#trustedpublishing — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #trustedpublishing, aggregated by home.social.
-
Weekend side project: Site that shows a timeline of package registries that support Trusted Publishing (and when support was added).
To my knowledge, the following package registries support Trusted Publishing:
- pub.dev
- PyPI
- RubyGems
- JSR
- crates.io
- npm
- NuGet
https://jduabe.dev/posts/2025/are-we-trusted-publishing-yet/
-
via @dotnet : New Trusted Publishing enhances security on NuGet.org
https://ift.tt/FWdNpaR
#TrustedPublishing #NuGet #GitHubActions #Security #ShortLivedKeys #APIkeys #SoftwareDevelopment #OpenSSF #NuGetCommunity #SecurePublishing #DevOps #CI #Cont…
-
I wrote an annotated version of a talk I gave at my local Python meetup (Python WA) a couple of weeks ago; Trusted Publishing & Digital Attestations in the OSS Ecosystem.
With the recent attacks on popular packages and registries, it's important to learn what tools and techniques are available to increase trust and security in our software supply chain.
https://jduabe.dev/posts/2025/trusted-publishing-attestations/
-
Trusted Publishing gives provenance of which repo the files were uploaded from, the workflow file, and commit. For example:
https://pypi.org/project/urllib3/2.3.0/#urllib3-2.3.0-py3-none-any.whl
Downstream verification for installers such as pip is the next step:
https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/
-
Setting up trusted publishing with uv in GHA:
1. set up trusted publishing in PyPI
2. add `permissions: {id-token: write}` and a `uv publish` step to the workflow
3. profit