Wednesday, October 28, 2020

Key generation and signing ceremony for PyPI

On Friday, October 30th, at 11:15 AM EDT, the Python Software Foundation will be live streaming a remote key generation and signing ceremony to bootstrap The Update Framework for The Python Package Index. You can click here to see what time this is in your local timezone.

This ceremony is one of the first practical steps in deploying The Update Framework to PyPI per PEP 458.

The Python Software Foundation Director of Infrastructure, Ernest W. Durbin III, and Trail of Bits Senior Security Engineer, William Woodruff, will be executing the runbook developed at https://github.com/psf/psf-tuf-runbook.

For transparency purposes a live stream will be hosted from the Python Software Foundation's YouTube channel. Please subscribe to the channel to be notified when the stream is live if you'd like to follow along.

Additionally the recording will be archived on the Python Software Foundation's YouTube channel.


This work is being funded by Facebook Research and was originally announced in late 2018. A portion of it commenced in 2019 while awaiting PEP 458's acceptance. With PEP 458 in place, we announced that work would commence in March.

We appreciate the patience and contributions of the community, Facebook Research, and Trail of Bits in seeing through the implementation of PEP 458.

Additionally, volunteers from The Secure Systems Lab at NYU, Datadog, and VMware have helped to develop the implementation for PyPI and have begun work on client implementations to verify the results in pip.