Replies: 2 comments
-
|
YES supporting OIDC is one of the authorization recommendations in the Principles for Package Repository Security by the OpenSSF, and I think it makes a lot of sense for crates.io to support it. I am in favor of this and I would be happy to help you write your first RFC however I can :) |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
I mentioned this briefly in one of the team meetings, but figured putting the words down would be a good idea. 🙂
I'd like to explore implementing "trusted publishing" for crates.io. There's a great blog post by Trail of Bits explaining it and its advantages to security and usability. PyPi supports trusted publishers, so we have some prior art that can guide our own implementation. Their official documentation can be found here.
I'll do my best to summarize what this would mean...
Instead of using long-lived API tokens to publish crates, authors would publish through GitHub Actions using signed JWTs to authentication and perform authorized actions on crates.io. This "trusted publishing" uses the OpenID Connect (OIDC) standard as the authentication mechanism.
The JWT will have a set of claims on it that we can use to verify the incoming request and whether it is authorized to perform the particular action (ex. publishing a new version of a crate). There are a lot of potential claims we can use for authorization logic, but I think following PyPi's choices is a great place to start. They require users to define the trusted GitHub organization/owner name, repository name, workflow name (ex. release.yaml), and optionally a GitHub environment name.
I suspect will need some changes to
cargoas well to make migrations to this publishing method smoother for users.If we're on board, I can attempt to write my first RFC. 😅
Beta Was this translation helpful? Give feedback.
All reactions