PyPI Enables Passwordless Package Publishing

Python Pypi Introduces Secure Method of Publishing Packages to Combat Malicious Updates

Python Package Index (Pypi) has introduced a new authentication method called “Trusted Publishers” to prevent malicious updates where predetermined passwords or tokens fall into the wrong hands. The new method eliminates the need for fixed passwords and access tokens on external systems.

The authentication method uses the standard Openid Connect (OIDC), which exchanges authentication tokens with a limited time of action to confirm the package publishing operation, instead of traditional login/passwords or manually-provided constant API access. External services exchange these tokens with the Pypi catalog.

The “Trusted Publishers” mechanism is already implemented for handlers launched at Github Actions, and other external services are expected to support it in the future. Accompanying packages can put a sign of trust on the PYPI side to identifiers provided to the external providers Openid (IDP, Openid Connect Identity Provider).

The PYPI performs additional verification of metadata with the generated Openid Connect tokens, ensuring the published package correlates with a certain repository. These tokens are not preserved or attached to certain APIs and automatically expire after a short time of life.

In March 2023, Sonatype company identified 6933 harmful packets in the catalog Pypi. Since 2019, over 115 thousand malicious packages have been identified in the PYPI. Attackers typically mask most of these packages for popular libraries using Typskvotynt. With this technique, attackers create package names that differ from popular libraries by a few individual symbols, counting on inattentive users.

Most malicious actions reduce to sending confidential data found on the local system as a result of determining standard files with passwords, access keys, cryptocurrencies, tokens, session cookies, and other confidential information.

Source: https://blog.pypi.org/posts/2023-04-20-20-20-20-indrustucing-trusted-publishers/

/Reports, release notes, official announcements.