PyPI now allows you to publish packages without being tied to passwords and tokens


PyPI is the official software repository for third-party applications in the Python programming language.

A few days ago the news broke that the Python package repository PyPI (Python Package Index) now offers a new, more secure method of publishing packages, one that removes the need to store long-lived passwords and API access tokens in external systems (for example, in GitHub Actions).

The new authentication method is called "Trusted Publishers" and is designed to address the problem of malicious updates being released after an external system is compromised and stored passwords or tokens fall into the wrong hands.

Starting today, PyPI package maintainers can adopt a new, more secure publishing method that doesn't require long-lived passwords or API tokens to share with external systems.

It is mentioned that this new authentication method confers significant usability and security advantages compared to the other traditional PyPI authentication methods:

  • Usability: With trusted publishing, users no longer need to manually create API tokens in PyPI and copy and paste them into their CI provider. The only manual step is to configure the publisher in PyPI.
  • Security: regular PyPI API tokens are long-lived, which means that an attacker who compromises a package's release process can use the token until its legitimate owner notices and manually revokes it. Similarly, uploading with a password means that an attacker can upload to any project associated with the account. Trusted Publishing avoids both of these problems: issued tokens expire automatically and are limited to only the packages they are authorized to upload to.

Regarding this new authentication method, it is mentioned that it is based on the OpenID Connect (OIDC) standard, which uses time-limited authentication tokens exchanged between external services and PyPI to validate a package publish operation, rather than a traditional login/password or a persistent, manually generated API access token.

“Trusted Publication” is our term for using the OpenID Connect (OIDC) standard to exchange short-lived identity tokens between a trusted third-party service and PyPI. This method can be used in automated environments and eliminates the need to use username/password combinations or manually generated API tokens to authenticate with PyPI when publishing.

On the other hand, it is also mentioned that package maintainers can, on the PyPI side, trust identities provided by external OpenID Providers (IdPs), which the external service will then use to request short-lived tokens from PyPI.

The generated OpenID Connect tokens confirm the relationship between the project and the publisher, which allows PyPI to perform additional metadata verification, such as checking that the published package is associated with a specific repository. Tokens are not persistent, they are tied to specific projects, and they automatically expire after a short lifetime.

Instead, PyPI maintainers can configure PyPI to trust an identity provided by a given OpenID Connect identity provider (IdP). This allows PyPI to verify and delegate trust to that identity, which is then authorized to request limited-scope, short-lived API tokens from PyPI. These API tokens never need to be stored or shared, rotate automatically by expiring quickly, and provide a verifiable link between a published package and its source.

As of today, the "Trusted Publishers" mechanism is implemented and running for workflows run on GitHub Actions. Last but not least, it is also mentioned that support for Trusted Publishers on other external services is expected in the future.
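To make the GitHub Actions side concrete, here is an added example of a release workflow (not taken from the article or from PyPI's documentation): the older pattern with a long-lived API token stored as a repository secret is shown as a comment beside the trusted-publishing version, which only needs the `id-token: write` permission. The workflow filename, the `pypi` environment and the project are assumptions and must match what was registered as the trusted publisher on PyPI.

```yaml
# .github/workflows/publish.yml  (hypothetical name; it must match the
# workflow filename registered for this project on PyPI)
name: Publish to PyPI

on:
  release:
    types: [published]

jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    # Optional GitHub environment; if one was registered on PyPI it must match.
    environment: pypi
    permissions:
      # Lets this job request a short-lived OIDC identity token from GitHub.
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.x"
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      # Before (long-lived token copied into repository secrets; anyone who
      # reads the secret can upload until the maintainer revokes it):
      #   - uses: pypa/gh-action-pypi-publish@release/v1
      #     with:
      #       password: ${{ secrets.PYPI_API_TOKEN }}

      # After: no 'password:' input. The action exchanges GitHub's OIDC token
      # for a PyPI token scoped to this project and valid only for this run.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Removing the `PYPI_API_TOKEN` secret from the repository after the switch is what actually closes the long-lived-credential risk the article describes.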

Finally, if you are interested in learning more about it, you can check the details at the following link.
