Secure Package Downloads for R


Overview

Traditionally, installing packages from CRAN has used standard HTTP connections without encryption. However, it’s now possible to install packages from CRAN using encrypted HTTPS connections. Using an encrypted connection is strongly recommended, as it provides much higher assurance that the code you are downloading is in fact from a legitimate CRAN mirror rather than from another server posing as one.

This article describes how to ensure that you are using an encrypted connection when installing packages from CRAN. In short, two things are required:

  1. The R download.file.method option needs to specify a method that is capable of HTTPS; and

  2. The CRAN mirror you are using must be capable of HTTPS connections (not all of them are).

The actions required to ensure secure package downloads differ depending on whether you are working within RStudio or within another environment (e.g. Shiny Server, R terminal, R GUI, ESS, etc.):

  1. For RStudio users, the RStudio IDE includes an option (enabled by default) that takes care of the required configuration automatically. If you are able to use the latest version of RStudio then doing so is the simplest way to ensure secure connections. See the RStudio Automatic Configuration section below for further details.

  2. If you are not able to upgrade RStudio or are running R in another environment entirely you can still modify your configuration to use secure connections. See the Manual Configuration via .Rprofile section below for further details.

RStudio Automatic Configuration

By default, RStudio automatically configures your R environment for secure downloads from CRAN (and displays a warning message if it’s not able to for some reason). This option is called Use secure download method for HTTP and is available from the Packages pane of the Global Options dialog.

If you are running RStudio v0.99.467 or later and have this option selected (it is by default) then absent a warning message to the contrary your R environment is configured for secure downloads. You can verify this by installing a package and confirming that the download used HTTPS as described in the Testing Your Configuration section below.

If you have this option enabled and still receive a warning message, it’s likely you need to select an alternate CRAN mirror that supports HTTPS. Mirrors currently known to support HTTPS are enumerated below in Secure CRAN Mirrors. It’s also possible that you’ve manually specified a download method or CRAN mirror in your .Rprofile that doesn't support secure downloads. RStudio won’t override manually specified options, so to establish a secure connection you’ll need to either not set these options (allowing RStudio automatic configuration to set them instead) or change them to secure alternatives as described below in Manual Configuration via .Rprofile.

If you are using Packrat to manage your packages within projects, you may also see warnings when switching to an older project. In that case you'll need to update the repository for that project following the directions below.

Preventing Secure Download Warnings

We strongly recommend that if you are using a public CRAN mirror that doesn’t support HTTPS downloads, you switch to one which does. However, if you are using a private/internal CRAN mirror that doesn’t support HTTPS you might wish to disable the secure download warning message. To eliminate the warning message you can do one of two things:

  1. Uncheck the Use secure download method for HTTP option; or

  2. Set the RSTUDIO_DISABLE_SECURE_DOWNLOAD_WARNING environment variable to “1” by setting it in .Renviron or a similar location (see R Startup Files for more on setting environment variables).

The latter might be preferable when you wish to disable the warning for an entire installation of R (e.g. when run on a server or centrally managed desktop environment).

Manual Configuration via .Rprofile

If you are running an older version of RStudio or running R within another environment entirely you can also manually configure a secure download method and CRAN mirror by adding code to your .Rprofile or Rprofile.site file (see R Startup Files for details on where these files are located).

Secure Download Methods

When R transfers files over HTTP (e.g. using the install.packages or download.file function) a download method is chosen based on the download.file.method option. There are several methods available and the default behavior if no option is explicitly specified is to use R’s internal HTTP implementation. In many circumstances this internal method will not support HTTPS connections so you’ll need to override the default.

R 3.2+

R 3.2 added two new download methods (“libcurl” and “wininet”) that both support HTTPS connections. We recommend that you use these new methods when running under R 3.2 or later. The requisite code to add to .Rprofile or Rprofile.site is as follows:

Windows

options(download.file.method = "wininet")

Note that in the upcoming R 3.2.2 release this will no longer be necessary, as the default method is equivalent to “wininet”.

OS X and Linux

options(download.file.method = "libcurl")

Note that if you built R from source the “libcurl” method may or may not have been compiled in. In the case that it wasn’t (i.e. capabilities("libcurl") == FALSE), you can follow the directions for earlier versions of R below to configure an alternate secure method.

R 3.1 and Earlier

Windows

utils::setInternet2(TRUE)
options(download.file.method = "internal")

Note that setInternet2(TRUE) is the default in RStudio; however, it is not the default for R GUI. If you don’t want to use setInternet2(TRUE) on Windows then the only other way to configure secure downloads is to have the “wget” or “curl” utility on your PATH as described for OS X and Linux below.

OS X

options(download.file.method = "curl")

Linux

options(download.file.method = "wget")

Note that the “curl” and “wget” methods will work on any platform so long as the requisite binary is in the system PATH. The recommendations above are based on the fact that “curl” is included in OS X and “wget” is included in most Linux distributions.

Secure CRAN Mirrors

Currently of the over 100 CRAN mirrors only a subset of them support HTTPS connections. As of 7/8/2015 the following mirrors are known to support HTTPS:

Progressively more CRAN mirrors will support HTTPS over time.

To specify one of these mirrors you would add the following code to .Rprofile or Rprofile.site:

local({
  r <- getOption("repos")
  r["CRAN"] <- "https://cran.rstudio.com/"
  options(repos = r)
})
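The Secure Download Methods and Secure CRAN Mirrors sections above each give one line to add for a particular R version and platform. The following is an added example (not from the original article) that combines those rules into a single block for .Rprofile or Rprofile.site: it picks an HTTPS-capable download method by checking the R version, platform, libcurl support and the presence of curl or wget on the PATH, and then pins the CRAN entry of the repos option to the HTTPS mirror used in this article. The warning text and the order of fallbacks are choices made for this example.

```r
## Added example (not from the original article): one .Rprofile block that
## selects an HTTPS-capable download method and an HTTPS CRAN mirror.
## Everything runs inside local() so no helper variables leak into the
## global environment at startup.
local({
  ## 1. Pick a download method that can speak HTTPS, preferring the
  ##    R 3.2+ methods and falling back to external binaries.
  method <- NULL
  if (getRversion() >= "3.2.0") {
    if (.Platform$OS.type == "windows") {
      method <- "wininet"
    } else if (isTRUE(capabilities("libcurl"))) {
      method <- "libcurl"
    }
  }
  if (is.null(method)) {
    ## Older R, or a source build without libcurl: use curl or wget when
    ## one is on the PATH (Sys.which() returns "" if it is not found).
    if (nzchar(Sys.which("curl"))) {
      method <- "curl"
    } else if (nzchar(Sys.which("wget"))) {
      method <- "wget"
    } else if (.Platform$OS.type == "windows") {
      ## Only reached on Windows R < 3.2: the internal method becomes
      ## HTTPS-capable once setInternet2(TRUE) is in effect.
      utils::setInternet2(TRUE)
      method <- "internal"
    }
  }
  if (is.null(method)) {
    warning("No HTTPS-capable download method found; CRAN downloads ",
            "will use whatever R's default method supports.")
  } else {
    options(download.file.method = method)
  }

  ## 2. Point the CRAN repository at an HTTPS mirror.
  r <- getOption("repos")
  r["CRAN"] <- "https://cran.rstudio.com/"
  options(repos = r)
})
```

Because the block runs at startup, restart R after editing the file and then verify the result as described in Testing Your Configuration.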

RStudio Workbench / RStudio Server

If you are running RStudio Workbench (previously RStudio Server Pro) or RStudio Server Open Source, there is also an option you can specify in the /etc/rstudio/rsession.conf file that sets a global CRAN mirror for all users. For example, to set this option to use the RStudio CRAN mirror:

/etc/rstudio/rsession.conf

r-cran-repos=https://cran.rstudio.com

Note that RStudio Workbench and RStudio Server also support setting a global default "repos" option via Rprofile.site, and this may be preferable if users log into the server using both a remote terminal (e.g., SSH) and RStudio Workbench or RStudio Server.

Updating repositories in Packrat

If you are using Packrat to manage packages in your projects, you will also need to update the repositories within your projects to ensure that they are using HTTPS. To do this, simply update the repository you wish to use by running an options(repos = "...") command like the following:

options(repos = "https://cran.rstudio.com")

Then, take a Packrat snapshot of your project by running the following command:

packrat::snapshot()

This should update the repository used for that project. Note that you will need to do this for all your older Packrat projects if they were created while using non-secure repositories.

Testing Your Configuration

The best end-to-end test of your configuration is to install a package and confirm that the URL that it was downloaded from uses HTTPS. For example:

> install.packages("xtable")
trying URL 'https://cran.rstudio.com/bin/macosx/mavericks/contrib/3.2/xtable_1.7-4.tgz'
Content type 'application/x-gzip' length 378723 bytes (369 KB)
==================================================
downloaded 369 KB

The downloaded binary packages are in
    /var/folders/st/b1kz7ydn54nfzfsrl7_hggyc0000gn/T//RtmpYTrkaC/downloaded_packages

You can see that the URL referenced begins with “https” indicating that the download did indeed use a secure channel.
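Watching install.packages() print an https URL is a manual check. The function below is an added example (not from the original article) that performs the same verification from code: it reports the configured download method, whether libcurl was compiled in, and whether the CRAN entry of the repos option is an https:// URL, and with live = TRUE it fetches the CRAN package index over HTTPS using the configured method, so a method without TLS support shows up as a failure. The name check_secure_cran() and the fields it returns are chosen for this example.

```r
## Added example (not from the original article): a diagnostic for the
## "Testing Your Configuration" step. check_secure_cran() and its result
## fields are names chosen for this example. With live = FALSE it only
## inspects options, so it runs offline; live = TRUE also downloads the
## CRAN PACKAGES index over HTTPS using the configured download method.
check_secure_cran <- function(live = FALSE) {
  method <- getOption("download.file.method")
  repos  <- getOption("repos")

  ## Download methods that can handle https:// URLs. "internal" is only
  ## HTTPS-capable on Windows after setInternet2(TRUE), which cannot be
  ## read back from an option, so it is reported as unknown, not as ok.
  https_methods <- c("libcurl", "wininet", "curl", "wget")
  method_status <- if (is.null(method)) {
    "unset (R default)"
  } else if (method %in% https_methods) {
    "ok"
  } else if (method == "internal") {
    "unknown (internal; HTTPS only with setInternet2(TRUE) on Windows)"
  } else {
    "insecure"
  }

  ## The CRAN entry of the repos option must be an https:// URL. A fresh
  ## R install carries the "@CRAN@" placeholder, which fails this test.
  cran_url   <- if ("CRAN" %in% names(repos)) repos[["CRAN"]] else NA_character_
  cran_https <- !is.na(cran_url) && grepl("^https://", cran_url)

  ## Optional live check: fetch the package index from the configured
  ## mirror with the configured method. Any error or warning (for example
  ## an unsupported URL scheme from a method without TLS) is a failure.
  live_ok <- NA
  if (live && cran_https) {
    index <- paste0(sub("/*$", "/", cran_url), "src/contrib/PACKAGES")
    dest  <- tempfile()
    on.exit(unlink(dest), add = TRUE)
    live_ok <- tryCatch(
      download.file(index, dest, quiet = TRUE) == 0 &&
        isTRUE(file.info(dest)$size > 0),
      error = function(e) FALSE,
      warning = function(w) FALSE
    )
  }

  result <- list(
    method        = if (is.null(method)) NA_character_ else method,
    method_status = method_status,
    libcurl       = isTRUE(capabilities("libcurl")),
    cran_url      = cran_url,
    cran_https    = cran_https,
    live_ok       = live_ok
  )
  message("download.file.method: ", result$method, " [", method_status, "]")
  message("libcurl compiled in:  ", result$libcurl)
  message("CRAN repo:            ", cran_url,
          " [", if (cran_https) "https" else "NOT https", "]")
  if (!is.na(live_ok)) {
    message("live HTTPS fetch:     ", if (live_ok) "succeeded" else "FAILED")
  }
  invisible(result)
}

## Usage: check_secure_cran() prints the offline summary;
## check_secure_cran(live = TRUE) also confirms a real HTTPS download.
```

A session is configured as this article intends when method_status is "ok" (or "unset" on R 3.2.2+ Windows, where the default is equivalent to wininet), cran_https is TRUE and, if requested, live_ok is TRUE.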
