Add option to relinquish user-based publish privileges for projects with Trusted Publishing enabled

[sethmlarson]

What's the problem this feature will solve?

Currently being an admin/maintainer of a PyPI project forces your account to have the "publish" privilege. If Trusted Publishers is enabled, having user publish privileges for a project is only additional attack surface area for malware to be published. Opting-in to "Trusted Publisher" publishing only reduces that attack surface to being able to thwart GitHub Environments or access to GitHub accounts.

Describe the solution you'd like

If a project has trusted publishing enabled and has successfully published once with the trusted publisher (ie the trusted publisher isn't pending) then add an additional hardening option in the project settings to relinquish user publishing privileges for a project.

With user publishing privileges relinquished:

• Admins/maintainers of the project can't publish using username/password or API tokens
• New trusted publisher configuration can't be added. Existing trusted publisher configuration can't be removed completely, must always have at least 1 trusted publisher configured.
• Admins/maintainers can still yank releases as normal.

Additional context

• This will add additional support burden to PyPI if users mis-configure their publishing or at a later time want to migrate to a new service (ie GitHub -> GitLab)

[di]

Would this effectively make Trusted Publishing permanent for the project name? Would there ever be a way for the project to disable Trusted Publishing without admin intervention?

(Probably worth considering this in the context of #13366 as well).

[sethmlarson]

That would be the intention yes, once this option is enabled the name would have a permanent Trusted Publisher configuration until a support request to disable it went through. I can also see a future where one could "upgrade" their Trusted Publisher configuration into a same owner/name/workflow configured "Trusted Builder" once we start looking at SLSA.

[dstufft]

I'm not sure I understand what this gains? Even if someone disables user level publishing, they can still add new trusted publishers that can release instead, and it's not like dstufft/foo vs sethmlarson/foo on github is a meaningful security boundary.

[woodruffw]

New trusted publisher configuration can't be added. Existing trusted publisher configuration can't be removed completely, must always have at least 1 trusted publisher configured.

This in particular might cause a lot of support load: I could see users wanting to slightly tweak their trusted publishers (e.g. release.yml -> publish.yml, changing a GitHub username to an owning org, etc.).

Maybe a (slightly) weaker version of this makes sense? Something like:

• A project can be put into "publisher only" mode, which is permanent (modulo admin intervention, e.g. for takeover);
• In publisher only mode, releases can only be made through trusted publishers; any user- or project-scoped tokens that previously covered the project cease to be valid for it;
• The project must always have at least one trusted publisher configured; project owners can modify the trusted publisher at will.

So basically the same as the original proposal, except that the original trusted publisher configuration can be replaced 🙂

That still leaves account takeovers/new publishers as an attack vector however, per @dstufft's point. So I think I agree with him about the gains here being murky.

[davidism]

There's also a problem if a project wants to migrate off GitHub in the future and trusted publishing isn't available at the new location.

[davidism]

I think it would still serve a useful purpose to be able to toggle user/token publishing from the management page. Disabling it would prevent accidental publishing. Enabling it could be useful in unusual circumstances, and should send an email notification like other changes do.

[dstufft]

Currently API tokens are only good for publishing, if you don't want to accidentally publish you could presumably just not create any API tokens? I guess if you want to create new projects from the command line, without enabling uploading projects?

I guess I'm not like, inherently against the idea, I'm just having a hard time understanding what we actually gain.

[davidism]

I have a community organization account, similar to Jazzband if you're familiar with it, where we collect popular Flask extensions for shared community maintenance. Some users have "maintainer" status so they can make releases instead of only commit access. Many of the projects aren't yet set up for trusted publishing either, so as that's enabled for each one we can make sure maintainers don't still manually publish. It would be nice for them to be able to get access to PyPI and manual publishing in case of some sort of issue (such as me not being around for some reason), but for normal circumstances keep it to only trusted publishing.

[dstufft]

Ah okay. That makes a bit more sense then, I was still thinking in terms of security boundary and whole accounts at a time rather than thinking of it as a transitional or more narrow scope thing.

I don't personally have any opposition to a flag on a project to make it trusted publishing only, but it should be something that can be toggled on and off rather than some one way switch.

[ristomcgehee]

Having the ability to toggle on/off a "trusted publishing only" mode sounds like the right approach to me. If that's the consensus, I'm willing to start work on this issue.