| title |
Trusted Publishing: Lessons from PyPI |
| date |
2023-10-26 |
| authors |
|
| conference |
|
| resources |
| label |
path |
Slides |
Trusted Publishing: Lessons from PyPI.pdf |
|
|
This talk will provide a developer-minded introduction to "trusted publishing,"
an OpenID Connect-based authentication scheme that PyPI has successfully
deployed to reduce the need for (and risk associated with) manual configured
API tokens. Thousands of packages (including many of Python's most critical
packages) have already enrolled in trusted publishing, improving the overall
security posture (and audibility) of the Python ecosystem.
We will cover trusted
publishing in two parts: the first part will be a high-level overview of the
trusted publishing scheme and how it uses ephemeral OpenID Connect credentials,
including motivation for the scheme's security properties and how they improve
upon pre-existing package index authentication schemes (e.g. user/password pairs
and long-lived API tokens). The second part will dive into the nitty-gritty
details of how trusted publishing was implemented on PyPI, and will serve as
both a retrospective on the work and a reference for other package indices
considering similar models: it will cover some of the challenges posted by OIDC
(including support for multiple identity providers), threat model
considerations, as well as "knock-on" benefits (such as future adjoiners with
code-signing schemes like Sigstore).