Template for a Python package with a secure project host and package repository configuration.
Project description
Secure Python package template
Template for a Python package with a secure project host and package repository configuration.
The goals of this project are to:
- Show how to configure a Python package hosted on GitHub with:
- Operational security best-practices
- Automated publishing to PyPI
- Code quality and vulnerability scanning
- Build reproducibility
- Releases with provenance attestation
- Obtain a perfect rating from OpenSSF Scorecard
- SLSA Level 3 using GitHub OIDC
Configuring git
Git needs to be configured to be able to sign commits and tags. Git uses GPG for signing, so you need to
create a GPG key
if you don't have one already. Make sure you use a email address associated with your GitHub account
as the email address for the key. If you wish to keep your email address private you should use GitHub's provided noreply
email address.
$ gpg --full-generate-key
After you've generated a GPG key you need to add the GPG key to your GitHub account. Then locally you can configure git to use your signing key:
$ git config --global --unset gpg.format
# List GPG secret keys, in this example the key ID is '3AA5C34371567BD2'
$ gpg --list-secret-keys --keyid-format=long
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid Hubot <hubot@example.com>
ssb 4096R/4BB6D45482678BE3 2016-03-10
# Tell git about your signing key
$ git config --global user.signingkey 3AA5C34371567BD2
# Then tell git to auto-sign commits and tags
$ git config --global commit.gpgsign true
$ git config --global tag.gpgSign true
Now all commits and tags you create from this git instances will be signed and show up as "verified" on GitHub.
Creating the GitHub repository
Clone this repository locally:
$ git clone ssh://git@github.com/sethmlarson/secure-python-package-template
Cloning into 'secure-python-package-template'...
...
Receiving objects: 100% (79/79), 29.37 KiB | 1002.00 KiB/s, done.
Resolving deltas: 100% (20/20), done.
Rename the folder to the name of the package and remove existing git repository:
$ mv secure-python-package-template package-name
$ cd package-name
$ rm -rf .git
Create a new git repository and ensure the branch name is main
:
$ git init
Initialized empty Git repository in .../package-name/.git/
$ git status
On branch main
No commits yet
...
If the branch isn't named main
you can rename the branch:
$ git branch -m master main
Create an empty repository on GitHub. To ensure the repository is empty you shouldn't add a README file, .gitignore file, or a license yet. For the examples below the GitHub repository will be named sethmlarson/package-name
but you should substitute that with the GitHub repository name you chose.
We need to tell our git repository about our new GitHub repository:
$ git remote add origin ssh://git@github.com/sethmlarson/package-name
Change all the names and URLs be for your own package. Places to update include:
README.md
pyproject.toml
(project.name
andproject.urls.Home
)src/{{secure_package_template}}
tests/test_{{secure_package_template}}.py
You should also change the license to the one you want to use for the package. Update the value in here:
LICENSE
README.md
Now we can create our initial commit and ensure it is signed by default:
$ git add .
$ git commit -m "Initial commit"
# Verify that this commit is signed. If not you
# should configure git to auto-sign commits.
$ git verify-commit HEAD
gpg: Signature made Fri 15 Jul 2022 10:55:10 AM CDT
gpg: using RSA key 9B2E1343B0B201B8883C79E3A99A0A21AD478212
gpg: Good signature from "Seth Michael Larson <sethmichaellarson@gmail.com>" [ultimate]
Now we push our commit and branch:
$ git push origin main
Enumerating objects: 25, done.
Counting objects: 100% (25/25), done.
Delta compression using up to 12 threads
Compressing objects: 100% (21/21), done.
Writing objects: 100% (25/25), 17.92 KiB | 1.28 MiB/s, done.
Total 25 (delta 0), reused 0 (delta 0), pack-reused 0
To ssh://github.com/sethmlarson/package-name
* [new branch] main -> main
Success! You should now see the commit and all files on your GitHub repository.
Configuring PyPI
PyPI is increasing the minimum requirements for account security and credential management to make consuming packages on PyPI more secure. This includes eventually requiring 2FA for all users and requiring API tokens to publish packages. Instead of waiting for these best practices to become required we can opt-in to them now.
Obtain an API token
API tokens will eventually be required for all packages to publish to PyPI.
- Upload a dummy v0.0 package under the desired package name using your PyPI username and password.
