The Python Package Index (PyPI) has announced support for digital attestations. This new feature allows package maintainers to publish signed digital attestations when uploading their projects, providing an additional layer of trust and verification for users.
What Are Digital Attestations?
Digital attestations are cryptographic statements or proofs that verify the authenticity, integrity, and origin of a digital artifact, like a software package. In the context of software distribution, a digital attestation serves as a "seal" or "proof" that a package is genuinely created by the declared author, has not been tampered with, and originates from a specific, verifiable source.
The PEP (Python Enhancement Proposal) for this new feature identified several motivations for adding digital attestations, including the following:
- Maintainers wish to demonstrate the integrity and authenticity of their package uploads;
- Individual downstream users wish to verify package integrity and authenticity without placing additional trust in their index’s honesty;
- “Bulk” downstream users (such as Operating System distributions) wish to perform similar verifications and potentially re-expose or countersign for their own downstream packaging ecosystems.
PyPI has a new web UI for viewing per-file attributes, which can be found on the #files page for each project. This is the example included in the announcement:
https://pypi.org/project/sampleproject/#sampleproject-4.0.0.tar.gz
PyPI adopted Trusted Publishing in 2023, a more secure publishing method for package maintainers that exchanges short-lived identity tokens between a trusted third-party service and PyPI. Trail of Bits, the company contracted to assist PyPI with implementing trusted publishing and digital attestations, said this new security feature will likely be enabled by default for those who are already in this workflow:
The good news: if you already publish packages to PyPI using Trusted Publishing, you likely won’t have to change a single thing: the official PyPI publishing workflow has attestation support built right in, enabled by default as of v1.11.0 and newer. In other words, so long as you already use (or upgrade to) pypa/gh-action-pypi-publish@v1.11.0 or newer and with a Trusted Publisher, your packages will get build provenance by default!
The PyPI documentation has more information on how to generate and upload attestations automatically by default, with no additional configuration necessary.
Why Digital Attestations Are a Big Deal for Python Security
This new security feature has the potential to greatly deter unsophisticated and opportunistic attacks on PyPI packages, as attackers would now need to overcome the challenge of accessing private signing identities.
Digital attestations also enhance index verifiability. The feature’s PEP notes that the only attestation currently provided by the index is an optional PGP signature per release file: “These signatures are not (and cannot be) checked by the index either for well-formedness or for validity, since the index has no mechanism for identifying the right public key for the signature. This PEP overcomes this limitation by ensuring that provenance objects contain all of the metadata needed by the index to verify an attestation’s validity.”
PyPI disabled PGP signature uploads in May 2023 after an investigation found that only 36% of them were capable of being meaningfully verified, which constituted signatures for only 0.3% of all of those files. The many issues with the feature had already caused PyPI to deemphasize it by removing signatures from the web user interface.
Unlike PGP, the digital attestations feature PyPI is rolling out has the advantage of being verified by the index itself, and also comes with metadata support.
“A key problem this solves is cryptographically linking packages published on PyPI to the exact source code that was used to build those packages,” Simon Willison, co-creator of the Django Web Framework, commented on his blog. “In the absence of this feature there are no guarantees that the .tar.gz or .whl file you download from PyPI hasn't been tampered with (to add malware, for example) in a way that's not visible in the published source code.”
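To make the tamper-detection point concrete, the following added example (not code from PyPI, Trail of Bits, or the PEP) checks that an attestation's in-toto statement names the exact file that was downloaded, by file name and SHA-256 digest. The field names follow the provenance object layout defined in PEP 740, which this article does not reproduce; the project name, repository, and placeholder certificate and signature values are constructed. It checks the subject binding only and does not verify the signature or signing certificate, which requires a Sigstore verifier.

```python
import base64
import hashlib
import json


def check_provenance(provenance: dict, filename: str, file_bytes: bytes) -> list:
    """Return the publishers whose attestation statements name this exact file.

    Checks only the subject binding (file name + SHA-256). It does NOT verify
    the signature or certificate; that step needs a Sigstore verifier.
    """
    actual = hashlib.sha256(file_bytes).hexdigest()
    matched = []
    for bundle in provenance.get("attestation_bundles", []):
        for att in bundle.get("attestations", []):
            try:
                raw = base64.b64decode(att["envelope"]["statement"])
                subjects = json.loads(raw).get("subject", [])
            except (ValueError, KeyError, AttributeError, TypeError):
                continue  # malformed attestation: never treat it as a match
            for subject in subjects:
                digest = subject.get("digest", {}).get("sha256")
                if subject.get("name") == filename and digest == actual:
                    matched.append(bundle.get("publisher"))
    return matched


def build_sample(filename: str, file_bytes: bytes) -> dict:
    """Construct a sample provenance object (placeholder, unsigned values)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": filename,
                     "digest": {"sha256": hashlib.sha256(file_bytes).hexdigest()}}],
        "predicateType": "https://docs.pypi.org/attestations/publish/v1",
        "predicate": None,
    }
    envelope = {"statement": base64.b64encode(json.dumps(statement).encode()).decode(),
                "signature": "PLACEHOLDER"}
    material = {"certificate": "PLACEHOLDER", "transparency_entries": []}
    attestation = {"version": 1, "verification_material": material, "envelope": envelope}
    publisher = {"kind": "GitHub", "repository": "example-org/example-project",
                 "workflow": "release.yml"}
    return {"version": 1, "attestation_bundles": [
        {"publisher": publisher, "attestations": [attestation]}]}


if __name__ == "__main__":
    sdist = b"constructed sdist contents"
    prov = build_sample("example_project-1.0.0.tar.gz", sdist)
    print(check_provenance(prov, "example_project-1.0.0.tar.gz", sdist))
    print(check_provenance(prov, "example_project-1.0.0.tar.gz", sdist + b"tampered"))
```

A match here only means the statement refers to this file; trust in the publisher identity still depends on verifying the signature over the statement.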
Adoption and Early Momentum
With over 20,000 attestations already published, the adoption of this feature is off to a strong start. Because attestations are generated and published by default when using the established GitHub Actions workflow with Trusted Publishing, the community should quickly see more attestations on PyPI projects. This seamless integration simplifies the adoption of the new security features without requiring significant changes to existing maintainer workflows.
Trail of Bits is tracking the adoption of PEP 740 (Python’s standard for defining cryptographically verifiable attestations hosted by indices like PyPI) on a website called “Are we PEP 740 yet?” The site shows which of the 360 most-downloaded packages on PyPI have been uploaded with attestations (in green). This figure is at 21 out of 360 at the time of publishing. The uncolored packages were last uploaded before attestations were available and the yellow packages have no attestations uploaded.
Trail of Bits' announcement notes that “So far, 5% of the 360 most-downloaded packages have attestations uploaded. But there’s a confounding factor: around two-thirds of the most-downloaded packages haven’t been updated at all since attestation enablement, meaning that we don’t yet know how many will have attestations, once they make a new release!”
This initiative represents a proactive step toward bolstering the security of the Python package ecosystem. By facilitating verifiable attestations, PyPI enhances trust between package maintainers and consumers, mitigating risks of supply chain attacks. As more projects adopt this feature, the overall integrity and security of Python software distribution are expected to improve, benefiting the entire community.
Check out the official announcement on the PyPI blog and the Trail of Bits blog for a more technical deep dive into the details.