{"id":633244,"date":"2023-04-21T09:55:49","date_gmt":"2023-04-21T14:55:49","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/04\/21\/pypi-introduces-trusted-publishers\/"},"modified":"2023-04-21T09:55:49","modified_gmt":"2023-04-21T14:55:49","slug":"pypi-introduces-trusted-publishers","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/04\/21\/pypi-introduces-trusted-publishers\/","title":{"rendered":"PyPI Introduces \u201cTrusted Publishers\u201d"},"content":{"rendered":"
\n

<\/p>\n
\n

by: Dustin Ingram \u00b7 <\/b><\/p>\n

2023-04-20<\/span><\/p>\n

Starting today, PyPI package maintainers can adopt a new, more secure
\npublishing method that does not require long-lived passwords or API tokens to
\nbe shared with external systems.<\/p>\n

About trusted publishing<\/h3>\n

“Trusted publishing” is our term for using the OpenID Connect (OIDC)<\/a> standard
\nto exchange short-lived identity tokens between a trusted third-party service
\nand PyPI. This method can be used in automated environments and eliminates the
\nneed to use username\/password combinations or manually generated API tokens to
\nauthenticate with PyPI when publishing.<\/p>\n

Instead, PyPI maintainers can configure PyPI to trust an identity provided by a
\ngiven OpenID Connect Identity Provider (IdP). This allows allows PyPI to verify
\nand delegate trust to that identity, which is then authorized to request
\nshort-lived, tightly-scoped API tokens from PyPI. These API tokens never need
\nto be stored or shared, rotate automatically by expiring quickly, and provide a
\nverifiable link between a published package and its source.<\/p>\n

Using trusted publishing with GitHub Actions<\/h3>\n

PyPI currently supports trusted publishing with GitHub Actions, using their
\nsupport for OpenID Connect<\/a>.<\/p>\n

After configuring PyPI to trust a given GitHub repository and workflow, users
\nof the PyPA’s ‘pypi-publish’ GitHub Action<\/a> can adopt trusted publishing by
\nremoving the username<\/code> and password<\/code> fields from their workflow
\nconfiguration, and adding permissions to generate an identity token:<\/p>\n

\n
<\/span>jobs:<\/span>\n <\/span>  pypi-publish:\n <\/span>    name: upload release to PyPI\n <\/span>    runs-on: ubuntu-latest\n+    permissions:<\/span>\n+      # IMPORTANT: this permission is mandatory for trusted publishing<\/span>\n+      id-token: write<\/span>\n <\/span>    steps:\n <\/span>      # retrieve your distributions here\n\n <\/span>      - name: Publish package distributions to PyPI\n <\/span>        uses: pypa\/gh-action-pypi-publish@release\/v1\n-        with:<\/span>\n-          username: __token__<\/span>\n-          password: ${{ secrets.PYPI_TOKEN }}<\/span>\n<\/code><\/pre>\n<\/div>\n
Additional security hardening is available<\/h3>\n
PyPI package maintainers can further increase the security of their release
\nworkflows by configuring trusted publishers to only release from a specific
\nGitHub Actions environment<\/a>.<\/p>\n
Configuring an environment is optional, but strongly recommended: with a GitHub
\nenvironment, you can apply additional restrictions to your trusted GitHub
\nActions workflow, such as requiring manual approval on each run by a trusted
\nsubset of repository maintainers.<\/p>\n
Unblocking future security improvements<\/h3>\n
In addition to making publishing more secure now, the availability of trusted
\npublishers unblocks additional future security improvements for PyPI.<\/p>\n
Configuring and using a trusted publisher provides a ‘strong link’ between a
\nproject and its source repository, which can allow PyPI to verify related
\nmetadata, like the URL of a source repository for a project1<\/a><\/sup>. Additionally,
\npublishing with a trusted publisher allows PyPI to correlate more information
\nabout where a given file was published from in a verifiable way.<\/p>\n
Finally, although trusted publishers is currently limited to GitHub Actions,
\nmuch of the underlying work that went into making this feature possible is
\ngeneralizable and not specific to a single publisher. We’re interested in
\nsupporting the ability to publish from additional services that provide OpenID
\nConnect identities.<\/p>\n
Get started today<\/h3>\n
To get started with using trusted publishers on PyPI, see our documentation
\nhere: https:\/\/docs.pypi.org\/trusted-publishers\/<\/a>.<\/p>\n
Acknowledgements<\/h3>\n
Funding for this work was provided by the Google Open Source Security Team, and
\nmuch of the development work was performed by Trail of Bits<\/a>, with special
\nthanks to contributor William Woodruff<\/a>.<\/p>\n
Many thanks as well to Sviatoslav Sydorenko<\/a>, maintainer of the PyPA’s
\n‘pypi-publish’ GitHub Action<\/a> for his quick and timely work to add support for
\ntrusted publishers in the action.<\/p>\n
Finally, we want to thank all our beta testers, including GitHub staff, for
\nworking with us to ensure this feature is intuitive and useful, and for
\nproviding valuable feedback to improve this feature along the way.<\/p>\n
\n
Dustin Ingram is a maintainer of the Python Package Index and a director of
\nthe Python Software Foundation.<\/em><\/p>\n<\/p><\/div>\n
      <\/main><\/p><\/div>\n
Read More<\/a>
\n Blythe Drews<\/p>\n","protected":false},"excerpt":{"rendered":"
by: Dustin Ingram \u00b7 2023-04-20 Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems. About trusted publishing “Trusted publishing” is our term for using the OpenID Connect (OIDC) standard to exchange short-lived identity tokens between a<\/p>\n","protected":false},"author":1,"featured_media":633245,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1536,46,42399],"tags":[],"class_list":{"0":"post-633244","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-introduces","8":"category-technology","9":"category-trusted"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/633244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=633244"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/633244\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/633245"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=633244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=633244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=633244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Using the PyPA’s GitHub action is strongly recommended, but not required. More
\ndetails on how to manually exchange tokens are available in our
\ndocumentation<\/a>.<\/p>\n