Zach Steindler, GitHub
Signing software has never been easy. Securing access to private keys, distributing public keys, and being able to rotate key material all pose challenges. Several package ecosystems (npm, Homebrew, PyPI, Maven Central, and RubyGems) are moving from traditional PGP signatures to build attestations. These attestations not only ensure the integrity of the package, but also include non-falsifiable links back to the specific source code revision, build instructions, and build logs of a package. We'll show you how to access this new source of information, describe how it helped respond to the Ultralytics package compromise on PyPI in December of 2024, and describe how it works by walking you through how to add this information to open source packages you maintain.
Zach is the chair of the OpenSSF's Technical Advisory Council and co-chair of the Securing Repositories Working Group which helps coordinate security improvements in programming language package repositories like PyPI and RubyGems. He works at GitHub on securing software development for open source and enterprises. Away from computers he enjoys gardening and welding.
author = {Zach Steindler},
title = {Securing Packages in npm, Homebrew, {PyPI}, Maven Central, and {RubyGems}},
year = {2025},
address = {Seattle, WA},
publisher = {USENIX Association},
month = aug
}