Skip to main content

đź“© Stay Updated! Follow us on LinkedIn and join our mailing list for the latest news!

New Guide for Package Repositories to Adopt Trusted Publishers

By August 5, 2024Blog, Guest Blog
New Guide for Package Repositories to Adopt Trusted Publishers

By Seth Michael Larson

The Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group (WG) has just released a new guide for maintainers of open source software repositories. The guide details a new security capability named “Trusted Publishers” which utilizes the OpenID Connect standard (OIDC) to authenticate with a package repository without the use of long-lived secrets thus avoiding many related security and operational challenges.

Trusted Publishers: Enhancing Security for Open Source Repositories

The guide details the implementation and design considerations gathered from implementing Trusted Publishers in multiple open source software repositories like the Python Package Index (PyPI) and Rubygems.org.

Implementation and Design Considerations

Trusted Publishers pair well with other security technologies like SLSA build provenance as they are built on the same underlying technology in OIDC. For some identity providers, Trusted Publishers also allow binding verifiable metadata like the source repository URL to a published artifact to avoid social confusion attacks like “Star-Jacking”.

User Adoption and Impact

In addition to added security benefits, Trusted Publishers are popular with users when they’re available. For example, PyPI added support for Trusted Publishers in April of 2023 and has since seen over 14,000 projects voluntarily adopt Trusted Publishers.

Accessing and Contributing to the Guide

You can find the guide hosted on openssf.org and submit contributions on GitHub. Thanks to everyone in the working group who contributed their expertise and reviews during the writing of this guide.

About the OpenSSF Securing Software Repositories Working Group

The OpenSSF Securing Software Repositories Working Group focuses on the maintainers of software repositories, software registries, and tools which rely on them. The working group provides a forum to share experiences and to discuss shared problems, risks, and threats. For more information on the OpenSSF Securing Software Repositories Working Group, see our GitHub Repo.

About the Author

SethLarsonSeth Larson is the Security Developer-in-Residence at the Python Software Foundation, Python Software Foundation Fellow, maintainer of popular Python open source packages like urllib3 and Requests, and an advocate for open source sustainability and security.