PyPI Introduces Index-Hosted Digital Attestations for Packages


Quick take - The Python Package Index (PyPI) has implemented a new security feature called index-hosted digital attestations, as described in PEP 740, to enhance package distribution security by improving usability, verifiability, and provenance, particularly for packages published through the Trusted Publishing mechanism.

Fast Facts

  • PyPI has launched index-hosted digital attestations to enhance package distribution security, as detailed in PEP 740, improving usability and cryptographic strength.
  • Attestations are enabled by default for packages published with the Trusted Publishing mechanism from version 1.11.0 of the PyPA publishing action for GitHub onwards. Trusted Publishing allows approved identities to upload releases without manual API tokens.
  • Over 19,000 projects are registered as Trusted Publishers, collectively publishing nearly half a million files, with other ecosystems like RubyGems and crates.io interested in similar features.
  • Attestations link package identities to their provenance using ephemeral key pairs, but currently, only 5% of the 360 most-downloaded packages on PyPI have uploaded attestations.
  • Future plans include developing a verification plugin architecture for installation clients and a “trust on first use” model to enhance the verification process for signing identities.

PyPI Introduces Index-Hosted Digital Attestations

The Python Package Index (PyPI) has introduced a new security feature known as index-hosted digital attestations, as outlined in PEP 740. The feature is intended to improve on traditional PGP signatures in usability, index verifiability, cryptographic strength, and the provenance properties of package distributions.

Trusted Publishing Mechanism

Attestations are now enabled by default for packages published using the Trusted Publishing mechanism, starting from version 1.11.0 of the PyPA publishing action for GitHub. Trusted Publishing allows project maintainers to declare approved identities, such as GitHub and GitLab, which can upload new releases without the need for a manually configured API token. To verify the authenticity of requests from these Trusted Publishers, the system uses public key cryptography via OpenID Connect (OIDC). This OIDC flow enables Trusted Publishers to automatically obtain a short-lived, minimally-scoped PyPI API token, thereby reducing the risk of credential leaks.

Currently, over 19,000 individual projects have registered as Trusted Publishers, collectively publishing nearly half a million files to PyPI. Other software ecosystems, including RubyGems and Rust’s crates.io, have shown interest in adopting similar Trusted Publishing features to enhance their security protocols.

Integration with Sigstore

The integration of Sigstore offers a solution for binding short-lived signing keys to machine identities, effectively connecting Trusted Publishing initiatives with package provenance. This collaboration allows for the generation of publicly verifiable credentials without revealing sensitive OIDC credentials. PEP 740 specifically outlines how Sigstore and Trusted Publishing relate to package distribution through a defined attestation payload. Attestations are signed using an ephemeral key pair that links the distribution’s identity to its provenance.

Packages uploaded with attestations now include a key in the JSON simple API, along with a corresponding attribute in the PEP 503 index that references a provenance object. As of October 29, attestations are the default for packages utilizing Trusted Publishing via the PyPA publishing action for GitHub. This change enables approximately 20,000 packages to attest to their provenance by default, with expectations for this number to grow.

Future Enhancements and Research Opportunities

How much a package’s attestations matter tracks how significant the package is, as measured by total download counts. A tracking tool named “Are We PEP 740 Yet?” monitors the adoption of PEP 740 attestations among the 360 most-downloaded packages on PyPI. Currently, only 5% of these packages have uploaded attestations, and many of them have not been updated since the feature was implemented.

However, PEP 740 does not define a verification flow for installation clients, which may limit the short-term impact of index-hosted attestations. Ongoing efforts aim to develop a plugin architecture for verification logic in installation clients. Future enhancements include plans for a “trust on first use” model for signing identities, which is expected to bolster verification processes. Moreover, the anticipated adoption of standardized lockfiles, as defined in PEP 751, is expected to improve the storage and verification of expected distribution identities.

Researchers may leverage PEP 740 attestations for security and supply chain research, given their verifiable connection between source repositories and packages. Incident responders could benefit from these attestations by simplifying the process of tracing artifacts back to their source. Users who control their build systems can integrate attestation verification into their own build processes.
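
A build-time policy gate over the index metadata described above, as an added example (not code from PyPI, PEP 740, or the original article). It reads the `provenance` key of a JSON simple API response, then checks the publisher and the in-toto subject inside a provenance object. All sample data is constructed, the `repository` and `workflow` publisher fields are assumed to follow the shape used for GitHub publishers, and the Sigstore signature itself is not verified here.

```python
import base64
import json

def sample_statement(name, sha256):
    """Build a base64 in-toto statement for the constructed sample below."""
    body = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": name, "digest": {"sha256": sha256}}]}
    return base64.b64encode(json.dumps(body).encode()).decode()

# Constructed sample data (not real PyPI responses; URLs are placeholders).
SAMPLE_INDEX = {"name": "sampleproject", "files": [
    {"filename": "sampleproject-1.0.tar.gz", "hashes": {"sha256": "aa" * 32},
     "provenance": "https://index.example/provenance/sampleproject-1.0.tar.gz"},
    {"filename": "sampleproject-0.9.tar.gz", "hashes": {"sha256": "bb" * 32},
     "provenance": None},
]}
SAMPLE_PROVENANCE = {"version": 1, "attestation_bundles": [{
    # Assumed publisher shape for a GitHub Trusted Publisher.
    "publisher": {"kind": "GitHub", "repository": "example-org/sampleproject",
                  "workflow": "release.yml"},
    "attestations": [{"version": 1, "verification_material": {}, "envelope": {
        "statement": sample_statement("sampleproject-1.0.tar.gz", "aa" * 32),
        "signature": ""}}],  # signature left empty: not checked in this example
}]}

def files_without_provenance(index):
    """Filenames whose index entry has no provenance URL (key absent or null)."""
    return [f["filename"] for f in index["files"] if not f.get("provenance")]

def check_provenance(prov, filename, sha256, expected_repo):
    """Return policy problems; an empty list means the structural checks passed."""
    bundles = prov.get("attestation_bundles", [])
    if not bundles:
        return ["provenance object has no attestation bundles"]
    problems = []
    for bundle in bundles:
        pub = bundle.get("publisher", {})
        if pub.get("repository") != expected_repo:
            problems.append(f"unexpected publisher: {pub.get('kind')} {pub.get('repository')}")
        attestations = bundle.get("attestations", [])
        if not attestations:
            problems.append("bundle carries no attestations")
        for att in attestations:
            stmt = json.loads(base64.b64decode(att["envelope"]["statement"]))
            subjects = {(s["name"], s["digest"].get("sha256")) for s in stmt["subject"]}
            if (filename, sha256) not in subjects:
                problems.append("attestation subject does not match file name and digest")
    return problems
```

A real gate would run these checks only after the attestation's signature has been verified with a Sigstore-capable verifier, since the publisher and subject fields are otherwise unauthenticated.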
