New Trusted Publishing enhances security on NuGet.org - .NET Blog

Announcing Trusted Publishing on NuGet.org - a safer way to publish packages using short-lived tokens instead of long-lived API keys

@sysosmaster @0x40k

Trusted Publishing gives provenance of which repo the files were uploaded from, the workflow file, and commit. For example:

https://pypi.org/project/urllib3/2.3.0/#urllib3-2.3.0-py3-none-any.whl

Downstream verification for installers such as pip is the next step:

https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/

#python #PEP740 #PyPI #TrustedPublishing