Rust contributors are discussing a new RFC that proposes adding support for “Trusted Publishing” to Crates.io, a more secure publishing method for package maintainers that exchanges short-lived identity tokens between a trusted third-party service and package registries.
Crate authors currently publish via user-created API tokens, which have a number of security drawbacks detailed in the proposal:
- By default, they are long-lived and do not expire.
- They can be used from any source without restriction.
- When using the tokens in automated workflows, they must be created in advance and copied by a human -- increasing the risk of accidental exposure.
- Manually-configured API tokens need to be manually revoked if compromised.
In 2020, the Rust team was notified of a vulnerability affecting Crates.io API token generation and storage, and out of an abundance of caution they revoked all existing tokens. As part of that investigation, they also found that API keys were stored in plain text, which would have granted an attacker API access for all current tokens. These oversights were remedied at the time, but the incident highlighted the need for a more secure authentication mechanism.
Since that time, Crates.io has grown significantly, now hosting more than 157,000 crates which have received a cumulative 82+ billion downloads. In 2023, Crates.io had more downloads (13.5 billion) than the previous 7+ years combined (13.2 billion).
It’s clear that a more robust system like Trusted Publishing would greatly improve security and reduce the risks associated with token management across Crates.io’s rapidly growing user base.
Inspired by PyPI, RubyGems.org, and other registries that have adopted this authentication mechanism, Rust contributors contend that Trusted Publishing will offer a major improvement for Crates supply chain security. The authentication method is rapidly gaining traction with open source package repositories as a better way to protect both developers and end users from the risks of long-lived API tokens.
The RFC recommends using a phased process to transition from API tokens to short-lived access tokens granted via the OpenID Connect (OIDC) protocol to authenticate and authorize actions with the crates.io APIs. Trusted Publishing would first be rolled out for those using GitHub Actions, which makes up the largest user base of Crates authors. This would be followed by support for other CI/CD trusted publishers, including GitLab and CircleCI.
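To make the exchange concrete, here is an added example (not code from the RFC or from crates.io) that models both sides of a Trusted Publishing flow: the CI provider mints a short-lived identity token for one workflow run, and the registry verifies its signature, issuer, audience and expiry, checks the repository and workflow claims against a configured trust relationship, and only then issues a short-lived publish token scoped to a single crate. The issuer URL, audience string, claim names and crate/repository names are all assumptions made up for the example, and the token is signed with HMAC purely so the code runs offline; a real OIDC provider signs with an asymmetric key published at a JWKS endpoint, and the registry would verify against that public key instead of a shared secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the CI provider's signing key (assumption for the
# example only). Real OIDC providers sign with RSA/ECDSA keys published at a
# JWKS URL; HMAC is used here so the example has no external dependencies.
PROVIDER_KEY = b"constructed-example-key"
ISSUER = "https://ci.example"      # assumed issuer URL
AUDIENCE = "registry.example"      # assumed registry audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def ci_mint_id_token(repository: str, workflow: str, now: int, ttl: int = 300) -> str:
    """CI provider side: mint a short-lived identity token for one workflow run.
    Nothing here is copied by a human; the token is created at run time and
    expires after `ttl` seconds."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "repository": repository,   # e.g. "org/repo" that ran the workflow
        "workflow": workflow,       # the workflow file that ran
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(PROVIDER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# Registry-side trust configuration (constructed): which repository/workflow
# pair is allowed to publish which crate. This is the "trusted relationship"
# a maintainer sets up once between the CI provider and the registry.
TRUSTED_PUBLISHERS = {
    "example-crate": {"repository": "example-org/example-crate", "workflow": "release.yml"},
}


def registry_exchange(id_token: str, crate: str, now: int):
    """Registry side: verify the identity token and, if it matches a configured
    trusted publisher for `crate`, return (True, publish_token); otherwise
    return (False, reason). Every check happens before any token is issued."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, c, s = parts
    # 1. Signature: the token must come from the CI provider we trust.
    expected = hmac.new(PROVIDER_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(c))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    # 2. Issuer and audience: reject tokens minted for some other service.
    if claims.get("iss") != ISSUER:
        return False, "untrusted issuer"
    if claims.get("aud") != AUDIENCE:
        return False, "wrong audience"
    # 3. Expiry: a leaked token is useless minutes later.
    if now >= claims.get("exp", 0):
        return False, "token expired"
    # 4. Trust relationship: only the configured repository/workflow may publish.
    trust = TRUSTED_PUBLISHERS.get(crate)
    if trust is None:
        return False, "no trusted publisher configured"
    if (claims.get("repository"), claims.get("workflow")) != (trust["repository"], trust["workflow"]):
        return False, "claims do not match trusted publisher"
    # 5. Issue a short-lived publish token bound to this crate and this run.
    publish_token = {"crate": crate, "repository": claims["repository"], "exp": now + 900}
    return True, publish_token


if __name__ == "__main__":
    now = 1_700_000_000
    token = ci_mint_id_token("example-org/example-crate", "release.yml", now)
    print(registry_exchange(token, "example-crate", now + 100))
    print(registry_exchange(token, "example-crate", now + 400))   # expired
```

The point of the structure is that none of the drawbacks listed earlier survive: the identity token is minted per run and expires in minutes, it is bound to a specific issuer and audience, the registry decides which repository and workflow may publish which crate, and there is no long-lived secret for a maintainer to copy, store, or remember to revoke.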
Although there are several potential hurdles to adoption, such as the initial complexity of setting up a trusted relationship between the CI/CD provider and crates.io and the relatively steep learning curve, the RFC highlights PyPI’s success. In the 18 months since it was deployed, PyPI has seen more than 16,000 projects voluntarily adopt this new authentication method.
The RFC also notes that OAuth 2.0 combined with the OpenID Connect protocol is widely used and well-documented, and that the Rust ecosystem could “benefit from the cumulative security expertise intrinsically embedded into these solutions.”
While this RFC is still in the proposal stage, it has garnered positive feedback from developers who see it as a necessary step forward for Rust's security. The increasing reliance on third-party code makes verifying the integrity of published code more critical than ever. Rust, being a widely adopted language for systems programming, has not been immune to supply chain risks. The new proposal to add Trusted Publishing makes a strong case for reducing the risk of leaked credentials, limiting the potential for existing crates to be hijacked or compromised.