← Retour au blog
tech 8 July 2026

Why You Shouldn't Trust Trusted Publishing

Trusted Publishing isn't for you to trust. It's a machine-to-machine affair. Discover why this authentication method is more complex than it seems.

Article inspired by the original source
You shouldn't trust Trusted Publishing ↗ blog.yossarian.net

Introduction

In a world where digital security is increasingly critical, the concept of "Trusted Publishing" has gained popularity. Initially developed by PyPI in 2023, this authentication scheme is now adopted by various packaging ecosystems like npm, RubyGems, crates.io, and NuGet. But why can't we really trust it?

What is Trusted Publishing?

"Trusted Publishing" relies on an OpenID Connect (OIDC) federation. The idea is straightforward: instead of using long-lived credentials that are often vulnerable and poorly configured, this system generates short-lived, narrowly scoped credentials. These credentials are linked to a CI/CD machine identity, thus avoiding human error in access management.

Benefits of Trusted Publishing

One of the main advantages lies in the automation and simplicity it provides to developers. Thanks to this system, open-source projects and companies can link their package publishing to the identity of their source rather than to an individual project maintainer. According to an OpenSSF study, 70% of users prefer not to manually manage credentials when unnecessary.

Limitations and Potential Risks

However, this model has notable limitations. Firstly, the data model is complex and requires custom treatment for each OIDC provider. While the risk is reduced with short-lived credentials, there is still a possibility of compromise. A Cybereason study showed that 25% of companies adopting similar solutions experienced security incidents related to poor machine identity management.

Why Not Trust It?

Here lies the core issue: "Trusted Publishing" is designed for machines, not humans. Trusting this system as a human is a category error. Just because the system is called "trusted" doesn't mean it's foolproof. Ultimately, it's an authentication scheme that can be compromised if a flaw is exploited.

Conclusion

Trusted Publishing offers many benefits, but it's not a panacea. As with any technology, it's crucial to understand its limitations and not rely solely on it for security. Consider this method as one tool among others in your security toolkit.

Let's discuss your project in 15 minutes.

Trusted Publishing authentication security CI/CD OIDC
Deepthix newsletter · 100% AI · every Monday 8am

An AI agent reads tech for you.

Our AI agent scans ~200 sources per week and ships the best articles to your inbox Monday 8am. Free. One click to unsubscribe.

Visit the newsletter page →

Want to automate your operations?

Let's talk about your project in 15 minutes.

Book a call