- Create an API token that is scoped to only the package
- Copy the value into your clipboard, it will be used later (see
PYPI_TOKEN
in the GitHub Environments section below)
Opt-in to required 2FA
If you don't have 2FA enabled on PyPI already there's a section in the PyPI Help page about how to enable 2FA for your account. To make 2FA required for the new project:
- Open "Your projects" on PyPI
- Select "Manage" for the project
- Settings > Enable 2FA requirement for project
Configuring the GitHub repository
Dependabot
- Settings > Code security and analysis
- Dependency graph should be enabled. This is the default for public repos.
- Enable Dependabot security updates
CodeQL and vulnerable code scanning
- CodeQL is already configured in
.github/workflows/codeql-analysis.yml
- Configure as desired after reading the documentation for CodeQL.
Protected branches
- Settings > Branches
- Select the "Add rule" button
- Branch name pattern should be your default branch, usually
main
- Enable "Require a pull request before merging"
- Enable "Require approvals". To get a perfect score from OpenSSF scorecard metric "Branch Protection" you must set the number of required reviewers to 2 or more.
- Enable "Dismiss stale pull request approvals when new commits are pushed"
- Enable "Require review from Code Owners"
- Enable "Require status checks to pass before merging"
- Add all status checks that should be required. For this template they will be:
Analyze (python)
Test (3.8)
Test (3.9)
Test (3.10)
- Ensure the "source" of all status checks makes sense and isn't set to "Any source". By default this should be configured properly to "GitHub Actions" for all the above status checks.
- Enable "Require branches to be up to date before merging". Warning: This will increase the difficulty to receive contributions from new contributors.
- Add all status checks that should be required. For this template they will be:
- Enable "Require signed commits". Warning: This will increase the difficulty to receive contributions from new contributors.
- Enable "Require linear history"
- Enable "Include administrators". This setting is more a reminder and doesn't prevent administrators from temporarily disabling this setting in order to merge a stuck PR in a pinch.
- Ensure that "Allow force pushes" is disabled.
- Ensure that "Allow deletions" is disabled.
- Select the "Create" button.
Protected tags
- Settings > Tags > New rule
- Use a pattern of
*
to protect all tags - Select "Add rule"
Publish GitHub Environment
- Settings > Environments > New Environment
- Name the environment:
publish
- Add required reviewers, should be maintainers
- Select "Save protection rules" button
- Select "Protected Branches" in the deployment branches dropdown
- Select "Add secret" in the environment secrets section
- Add the PyPI API token value under
PYPI_TOKEN
Private vulnerability reporting
- Settings > Code security and analysis
- Select "Enable" for "Private vulnerability reporting". This will allow users to privately submit vulnerability reports directly to the repository.
- Update the URL in the
SECURITY.md
file to the URL of your own repository.
Verifying configurations
Verifying reproducible builds
- Find the latest release that was done via the publish GitHub Environment. (v0.1.0)
- Pull up the release page on PyPI.
- Select the "Download files" tab.
- For each
.whl
file select "view hashes" and copy the SHA256 and save the value somewhere (de58d65d34fe9548b14b82976b033b50e55840324053b5501073cb98155fc8af
) - Clone the GitHub repository locally. Don't use an existing clone of the repository to avoid tainting the workspace (
$ git clone ssh://git@github.com/sethmlarson/secure-python-package-template
) - Check out the corresponding git tag (
$ git checkout v0.1.0
) - Run
$ git log -1 --pretty=%ct
and store this value (1656789393
) - Export the stored value into
SOURCE_DATE_EPOCH
($ export SOURCE_DATE_EPOCH=1656789393
) - Install the dependencies for publishing (
$ python -m pip install -r requirements/publish.txt
) - Run
$ python -m build
- Run
sha256sum dist/*.whl
- Compare SHA256 hashes with the values on PyPI. They should match for each
.whl
file.
License
CC0-1.0
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for secure_package_template-0.5.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 3ce3ffba589c22cbe7bdcca97953bfe1dcb4fe1e9c39d3bad76a5313e65c8f91 |
|
MD5 | 6304a599002d921a984d1320c4317be3 |
|
BLAKE2b-256 | 2d9e950096bd3553d7c56bcfdcd20f1392dffe899f430e0dd006d58720793b4e |
Hashes for secure_package_template-0.5.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 0c9ddc014524b661b45667b683022a8b98ec341ca60aed9fd6e3173b231061e6 |
|
MD5 | 1034587ad2d3c1a773708a3b37e8ec54 |
|
BLAKE2b-256 | fce8258799318ad13f6ab6d76c75e9be8e8dced573ece6a9ac7be385c96c3214 |