Provide Trusted Publisher information pypi's API

[lukehinds]

What's the problem this feature will solve?

Trusted publisher is now a feature in pypi, with plans to render the information on the UI care of #14727 - "verified via Trusted Publishing"

It would be useful to provide the same information via the API. This way anyone who ingests the API and consults the metadata such as source repository, has an improved level of confidence that this is correct (over the previous implementation which allowed publishers to stuff made up values in setup.py / pyproject.toml)

Describe the solution you'd like

Render a value via the API to signify the package was published using trusted publisher.

Additional context

[di]

Thanks for the issue @lukehinds.

I'm not sure I see the value in an API field like trusted_publishing: true -- this doesn't actually provide any additional assurances about where the package came from or whether the provided metadata is accurate. An attacker (e.g. a starjacker) could still publish from one repository via trusted publishing and say the project is from another repo.

Instead, it would probably make more sense to expose something like the repository URL that has been configured for trusted publishing, but this is a fairly GitHub-centric view and wouldn't cover other future publishers that we have plans to add support for (like Activestate, Google Cloud Build, etc). We'd need to think about how to do this in a consistent way that still allows us to accommodate the potential variations between different trusted publishers.

[lukehinds]

An attacker (e.g. a starjacker) could still publish from one repository via trusted publishing and say the project is from another repo.

I can't confess to have read the code behind TP, but are you sure its possible to just stuff any value in? From what I can tell you have explicitly list the repo and workflow URI in order for OIDC publishing to work. If no validation still occurs, that's quite an omission.

[di]

It is possible to put any information you want in those fields, but it's only possible to publish from the repository that's been configured.

However, that's not what I'm talking about: regardless of what is in those fields, metadata like Project-Url comes from the artifact itself and doesn't currently have any relationship to what trusted publisher is configured (which is why we're talking about 'verifying' it in #14727). We don't currently surface the values that trusted publishing is configured with anywhere publicly.

[lukehinds]

Thanks for the info @dl. I might not have been clear enough here with my thinking, my suggestion is when we are 'verifying' it in #14727 , we also expose the same via the API.

[woodruffw]

Triaging: this is included in PEP 740, which we're tracking with #15871 🙂

[woodruffw]

Update: TP metadata is now indirectly supplied in the simple HTML and JSON APIs, per PEP 740.

xref: #16546

[di]

(This was temporarily rolled back, but will be resolved soon, so I'll leave this closed)