Bootstrapping Trust in Community Repository Projects

Sangat Vaidya, Santiago Torres-Arias, Justin Cappos, Reza Curtmola

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Community repositories such as PyPI and NPM are immensely popular and collectively serve more than a billion packages per day. However, existing software certification mechanisms such as code signing, which seeks to provide to end users authenticity and integrity for a piece of software, are not suitable for community repositories and are not used in this context. This is very concerning, given the recent increase in the frequency and variety of attacks against community repositories. In this work, we propose a different approach for certifying the validity of software projects hosted on community repositories. We design and implement a Software Certification Service (SCS) that receives certification requests from a project owner for a specific project and then issues a project certificate once the project owner successfully completes a protocol for proving ownership of the project. The proposed certification protocol is inspired from the highly-successful ACME protocol used by Let’s Encrypt and can be fully automated on the SCS side. It is, however, fundamentally different in its attack mitigation capabilities and in how ownership is proven. It is also compatible with existing community repositories such as PyPI, RubyGems, or NPM, without requiring changes to these repositories. To support this claim, we instantiate the proposed certification service with several practical deployments.

Original languageEnglish (US)
Title of host publicationSecurity and Privacy in Communication Networks - 18th EAI International Conference, SecureComm 2022, Proceedings
EditorsFengjun Li, Kaitai Liang, Zhiqiang Lin, Sokratis K. Katsikas
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages20
ISBN (Print)9783031255373
StatePublished - 2023
Event18th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2022 - Virtual, Online
Duration: Oct 17 2022Oct 19 2022

Publication series

NameLecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume462 LNICST
ISSN (Print)1867-8211
ISSN (Electronic)1867-822X


Conference18th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2022
CityVirtual, Online

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications


  • Software certification
  • Trust establishment

Cite this