Trusted Publishing: Lessons from PyPI

Explore the concept of "trusted publishing" in this 24-minute conference talk by William Woodruff from Trail of Bits, presented at OpenSSF. Gain a developer-focused introduction to the OpenID Connect-based authentication scheme successfully implemented by PyPI to reduce reliance on manual API tokens. Discover how thousands of packages, including critical Python packages, have adopted trusted publishing to enhance security and auditability in the Python ecosystem. Delve into a two-part discussion: first, examine the high-level overview of trusted publishing, its use of ephemeral OpenID Connect credentials, and its security advantages over traditional authentication methods. Then, dive into the technical details of PyPI's implementation, addressing challenges with OIDC, multiple identity provider support, threat model considerations, and potential future integrations with code-signing schemes like Sigstore.