Introducing Trusted Publishers

2023-04-20, by Dustin Ingram. Tags: #publishing #security #oidc. Enabling short-lived tokens for upload.

Introduction

Starting today (2023-04-20), PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems.

About trusted publishing

“Trusted publishing” is our term for using the OpenID Connect (OIDC) standard to exchange short-lived identity tokens between a trusted third-party service and PyPI.

This method can be used in automated environments and eliminates the need to use username/password combinations or manually generated API tokens to authenticate with PyPI when publishing.

Instead, PyPI maintainers can configure PyPI to trust an identity provided by a given OpenID Connect Identity Provider (IdP).

This allows PyPI to verify and delegate trust to that identity, which is then authorized to request short-lived, tightly-scoped API tokens from PyPI.

These API tokens never need to be stored or shared, rotate automatically by expiring quickly, and provide a verifiable link between a published package and its source.
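As an added illustration (not PyPI's own code), this is the shape of the claim check an index performs on a GitHub Actions OIDC token after the token's signature has been verified against the IdP's published keys; the claim names follow GitHub's token format, while the audience value, the publisher configuration and the sample claims are assumptions constructed here.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "pypi"  # assumed audience the workflow requests for the token


@dataclass(frozen=True)
class TrustedPublisher:
    """One publisher configured on a project: who may request an upload token."""
    owner: str
    repository: str
    workflow_filename: str
    environment: Optional[str] = None  # optional GitHub environment constraint


def workflow_filename_from_ref(job_workflow_ref: str, repository: str) -> Optional[str]:
    """'owner/repo/.github/workflows/release.yml@refs/tags/v1' -> 'release.yml'."""
    prefix = f"{repository}/.github/workflows/"
    path, _, _ = job_workflow_ref.partition("@")
    if not path.startswith(prefix):
        return None  # workflow ref belongs to a different repository
    return path[len(prefix):]


def check_claims(claims: dict, publisher: TrustedPublisher, now: Optional[float] = None) -> list[str]:
    """Return the names of failed checks; an empty list means a token may be minted."""
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") != GITHUB_ISSUER:
        failures.append("issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        failures.append("audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        failures.append("expiry")  # short-lived: a stale token is rejected outright
    expected_repo = f"{publisher.owner}/{publisher.repository}"
    if claims.get("repository") != expected_repo or claims.get("repository_owner") != publisher.owner:
        failures.append("repository")
    if workflow_filename_from_ref(claims.get("job_workflow_ref", ""), expected_repo) != publisher.workflow_filename:
        failures.append("workflow")
    if publisher.environment is not None and claims.get("environment") != publisher.environment:
        failures.append("environment")
    return failures


SAMPLE_CLAIMS = {  # constructed sample claim set, not a real token
    "iss": GITHUB_ISSUER, "aud": "pypi", "exp": 1_700_000_600,
    "repository": "octo-org/octo-pkg", "repository_owner": "octo-org",
    "job_workflow_ref": "octo-org/octo-pkg/.github/workflows/release.yml@refs/tags/v1.0",
    "environment": "pypi",
}
```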

Using trusted publishing with GitHub Actions

PyPI currently supports trusted publishing with GitHub Actions, using their support for OpenID Connect.

After configuring PyPI to trust a given GitHub repository and workflow, users of the PyPA’s ‘pypi-publish’ GitHub Action can adopt trusted publishing by removing the username and password fields from their workflow configuration, and adding permissions to generate an identity token:

jobs:
   pypi-publish:
     name: upload release to PyPI
     runs-on: ubuntu-latest
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     steps:
       # retrieve your distributions here

       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          username: __token__
-          password: ${{ secrets.PYPI_TOKEN }}
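Review bot: the job-level `permissions:` block added here replaces the workflow's default token permissions, so every unspecified scope becomes `none`; any other permission the job's steps rely on (for example `contents: read` for checking out a private repository in the "retrieve your distributions" step) must be listed alongside `id-token: write`, or that step will fail after this change.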

Using the PyPA’s GitHub action is strongly recommended, but not required.

More details on how to manually exchange tokens are available in our documentation.

Get started today

To get started with using trusted publishers on PyPI, see our documentation here: https://docs.pypi.org/trusted-publishers/

Acknowledgements

Funding for this work was provided by the Google Open Source Security Team, and much of the development work was performed by Trail of Bits, with special thanks to contributor William Woodruff.

Many thanks as well to Sviatoslav Sydorenko, maintainer of the PyPA’s ‘pypi-publish’ GitHub Action for his quick and timely work to add support for trusted publishers in the action.

Finally, we want to thank all our beta testers, including GitHub staff, for working with us to ensure this feature is intuitive and useful, and for providing valuable feedback to improve this feature along the way.
