#47315 closed defect (bug) (fixed)
Download authenticity message has no actionability
Reported by: | jipmoors | Owned by: | audrasjb |
---|---|---|---|
Milestone: | 6.6 | Priority: | normal |
Severity: | normal | Version: | 5.2 |
Component: | Upgrade/Install | Keywords: | has-patch |
Focuses: | ui, administration, ui-copy | Cc: |
Description
Problem
While testing some upgrades of themes I noticed the following message:
The authenticity of twentynineteen.1.4.zip could not be verified as no signature was found.
As a user I have no idea what this means and more importantly, what I can do about it.
Proposed solution
Add more context about what it means, why it is not a blocker (soft-fail) when this is the case.
This could be a page on WordPress.org or explained in-line.
Provide a context on where this should be solved, locally/server/WordPress.org
Expectations
I would have expected the theme update to be verified as it is downloaded from WordPress.org directly.
Change History (27)
This ticket was mentioned in Slack in #accessibility by afercia. View the logs.
5 years ago
#4
@
5 years ago
- Keywords needs-copy-review added; needs-design-feedback removed
- Milestone changed from Awaiting Review to Future Release
Discussed during today's accessibility bug-scrub. Pinging @pento as the Upgrade/Install component maintainer.
Also relevant:
https://wordpress.org/support/topic/5-2-1-update-authenticity-of-update-could-not-be-verified/
Copy could be improved here. The part "The authenticity of twentynineteen.1.4.zip could not be verified" is already a bit hard to get for non-tech-savvy users. Then, when it comes to "signature", it's probably a bit too much technical :)
Pinging also @marybaum
#9
@
4 years ago
Happy to write copy, y'all. I'll need a bit more information.
What does it mean that the file wasn't verified?
What is the signature?
What is the solution?
Thanks.
#10
@
4 years ago
Is this fixed now? Because I got this message when upgrading to 5.7
If this is not fixed, please remove the message!
This ticket was mentioned in Slack in #core by sergey. View the logs.
3 years ago
This ticket was mentioned in Slack in #core by redsweater. View the logs.
17 months ago
#15
@
14 months ago
My suggestion would be to add a message like "You can safely ignore" to the message until the feature is redesigned, or just completely remove until it's fully ready.
#17
@
5 months ago
- Milestone changed from Future Release to 6.6
- Owner set to audrasjb
- Status changed from new to assigned
Hello there,
I'd like to suggest removing this message until the feature is ready to ship completely, since the "issue" (or rather the "non issue") is regularly pointed out by people on forums or during training sessions.
Worth noting that it would be nice to update the key and the related docblock in wp-admin/includes/file.php, too:
    if ( time() < 1617235200 ) {
        // WordPress.org Key #1 - This key is only valid before April 1st, 2021.
        $trusted_keys[] = 'fRPyrxb/MvVLbdsYi+OOEv4xc+Eqpsj+kkAS6gNOkI0=';
    }
Moving for 6.6 consideration.
#18
@
5 months ago
- Keywords needs-copy-review removed
The security team is in agreement that this message should be removed until software signing is fully implemented on wordpress.org.
#19
@
5 months ago
Thanks for sharing this in the security team channel.
I'll make sure we have a patch ready to ship before beta 1.
This ticket was mentioned in PR #6648 on WordPress/wordpress-develop by @audrasjb.
4 months ago
#20
- Keywords has-patch added; needs-patch removed
#21
@
4 months ago
- Keywords dev-feedback added
PR6648 disables package signature verification.
Alternatively, we can also just remove the WP_Error messages. What do you think @johnbillion?
@peterwilsoncc commented on PR #6648:
4 months ago
#23
@audrasjb Is the intent to remove the signature warning just from themes and plugins or are you intending to remove it from Core too?
Core upgrades don't use the `run` method so if the intent is to remove the warning from there too I think this line will need changing too
@audrasjb commented on PR #6648:
4 months ago
#24
Thanks @peterwilsoncc. I added a commit to also take Core into account.
#25
@
4 months ago
- Keywords commit added
I've approved the linked pull request, marking this ready for commit.
It looks like the Core changes will need to be tested once they have made it to the nightly package but the plugin updates work as expected.
#26
@
4 months ago
- Keywords dev-feedback commit removed
- Resolution set to fixed
- Status changed from assigned to closed
Committed in https://core.trac.wordpress.org/changeset/58319
@audrasjb commented on PR #6648:
4 months ago
#27
Thanks for the review! Committed in https://core.trac.wordpress.org/changeset/58319
Related: #39309