installs the package’s dependencies.

Conda package signature verification

Conda signature verification requires conda version 4.10.1 or later. Signature verification is not enabled by default.

The conda signature verification feature—available to users with paid access to our premium repository—allows you to detect tampering with packages and package metadata that took place between our secure build process and the end user’s install process. Based on The Update Framework (TUF), it provides defense against a wide variety of attacks. Please see our blog post on conda signature verification for more information.

Enabling conda signature verification

Install the necessary packages:

conda install "conda>=4.10.1" "conda-token>=0.3.0" conda-content-trust

Use conda-token to configure access, turn on signature verification, and empty the index cache:

# Replace <TOKEN> with your organization access token
conda token set --enable-signature-verification <TOKEN>

Conda signature verification is now enabled. When using conda to install packages from the premium repository, conda informs you of the signature status of the proposed packages by appending the following to trusted packages:

(INFO: package metadata is signed by Anaconda and trusted)

If the trusted signatures do not match the data, tampering may have occurred, and conda will append a warning to the package instead:

(WARNING: metadata signature verification failed)

If no signatures are currently provided for a package (for example, if you are installing from third-party channels), the signature status message is not provided.

Example result

(environment) ➜  ~ conda install django

## Package Plan ##

    environment location: /home/s/miniconda3-av2

    added / updated specs:
        - django


The following packages will be downloaded:

    package                    |            build
    ---------------------------|-----------------
    asgiref-3.3.4              |     pyhd3eb1b0_0          24 KB
    django-3.2                 |     pyhd3eb1b0_0         3.1 MB
    krb5-1.17.1                |       h173b8e3_0         1.3 MB
    libpq-12.2                 |       h20c2e04_0         2.1 MB
    psycopg2-2.8.6             |   py38h3c74f83_1         160 KB
    pytz-2021.1                |     pyhd3eb1b0_0         181 KB
    sqlparse-0.4.1             |             py_0          35 KB
    ------------------------------------------------------------
                                        Total:         6.9 MB

The following NEW packages will be INSTALLED:

    asgiref       repo/main/noarch::asgiref-3.3.4-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    django        repo/main/noarch::django-3.2-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    krb5          repo/main/linux-64::krb5-1.17.1-h173b8e3_0 (INFO: package metadata is signed by Anaconda and trusted)
    libpq         repo/main/linux-64::libpq-12.2-h20c2e04_0 (INFO: package metadata is signed by Anaconda and trusted)
    psycopg2      repo/main/linux-64::psycopg2-2.8.6-py38h3c74f83_1 (INFO: package metadata is signed by Anaconda and trusted)
    pytz          repo/main/noarch::pytz-2021.1-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    sqlparse      repo/main/noarch::sqlparse-0.4.1-py_0 (INFO: package metadata is signed by Anaconda and trusted)

Disabling conda signature verification

To turn the feature off, you can adjust your conda configuration:

conda config --set extra_safety_checks false

Package Security Manager (Cloud)

​Searching for packages

​Viewing package details

​Package signatures

​Viewing package metadata

​Viewing package SBOMs

​Installing a package in your environment

​Conda package signature verification

​Enabling conda signature verification

​Disabling conda signature verification

Searching for packages

Viewing package details

Package signatures

Viewing package metadata

Viewing package SBOMs

Installing a package in your environment

Conda package signature verification

Enabling conda signature verification

Disabling conda signature verification