Make WordPress Core

Opened 5 years ago

Closed 4 months ago

Last modified 4 months ago

#47315 closed defect (bug) (fixed)

Download authenticity message has no actionability

Reported by: jipmoors's profile jipmoors Owned by: audrasjb's profile audrasjb
Milestone: 6.6 Priority: normal
Severity: normal Version: 5.2
Component: Upgrade/Install Keywords: has-patch
Focuses: ui, administration, ui-copy Cc:

Description

Problem

While testing some upgrades of themes I noticed the following message:

The authenticity of twentynineteen.1.4.zip could not be verified as no signature was found.

As a user I have no idea what this means and more importantly, what I can do about it.

Proposed solution

Add more context about what it means, why it is a not a blocker (soft-fail) when this is the case.
This could be a page on WordPress.org or explained in-line.

Provide a context on where this should be solved, locally/server/WordPress.org

Expectations

I would have expected the theme update to be verified as it is downloaded from WordPress.org directly.

Change History (27)

This ticket was mentioned in Slack in #accessibility by afercia. View the logs.


5 years ago

#3 @karmatosed
5 years ago

  • Keywords needs-design-feedback added

#4 @afercia
5 years ago

  • Keywords needs-copy-review added; needs-design-feedback removed
  • Milestone changed from Awaiting Review to Future Release

Discussed during today's accessibility bug-scrub. Pinging @pento as the Upgrade/Install component maintainer.

Also relevant:
https://wordpress.org/support/topic/5-2-1-update-authenticity-of-update-could-not-be-verified/

Copy could be improved here. The part The authenticity of twentynineteen.1.4.zip could not be verified is already a bit hard to get for non-tech-savvy users. Then, when it comes to signature, it's probably a bit too much technical :)

Pinging also @marybaum

Last edited 5 years ago by afercia (previous) (diff)

#5 @Hareesh Pillai
5 years ago

  • Focuses ui-copy added

#6 @SergeyBiryukov
4 years ago

#51428 was marked as a duplicate.

#7 @SergeyBiryukov
4 years ago

#47343 was marked as a duplicate.

#8 @SergeyBiryukov
4 years ago

#51672 was marked as a duplicate.

#9 @bridgetwillard
4 years ago

Happy to write copy, y'all. I'll need a bit more information.

What does it mean that the file wasn't verified?
What is the signature?
What is the solution?

Thanks.

#10 @s0what
4 years ago

Is this fixed now? Because I got this message when upgrading to 5.7
If this is not fixed, please remove the message!

#11 @SergeyBiryukov
3 years ago

#54495 was marked as a duplicate.

This ticket was mentioned in Slack in #core by sergey. View the logs.


3 years ago

This ticket was mentioned in Slack in #core by redsweater. View the logs.


17 months ago

#14 @rajinsharwar
14 months ago

#58937 was marked as a duplicate.

#15 @rajinsharwar
14 months ago

My suggestion would be to add a message like "You can safely ignore" to the message until the feature is redesigned, or just completely remove until it's fully ready.

#16 @joedolson
14 months ago

  • Focuses accessibility removed

#17 @audrasjb
5 months ago

  • Milestone changed from Future Release to 6.6
  • Owner set to audrasjb
  • Status changed from new to assigned

Hello there,

I'd like to suggest removing this message until the feature is ready to ship completely, since the "issue" (or rather the "non issue") is regularly pointed out by people on forums or during training sessions.

Worth noting that it would be nice to update the key and the related docblock in wp-admin/includes/file.php, too:

if ( time() < 1617235200 ) {
	// WordPress.org Key #1 - This key is only valid before April 1st, 2021.
	$trusted_keys[] = 'fRPyrxb/MvVLbdsYi+OOEv4xc+Eqpsj+kkAS6gNOkI0=';
}

Moving for 6.6 consideration.

#18 @johnbillion
5 months ago

  • Keywords needs-copy-review removed

The security team is in agreement that this message should be removed until software signing is fully implemented on wordpress.org.

#19 @audrasjb
5 months ago

Thanks for sharing this in the security team channel.
I'll make sure we have a patch ready to ship before beta 1.

This ticket was mentioned in PR #6648 on WordPress/wordpress-develop by @audrasjb.


4 months ago
#20

  • Keywords has-patch added; needs-patch removed

#21 @audrasjb
4 months ago

  • Keywords dev-feedback added

PR6648 disables package signature verification.

Alternatively, we can also just remove the WP_Error messages. What do you think @johnbillion?

#22 @audrasjb
4 months ago

Pinging @peterwilsoncc as well for second opinion on this changeset.

@peterwilsoncc commented on PR #6648:


4 months ago
#23

@audrasjb Is the intent to remove the signature warning just from themes and plugins or are you intending to remove it from Core too?

Core upgrades don't use the run method so if the intent is to remove the warning from there too I think this line will need changing too

https://github.com/WordPress/wordpress-develop/blob/13b571eeacf5a71e23c80d9f1d6b5cb5114e14af/src/wp-admin/includes/class-core-upgrader.php#L124

@audrasjb commented on PR #6648:


4 months ago
#24

Thanks @peterwilsoncc. I added a commit to also take Core into account.

#25 @peterwilsoncc
4 months ago

  • Keywords commit added

I've approved the linked pull request, marking this ready for commit.

It looks like the Core changes will need to be tested once they have made it to the nightly package but the plugin updates work as expected.

#26 @audrasjb
4 months ago

  • Keywords dev-feedback commit removed
  • Resolution set to fixed
  • Status changed from assigned to closed

@audrasjb commented on PR #6648:


4 months ago
#27

Thanks for the review! Committted in https://core.trac.wordpress.org/changeset/58319

Note: See TracTickets for help on using tickets.