Securing Packages in npm, Homebrew, PyPI, Maven Central, and RubyGems

USENIX via YouTube

Overview

Learn how modern package ecosystems are moving from traditional PGP signatures to build attestations in this conference talk from USENIX Security '25. Explore why software signing has been hard in practice: securing private keys, distributing public keys, and rotating key material across major package repositories such as npm, Homebrew, PyPI, Maven Central, and RubyGems. Discover how build attestations not only verify package integrity but also bind each published artifact to a specific source code revision, the build instructions that produced it, and the build log, in a way a publisher cannot later falsify. Examine a real-world case study of how these attestations helped responders work out what had happened in the Ultralytics package compromise on PyPI in December 2024. Gain practical knowledge on where to find this new security information for a package you depend on, and on generating build attestations for your own open source packages, through detailed walkthroughs and demonstrations.
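The following is an added example, not code from the talk or from any registry's own client; it shows what "binding an artifact to a source revision, build instructions and build log" looks like when a consumer evaluates a SLSA v1 provenance attestation. It assumes the DSSE envelope's signature has already been verified by a Sigstore client (Fulcio certificate plus Rekor entry), and only performs the policy checks that remain. The package name, repository, commit hash and workflow run URL are constructed sample values.

```python
"""Added example (not from the USENIX talk or any registry tooling): evaluate a
SLSA v1 build attestation after a Sigstore client has verified its signature.
Two bindings are checked: artifact bytes -> statement subject digest, and
statement -> source repository, commit, workflow file and build log.
All names, URLs and digests below are constructed sample data."""
import base64
import hashlib
import json

DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"


class ProvenanceError(Exception):
    """The attestation does not bind this artifact to the expected source."""


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    # Pre-Authentication Encoding (DSSE spec): the exact bytes the builder's key
    # signs. A verifier rebuilds them byte-for-byte; lengths are byte counts.
    type_bytes = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(type_bytes)).encode(), type_bytes,
                      str(len(payload)).encode(), payload])


def make_envelope(statement: dict) -> dict:
    # Constructed DSSE envelope. `signatures` stays empty because this sample
    # never goes through Fulcio/Rekor; a real one signs dsse_pae(type, payload).
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    return {"payloadType": DSSE_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(), "signatures": []}


def evaluate_provenance(envelope: dict, artifact: bytes, policy: dict) -> dict:
    """Policy checks that remain once the signature is trusted.
    policy = {"repository": "https://github.com/org/repo", "trusted_builders": {...}}
    Returns the facts an incident responder wants: which commit, workflow file
    and build log produced exactly these bytes."""
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        raise ProvenanceError("unexpected payloadType")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if (statement.get("_type") != STATEMENT_V1
            or statement.get("predicateType") != SLSA_PROVENANCE_V1):
        raise ProvenanceError("not a SLSA v1 provenance statement")

    # 1. Artifact binding: the downloaded bytes must hash to a listed subject.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement["subject"]):
        raise ProvenanceError("artifact digest is not a subject of this attestation")

    predicate = statement["predicate"]
    builder = predicate["runDetails"]["builder"]["id"]
    if builder not in policy["trusted_builders"]:
        raise ProvenanceError(f"untrusted builder {builder}")

    # 2. Source binding: compare the whole string. A prefix check would accept
    #    https://github.com/org/repo-evil as if it were https://github.com/org/repo.
    workflow = predicate["buildDefinition"]["externalParameters"]["workflow"]
    if workflow["repository"] != policy["repository"]:
        raise ProvenanceError(f"built from {workflow['repository']}, expected {policy['repository']}")
    commit = None
    for dep in predicate["buildDefinition"].get("resolvedDependencies", []):
        if dep.get("uri", "").startswith("git+" + policy["repository"] + "@"):
            commit = dep.get("digest", {}).get("gitCommit")
    if commit is None:
        raise ProvenanceError("no resolved git commit for the source repository")

    return {"repository": workflow["repository"], "ref": workflow["ref"],
            "workflow": workflow["path"], "commit": commit, "builder": builder,
            "build_log": predicate["runDetails"]["metadata"]["invocationId"]}


# --- constructed sample: a tarball and the attestation a CI builder would emit for it ---
PACKAGE_BYTES = b"contents of demo-pkg-1.2.3.tgz (constructed)"
SAMPLE_REPO = "https://github.com/example-org/demo-pkg"
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_STATEMENT = {
    "_type": STATEMENT_V1,
    "subject": [{"name": "pkg:npm/demo-pkg@1.2.3",
                 "digest": {"sha256": hashlib.sha256(PACKAGE_BYTES).hexdigest()}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {"ref": "refs/tags/v1.2.3", "repository": SAMPLE_REPO,
                                                "path": ".github/workflows/publish.yml"}},
            "resolvedDependencies": [{"uri": f"git+{SAMPLE_REPO}@refs/tags/v1.2.3",
                                      "digest": {"gitCommit": SAMPLE_COMMIT}}]},
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"},
                       "metadata": {"invocationId": f"{SAMPLE_REPO}/actions/runs/42/attempts/1"}}}}
POLICY = {"repository": SAMPLE_REPO,
          "trusted_builders": {"https://github.com/actions/runner/github-hosted"}}


def verify_sample() -> dict:
    return evaluate_provenance(make_envelope(SAMPLE_STATEMENT), PACKAGE_BYTES, POLICY)


def tampered_artifact_is_rejected() -> bool:
    # A trojaned tarball uploaded next to the genuine attestation fails the digest binding.
    try:
        evaluate_provenance(make_envelope(SAMPLE_STATEMENT), PACKAGE_BYTES + b"\nmalicious", POLICY)
    except ProvenanceError:
        return True
    return False


def lookalike_repo_is_rejected() -> bool:
    # A validly signed attestation from a look-alike repository fails the source binding.
    other = json.loads(json.dumps(SAMPLE_STATEMENT))
    other["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["repository"] = SAMPLE_REPO + "-evil"
    try:
        evaluate_provenance(make_envelope(other), PACKAGE_BYTES, POLICY)
    except ProvenanceError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(verify_sample(), indent=2))
    print("tampered artifact rejected:", tampered_artifact_is_rejected())
    print("look-alike repo rejected:", lookalike_repo_is_rejected())
```

The returned record (repository, ref, workflow path, commit, build log URL) is exactly the trail the talk describes for the Ultralytics response: given only the artifact, you can name the commit and the CI run that produced it, or prove that no trusted builder did. In practice the signature step this example delegates is done for you by the ecosystem's client (for npm, `npm audit signatures` checks registry signatures and provenance attestations); the policy step, in particular the exact-match repository comparison, is still yours to configure.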

Syllabus

USENIX Security '25 (Enigma Track) - Securing Packages in npm, Homebrew, PyPI, Maven Central, and...

Taught by

USENIX
